
Two-Factor Authentication activation @ WHMCS


sgrayban


another factor about the Two-Factor Authentication

 

Time Based One-Time Passwords

Time Based One-Time passwords requires downloading an OATH application onto your smartphone or tablet, and optionally a bar-code reader.

Once activated a pop-up screen will present a QR code, with optional manual code to enter into your smartphone or tablet. Once scanned or entered, a time based one time password will appear within your OATH application providing the second form of verification used to log in.

Additionally, a backup code is presented which should be stored in the event that your smartphone or tablet is not accessible and you wish to gain access into WHMCS.

 

 

What happens if your clients don't have a smartphone or tablet?


What happens if your clients don't have a smartphone or tablet?

WHMCS will buy and deliver them one at their home address.

Just kidding.

If they don't have a smartphone or tablet you can activate/purchase DUO SECURITY, it can send them the code by SMS or phone call.

 

I agree about WHMCS activating two-factor auth at their WHMCS installation, I believe they will just currently have too much work to do.


So rather than pay them $1.50 a month I would need to pay them $3 per user per month. Great business sense this is :twisted:

 

But that is not WHMCS's problem. I mean, what can WHMCS do if your customers don't have a smartphone/tablet? Just answer this question logically.

On the other hand, sending SMS messages, phone calls... costs money.

By the way, they (the customers) cannot activate/set up two-factor auth if they cannot pass the setup, which requires having a smartphone/tablet.

Edited by ljesh

But that is not WHMCS's problem. I mean, what can WHMCS do if your customers don't have a smartphone/tablet? Just answer this question logically.

On the other hand, sending SMS messages, phone calls... costs money.

By the way, they (the customers) cannot activate/set up two-factor auth if they cannot pass the setup, which requires having a smartphone/tablet.

 

WHMCS are asking you to make your client area more secure by offering the two-factor auth which YOU activate from your admin area and not your customers. As I stated earlier, and as WHMCS state, a smartphone/tablet is required. I have already asked my clients their views on this and 60% of those who have replied don't have smartphones or tablets, so if I activate this they won't be able to log in, and any new clients that don't have smartphones/tablets would go elsewhere.


I have already asked my clients their views on this and 60% of those who have replied don't have smartphones or tablets, so if I activate this they won't be able to log in, and any new clients that don't have smartphones/tablets would go elsewhere.

 

I see your confusion.

After you enable Time Based One-Time Passwords from your admin area of WHMCS, the customer may CHOOSE if they want to enable it for themselves. It won't lock out your customers that don't have a smartphone/tablet (unless you force the OAUTH, but don't do that, it's not a smart thing to do... it is an option, but you absolutely don't have to use it, and in your case it is recommended NOT to use it).

So, after you enable and configure the option from admin area, customers that want to enable two-factor auth can login to their customer area in WHMCS, go to their settings, and they will have a new tab to enable AND configure two-factor auth. If they cannot pass the setup (don't have smartphone/tablet, whatever the reason) two-way auth will NOT be enabled for their account.


I see your confusion.

After you enable Time Based One-Time Passwords from your admin area of WHMCS, the customer may CHOOSE if they want to enable it for themselves. It won't lock out your customers that don't have a smartphone/tablet (unless you force the OAUTH, but don't do that, it's not a smart thing to do... it is an option, but you absolutely don't have to use it, and in your case it is recommended NOT to use it).

So, after you enable and configure the option from admin area, customers that want to enable two-factor auth can login to their customer area in WHMCS, go to their settings, and they will have a new tab to enable AND configure two-factor auth. If they cannot pass the setup (don't have smartphone/tablet, whatever the reason) two-way auth will NOT be enabled for their account.

 

Anyway, this is something to think about in the future as I am in no hurry to upgrade to 5.2 on the production side.


I think you've all missed the point. The OP is asking WHMCS to activate it for their own client area for us customers.

 

Yes, especially as they keep saying they run the latest version... but my point about some clients not having smartphones/tablets is still a valid point, as they don't mention anywhere that once this is activated from our admin area then individual clients can turn this on or off from their client areas.


There are two issues with this.

 

1. If you use a yubico key, then how do you access your account from a cell phone or tablet??

 

2. If you use oauth and you don't have a cell phone/tablet then how do you access your account??

 

Neither is 100% fool proof.


The first point seems valid, cannot find my yubico to test things.

But for

2. If you have enabled and configured oauth once, but in the meantime lost the phone/tablet you still have 2 options

a) during setup of oauth WHMCS gives you a "reserve code" which is advised to write it somewhere and keep it safe. In case the scenario 2 happens, you can use that code just once to login to your customer area to disable two-factor auth OR to configure a new smartphone/tablet.

b) I believe admin still can login as client without being requested oauth so he can disable your two-factor auth.


Hello,

 

You would simply enable it per user that has the ability to make use of it, whether it be via Yubikey, Two-Factor via OATH modules (requires smartphone/tablet), or Duo Security, which can perform this via SMS or phone call.

 

It's an optional service that can be delegated per user, not one that must be forced across the board.


The third party application you've installed on top of WHMCS at your discretion has no direct correlation to the development, licensing design, or future implementation of WHMCS. You are not required to use the built in Two-Factor Authentication functionality as it is an optional utility.


WOW not sure how my post got so messed up here. I'll try it again.

 

WHMCS has created at least 3 ways to auth: OATH, Duo and Yubikey. Now since they got hacked just last year, wouldn't Matt think that enabling this HERE would be prudent for his userbase that had their private info stolen?


WOW not sure how my post got so messed up here. I'll try it again.

 

WHMCS has created at least 3 ways to auth: OATH, Duo and Yubikey. Now since they got hacked just last year, wouldn't Matt think that enabling this HERE would be prudent for his userbase that had their private info stolen?

 

Link HERE please, I am curious to know what are you talking about :)
