sgrayban, posted March 17, 2013:

It would be nice if WHMCS would activate the Two-Factor Authentication settings @ the main WHMCS.com site so it can be more secure for us users.

easyhosting, posted March 17, 2013:

Another factor about the Two-Factor Authentication:

> Time Based One-Time Passwords
>
> Time Based One-Time passwords require downloading an OATH application onto your smartphone or tablet, and optionally a bar-code reader. Once activated a pop-up screen will present a QR code, with optional manual code to enter into your smartphone or tablet. Once scanned or entered, a time based one time password will appear within your OATH application providing the second form of verification used to log in. Additionally, a backup code is presented which should be stored in the event that your smartphone or tablet is not accessible and you wish to gain access into WHMCS.

What happens if your clients don't have a smartphone or tablet?

ljesh, posted March 17, 2013:

> What happens if your clients don't have a smartphone or tablet?

WHMCS will buy and deliver them one at their home address. Just kidding. If they don't have a smartphone or tablet you can activate/purchase DUO SECURITY; it can send them the code by SMS or phone call. I agree about WHMCS activating two-factor auth at their WHMCS installation. I believe they will, they just currently have too much work to do.

easyhosting, posted March 17, 2013:

So rather than pay them $1.50 a month I would need to pay them $3 per user per month. Great business sense this is.

ljesh, posted March 17, 2013 (edited March 17, 2013 by ljesh):

> So rather than pay them $1.50 a month I would need to pay them $3 per user per month. Great business sense this is.

But that is not WHMCS's problem. I mean, what can WHMCS do if your customers don't have a smartphone/tablet? Just answer this question logically. On the other hand, sending SMS messages, phone calls... cost money. By the way, they (the customers) cannot activate/set up two-factor auth if they cannot pass the setup, which requires having a smartphone/tablet.

easyhosting, posted March 17, 2013:

> But that is not WHMCS's problem. I mean, what can WHMCS do if your customers don't have a smartphone/tablet? Just answer this question logically. On the other hand, sending SMS messages, phone calls... cost money. By the way, they (the customers) cannot activate/set up two-factor auth if they cannot pass the setup, which requires having a smartphone/tablet.

WHMCS are asking you to make your client area more secure by offering the two-factor auth, which YOU activate from your admin area and not your customers. As I stated earlier, and as WHMCS state, a smartphone/tablet is required. I have already asked my clients their views on this and 60% of those who have replied don't have smartphones or tablets, so if I activate this they won't be able to log in, and any new clients that don't have smartphones/tablets would go elsewhere.

ljesh, posted March 17, 2013:

> I have already asked my clients their views on this and 60% of those who have replied don't have smartphones or tablets, so if I activate this they won't be able to log in, and any new clients that don't have smartphones/tablets would go elsewhere.

I see your confusion. After you enable Time Based One-Time Passwords from your admin area of WHMCS, the customer may CHOOSE if they want to enable it for themselves. It won't lock out your customers that don't have a smartphone/tablet (unless you force the OAUTH, but don't do that, it's not a smart thing to do... it is an option, but you absolutely don't have to use it, and in your case it is recommended NOT to use it). So, after you enable and configure the option from the admin area, customers that want to enable two-factor auth can log in to their customer area in WHMCS, go to their settings, and they will have a new tab to enable AND configure two-factor auth. If they cannot pass the setup (don't have a smartphone/tablet, whatever the reason) two-way auth will NOT be enabled for their account.

easyhosting, posted March 17, 2013:

> I see your confusion. After you enable Time Based One-Time Passwords from your admin area of WHMCS, the customer may CHOOSE if they want to enable it for themselves. It won't lock out your customers that don't have a smartphone/tablet (unless you force the OAUTH, but don't do that, it's not a smart thing to do... it is an option, but you absolutely don't have to use it, and in your case it is recommended NOT to use it). So, after you enable and configure the option from the admin area, customers that want to enable two-factor auth can log in to their customer area in WHMCS, go to their settings, and they will have a new tab to enable AND configure two-factor auth. If they cannot pass the setup (don't have a smartphone/tablet, whatever the reason) two-way auth will NOT be enabled for their account.

Anyway, this is something to think about in the future as I am in no hurry to upgrade to 5.2 on the production side.

Daniel, posted March 17, 2013:

I think you've all missed the point. The OP is asking WHMCS to activate it for their own client area for us customers.

easyhosting, posted March 17, 2013:

> I think you've all missed the point. The OP is asking WHMCS to activate it for their own client area for us customers.

Yes, especially as they keep saying they run the latest version... but my point about some clients not having smartphones/tablets is still a valid point, as they don't mention anywhere that once this is activated from our admin area then individual clients can turn this on or off from their client areas.

MemoryX2, posted March 18, 2013:

There are two issues with this.

1. If you use a yubico key, then how do you access your account from a cell phone or tablet?
2. If you use oauth and you don't have a cell phone/tablet then how do you access your account?

Neither is 100% foolproof.

ljesh, posted March 18, 2013:

The first point seems valid; I cannot find my yubico to test things. But for 2: if you have enabled and configured oauth once, but in the meantime lost the phone/tablet, you still have 2 options:

a) During setup of oauth WHMCS gives you a "reserve code" which you are advised to write down somewhere and keep safe. In case scenario 2 happens, you can use that code just once to log in to your customer area to disable two-factor auth OR to configure a new smartphone/tablet.

b) I believe the admin can still log in as the client without being asked for oauth, so he can disable your two-factor auth.

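Added example, not part of the original thread and not WHMCS's code: a minimal RFC 6238 TOTP in Python that shows what the enrollment QR code and "manual code" carry, and how the single-use backup ("reserve") code described in the posts above can be consumed at login. The class and function names, the issuer/account strings and the hashed storage of the backup code are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrollment QR code encodes; the base32 secret
    in it is the 'manual code' typed in when no scanner is available."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"

def _sha256(text: str) -> bytes:
    return hashlib.sha256(text.encode()).digest()

class SecondFactor:
    """Per-account state (hypothetical class, not WHMCS's data model)."""
    def __init__(self, secret: bytes, backup_code: str):
        self.secret = secret
        self.backup_hash = _sha256(backup_code)  # assumption: stored hashed
        self.last_step = -1                      # newest time step accepted

    def verify(self, submitted: str, now: int, window: int = 1) -> str:
        """Return 'totp', 'backup' or 'denied' for a submitted code."""
        first = max(0, now // 30 - window)       # tolerate small clock drift
        for step in range(first, now // 30 + window + 1):
            expected = totp(self.secret, step * 30).encode()
            if step > self.last_step and hmac.compare_digest(expected, submitted.encode()):
                self.last_step = step            # a code cannot be replayed
                return "totp"
        if self.backup_hash and hmac.compare_digest(self.backup_hash, _sha256(submitted)):
            self.backup_hash = None              # backup code works exactly once
            return "backup"
        return "denied"

if __name__ == "__main__":
    secret = b"12345678901234567890"             # RFC 6238 test key, not a real secret
    print(provisioning_uri(secret, "client@example.com", "ExampleHost"))
    acct = SecondFactor(secret, "constructed-backup-code")
    for attempt in ("287082", "287082", "constructed-backup-code", "constructed-backup-code"):
        print(attempt, "->", acct.verify(attempt, now=59))
```
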
TheHostingHeroes, posted March 18, 2013:

Hi, I think enabling this for customers would just be problematic... customers forgetting things or changing devices etc. I personally will only be using it on the admin side of WHMCS for better security!

WHMCS Chris, posted March 18, 2013:

Hello,

You would simply enable it per user that has the ability to make use of it, whether it be via Yubikey, Two-Factor via OATH modules (requires smartphone/tablet), or Duo Security, which can perform this via SMS or phone call. It's an optional service that can be delegated per user, not one that must be forced across the board.

easyhosting, posted March 18, 2013:

So how would I activate this when I already have Oath installed on my WHMCS for use on another addon, as paying $1.50 a month to WHMCS for something that I already have on my WHMCS

WHMCS Chris, posted March 18, 2013:

Hello,

Activation is managed by the license system itself. It would require the $1.50 or $15/year fee to use the TOTP service.

easyhosting, posted March 18, 2013:

> Hello,
>
> Activation is managed by the license system itself. It would require the $1.50 or $15/year fee to use the TOTP service.

This does not seem right as I already have the software on my WHMCS installation.

WHMCS Chris, posted March 18, 2013:

The third party application you've installed on top of WHMCS at your discretion has no direct correlation to the development, licensing design, or future implementation of WHMCS. You are not required to use the built in Two-Factor Authentication functionality as it is an optional utility.

sgrayban (author), posted March 19, 2013:

WOW, not sure how my post got so messed up here. I'll try it again. WHMCS has created at least 3 ways to auth: OATH, Duo and yubikey. Now since they got hacked just last year, wouldn't Matt think that enabling this HERE would be prudent for his userbase that had their private info stolen?

ljesh, posted March 19, 2013:

> WOW, not sure how my post got so messed up here. I'll try it again. WHMCS has created at least 3 ways to auth: OATH, Duo and yubikey. Now since they got hacked just last year, wouldn't Matt think that enabling this HERE would be prudent for his userbase that had their private info stolen?

Link HERE please, I am curious to know what you are talking about.

openmind, posted March 19, 2013:

> Link HERE please, I am curious to know what you are talking about.

It's not a link, Scott is talking about WHMCS securing the customer client area of their own site using the new auth protocols.

sgrayban (author), posted March 19, 2013:

> It's not a link, Scott is talking about WHMCS securing the customer client area of their own site using the new auth protocols.

Exactly!! The HERE was to emphasize here as in WHMCS.com.

openmind, posted March 20, 2013:

Should have used bold instead, some people are easily confused.

sgrayban (author), posted March 20, 2013:

> Should have used bold instead, some people are easily confused.

That's scary considering every member here is playing admin and offering services via WHMCS.