
2 Factor Authentication with Google Authenticator missing


sgrayban


The only thing related to Google Auth is something called TOTP, which is a third-party addon you have to pay for to use a free service from Google -- not exactly ethical, is it?

 

Just like Yubikey it should be a standalone feature instead of bleeding us for more money.


WHMCS' software is extremely inexpensive for the functionality it provides. With TOTP included, it ultimately comes out to .56 CENTS a day (branded monthly version) to effectively be the only piece of software a Web Hosting Provider needs other than a server control panel to run their business.

 

I personally wouldn't call that bleeding.


WHMCS' software is extremely inexpensive for the functionality it provides. With TOTP included, it ultimately comes out to .56 CENTS a day (branded monthly version) to effectively be the only piece of software a Web Hosting Provider needs other than a server control panel to run their business.

 

I personally wouldn't call that bleeding.

 

Given that Matt had previously stated it would be free.... I must respectfully disagree.

 

http://forum.whmcs.com/showthread.php?48074-DuoSecurity-coming-to-WHMCS-soon!/page2&p=226272#post226272


I am right along with you on this. While I wouldn't call it bleeding, I'm also not using it currently either.

 

Very Very Frustrating to say the least.

 

Careful, Mr. Chris doesn't like Mr. Matt getting called out on morals. Mr. Chris likes deleting posts that do that... he deleted mine when I pointed that out.


Yes, because I don't want to end up being hacked like what happened here.

 

Just keep in mind, with everyone running around screaming for 2FA, it's only one piece in the puzzle. If I can exploit another vulnerability and download your entire WHMCS DB (this is a hypothetical, BTW), the fact you had 2FA in place becomes security theater.

 

2FA protects against bad guys using good credentials and, really, nothing more. On the client side, limiting what occurs w/o administrator intervention (e.g. auto-order setup, or cancellation), and strong process review policies in place ("gee, this guy from California, US, logged in from China..."), will mitigate a great deal. On the admin side, obviously, it's harder to mitigate, and 2FA, coupled with strong perimeter and application security, would likely provide a good benefit.

 

That said, I would like to see WHMCS start to provide better perimeter security advice -- perhaps, for example, a tight set of mod_sec rules that could govern the members and admin areas. That sort of thing could help stop/prevent attacks that could otherwise be successful.


Anything is possible, brianr, but reducing any possibility of being hacked, whether it's server side or not, is a goal everyone should have.

 

/agreed

 

However there is a point of diminishing return.... At what point does a) the cost involved, or b) the end-user complexity / support "cost" outweigh the benefit?

 

Given that Google Auth is an open protocol, an open app, and has an open source implementation, the "cost" involved should be zero. Now teach end users how to use it... That hurts.


/agreed

 

However there is a point of diminishing return.... At what point does a) the cost involved, or b) the end-user complexity / support "cost" outweigh the benefit?

 

Given that Google Auth is an open protocol, an open app, and has an open source implementation, the "cost" involved should be zero. Now teach end users how to use it... That hurts.

 

Uhhh, please explain what you are saying, because it just reads like ramblings or a tired person.


Uhhh, please explain what you are saying, because it just reads like ramblings or a tired person.

 

Let me try to simplify....

 

WHMCS has applied a cost ($$$) to an open and free standard (the free Google Authenticator app and its related IETF standards). This directly goes against Matt's prior posts in this forum on the subject.

 

Second, trying to get users to use 2 factor auth, specifically Google Authenticator, is, simply, a royal pain in the ass. If you have non-technical users (and if you don't, you're very lucky), many simply have a hard time "getting" it, and often require hand-holding through the setup process. This is complexity, and it drives up the support costs for you and me to implement it for the end user.
