
FIDO2


yggdrasil

Recommended Posts

It would be great if WHMCS can support FIDO2 login/authentication keys someday. I know it's a new standard, but maybe before 2030 would be nice. I think it's fair to ask this at least 10 years in advance to give WHMCS developers enough time. I would do it and release it to the open, but I forgot, the code is locked...


If you're referring to using something like a Yubikey as the login (and not 2FA), that's less desirable, I feel. It moves logging in to only needing the key instead of needing it to confirm another login method like passwords. That's not 2FA, that's back to one, and one that's easier to have stolen.


4 hours ago, bear said:

If you're referring to using something like a Yubikey as the login (and not 2FA), that's less desirable, I feel. It moves logging in to only needing the key instead of needing it to confirm another login method like passwords. That's not 2FA, that's back to one, and one that's easier to have stolen.

You can use the Yubikey in both scenarios actually, as 2FA, FIDO, or even storing public keys. I'm actually with you on this. This is why I think, for example, the implementation on Windows 10 is flawed. Instead of requiring the key + another additional method (like password or fingerprint) you can log in just with the key, still better than just a password but not better than two methods. I can see how some people might find this useful, but I agree with you on that. Still, for those people it's not really more insecure than just using a password, because the idea of a hardware key is that you cannot access it. Regular software or spyware can't access the key (I can't vouch for how true or false that actually is...), since it's hardware-based, and neither can, for example, a key logger, since there is no password typed in the login process. Also, that setup would only be insecure if you have the key connected to the system at all times. Assuming you take it with you and just plug it in when required, it's still better than 2FA based on software apps like an Android phone, because that is software-based and can be tampered with or intercepted by other sorts of software hacks.

On Windows the implementation is even more flawed because you don't even need to touch the key; it logs in automatically without user intervention. Now, since WHMCS already supports 2FA, for those people using just a password (without 2FA), a single hardware key is still better than a typed or browser-saved password.

If we want to be more picky, the Nitrokey is even better since it's completely open source, over the Yubikey, which is now proprietary, so several people in the security field have withdrawn their endorsement.

Edited by yggdrasil
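The two behaviours argued over above (a key that logs you in without being touched, versus a key that must also check a PIN or fingerprint) map directly onto two flag bits a FIDO2/WebAuthn relying party receives in every assertion: User Present (the key was touched) and User Verified (the key checked a PIN or biometric). The example below is added here for illustration and is not code from the thread, from WHMCS or from any FIDO library; it parses the fixed 37-byte prefix of WebAuthn authenticator data with the standard library only, applies a configurable "touch only" or "touch plus PIN/biometric" policy, and runs the signature-counter check the spec recommends for spotting a cloned key. Function and constant names, the relying party ID `example.com`, and the sample authenticator data are all constructed for the example.

```python
"""Server-side policy checks on a WebAuthn/FIDO2 assertion's authenticator data.

Added example, stdlib only. It covers the flag and counter checks; a real
relying party also verifies the signature over authData || SHA-256(clientDataJSON),
the challenge and the origin, which are out of scope here.
"""
import hashlib
import struct

# Flag bits in the authenticator data "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # User Present: the user touched / pressed the key
FLAG_UV = 0x04  # User Verified: the key also checked a PIN or biometric


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
    }


def check_assertion(auth_data: bytes, rp_id: str, stored_sign_count: int,
                    require_uv: bool) -> tuple:
    """Return (accepted, reason).

    require_uv=True is the "key plus PIN/fingerprint" policy from the thread;
    require_uv=False accepts a touch-only, single-factor key.
    """
    parsed = parse_authenticator_data(auth_data)

    # The key signs over the SHA-256 of the RP ID it was talking to; a mismatch
    # means the assertion was produced for some other site.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False, "rpIdHash does not match this relying party"

    # No UP bit means nobody touched the key: the "logs in by itself" case.
    if not parsed["user_present"]:
        return False, "user presence (touch) not asserted"

    if require_uv and not parsed["user_verified"]:
        return False, "policy requires user verification (PIN or biometric) on the key"

    # Counter check from the spec: meaningful only when either value is non-zero.
    # A counter that did not move forward suggests a cloned authenticator.
    if (parsed["sign_count"] != 0 or stored_sign_count != 0) \
            and parsed["sign_count"] <= stored_sign_count:
        return False, "signature counter did not increase; possible cloned authenticator"

    return True, "ok"


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test input (not a real key's output): the 37-byte prefix only."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "example.com"  # assumed relying party ID for the demo
    cases = {
        "touched + PIN, strict policy": (FLAG_UP | FLAG_UV, 10, 9, True),
        "touched only, strict policy": (FLAG_UP, 10, 9, True),
        "touched only, key-as-single-factor policy": (FLAG_UP, 10, 9, False),
        "no touch at all": (FLAG_UV, 10, 9, False),
        "counter did not advance": (FLAG_UP | FLAG_UV, 9, 9, True),
    }
    for name, (flags, count, stored, uv) in cases.items():
        ok, why = check_assertion(build_authenticator_data(rp, flags, count), rp, stored, uv)
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Whether a key-only login counts as one factor or two is exactly the `require_uv` switch: with it set, a bare touch is rejected and the key must have checked a PIN or biometric itself, which is the "key + another method" setup yggdrasil describes.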
