yggdrasil

FIDO2


It would be great if WHMCS can support FIDO2 login/authentication keys someday. I know it's a new standard but maybe before 2030 would be nice. I think it's fair to ask this at least 10 years in advance to give WHMCS developers enough time. I would do it and release it to the open, but I forgot, the code is locked...


If you're referring to using something like a Yubikey as the login (and not 2FA), that's less desirable, I feel. It moves logging in to only needing the key instead of needing it to confirm another login method like passwords. That's not 2FA, that's back to one, and one that's easier to have stolen.

4 hours ago, bear said:

If you're referring to using something like a Yubikey as the login (and not 2FA), that's less desirable, I feel. It moves logging in to only needing the key instead of needing it to confirm another login method like passwords. That's not 2FA, that's back to one, and one that's easier to have stolen.

You can use the YubiKey in both scenarios actually, as 2FA, FIDO, or even for storing public keys. I'm actually with you on this. This is why I think, for example, the implementation on Windows 10 is flawed. Instead of requiring the key + another additional method (like a password or fingerprint), you can log in just with the key, which is still better than just a password but not better than two methods. I can see how some people might find this useful, but I agree with you on that. Still, for those people it's not really more insecure than just using a password, because the idea of a hardware key is that you cannot access it. Regular software or spyware can't access the key (I can't vouch for how true or false that actually is...), since it's hardware based; neither can, for example, a key logger, since there is no password typed in the login process. Also, that setup would only be insecure if you have the key connected to the system at all times. Assuming you take it with you and just plug it in when required, it's still better than 2FA based on software apps like an Android phone, because that is software based and can be tampered with or intercepted by other sorts of software hacks.

On Windows the implementation is even more flawed because you don't even need to touch the key; it logs in automatically without user intervention. Now, since WHMCS already supports 2FA, for those people using just a password (without 2FA), a single hardware key is still better than a typed password or one saved in the browser.

If we want to be more picky, the Nitrokey is even better since it's completely open source, unlike the YubiKey, which is now proprietary, so several people in the security field have retired their endorsement.

Edited by yggdrasil

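The disagreement above (key as the only factor vs. key as a second factor, and a key that signs without being touched) is decided on the relying-party side by two bits in the authenticator data every FIDO2/WebAuthn assertion carries: UP (user present, the key was touched) and UV (user verified, a PIN or fingerprint was checked on the key itself). The following is an added example, not WHMCS code and not from either poster: it parses the fixed 37-byte authenticator data header as laid out in the WebAuthn spec and applies a policy that treats a touch-only assertion as a second factor when a password was already checked, but refuses it as a passwordless login unless UV is set. The relying-party ID `whmcs.example`, the policy wording and the sample assertions are constructed for the example.

```python
"""Added example: relying-party check of a FIDO2/WebAuthn assertion's flags.
Not WHMCS code. The byte layout follows the WebAuthn authenticator data format;
the RP ID, policy strings and sample blobs below are constructed for illustration."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Tuple

FLAG_UP = 0x01  # user presence: the key was physically touched
FLAG_UV = 0x04  # user verification: PIN/biometric checked on the authenticator
FLAG_AT = 0x40  # attested credential data follows (registration only, not parsed here)
FLAG_ED = 0x80  # extension data follows (not parsed here)


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)


def parse_authenticator_data(raw: bytes) -> AuthData:
    """Parse the fixed header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = raw[:32]
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def evaluate_assertion(raw: bytes, rp_id: str, stored_counter: int,
                       password_verified: bool) -> Tuple[bool, str]:
    """Decide whether this assertion may complete the login, and as how many factors.

    password_verified=True  -> key is the second factor (the thread's "2FA" case).
    password_verified=False -> passwordless; accept only if the key itself verified
                               the user (UV), so possession alone is not enough.
    """
    ad = parse_authenticator_data(raw)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: assertion was made for a different site"
    if not ad.user_present:
        # The "no touch needed" behaviour complained about in the thread: refuse it.
        return False, "UP flag clear: authenticator did not prove user presence"
    # WebAuthn: if either counter is non-zero, the new one must be strictly greater.
    if (ad.sign_count != 0 or stored_counter != 0) and ad.sign_count <= stored_counter:
        return False, "signature counter did not increase: possible cloned key"
    if password_verified:
        return True, "accepted: password + security key (two factors)"
    if ad.user_verified:
        return True, "accepted: key with PIN/biometric (possession + knowledge/inherence)"
    return False, "rejected: key alone without UV is a single possession factor"


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal assertion blob (test fixture, not output of a real key)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "whmcs.example"  # hypothetical relying-party ID
    cases = {
        "touch only, after password": (build_authenticator_data(rp, FLAG_UP, 5), 4, True),
        "touch only, no password":    (build_authenticator_data(rp, FLAG_UP, 5), 4, False),
        "touch + PIN, no password":   (build_authenticator_data(rp, FLAG_UP | FLAG_UV, 5), 4, False),
        "no touch at all":            (build_authenticator_data(rp, FLAG_UV, 5), 4, False),
        "replayed counter":           (build_authenticator_data(rp, FLAG_UP | FLAG_UV, 4), 4, False),
    }
    for name, (raw, counter, pw) in cases.items():
        ok, why = evaluate_assertion(raw, rp, counter, pw)
        print(f"{name:28s} -> {'OK' if ok else 'NO'}  {why}")
```

A relying party gets UV enforced by asking for it at the browser (`userVerification: "required"` in the WebAuthn options) and then checking the flag server-side as above; asking alone is not enough, since the bit in the signed authenticator data is what the key actually attests to. The counter check is the standard clone-detection step and is independent of the factor question.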
