
2FA authentication on WHMCS is pointless because it's limited to 1 per account


yggdrasil


I'm not sure if the WHMCS developers have realized this, but WHMCS only allows a single device to be added as OTP (Google Authenticator, Authy, etc.) or as a hardware device like a YubiKey per account. This applies to both customers and staff 🤮

This is more or less pointless because everyone suggests having a minimum of two in case you lose one device. Now, yes, you can back them up with Authy or even save the QR image from something like Google or Microsoft Authenticator, making the whole idea less secure, but the same is not even true for something like YubiKeys or other hardware keys. This is exactly why Yubico suggests buying 2, in case you lose one. For example, most sites and accounts on which I enabled this let you have more than one key or authenticator enabled, usually up to 5. WHMCS only allows 1, and just one regardless of the type. It's either OTP, or YubiKey, or Duo Key, and, to my dismay, it's also limited to just a single one of the same type...

This is extremely dangerous. Imagine you activate YubiKeys for your WHMCS staff and they lose them. Sure, you can deactivate it as admin, but what if you are the admin and lost your key? You cannot use a backup key to log in and now need to mess with the DB to reset your login. Even worse, what if you have a fixed key in your office and one on the go that you carry around? Now you cannot access WHMCS outside the office because, again, only the fixed one plugged in at the office is authenticated and you cannot enable your second key...

Please, WHMCS, this is just a lazy implementation. Users and staff both should be able to add at least two 2FA devices per account. If you ask me, I would allow at least 5. But in the security world, you are not even supposed to use something like YubiKeys unless you actually have 2, one main one and one for backup.

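The per-account multi-device enrolment the post asks for is a small data-model change rather than a hard problem. The following is an added example, not WHMCS code and not a description of how WHMCS stores its 2FA data: a minimal Python account record that holds up to five independent TOTP authenticators, verifies a login code against any enabled one, lets an admin revoke a lost device without touching the others, and refuses replay of an already-consumed code. The `Account`/`Authenticator` classes, the device labels and the second secret are assumptions made for illustration; the first secret is the RFC 4226/6238 test key, so its codes can be checked against the published vectors. Hardware keys such as YubiKeys normally use Yubico OTP or FIDO rather than TOTP, but the "several credentials per account, revoke one, keep the rest" pattern is the same.

```python
"""Multiple OTP authenticators per account: enrol, revoke, verify.

Added example; the classes, labels and second secret are illustrative
and do not reflect any real WHMCS schema or API.
"""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1(key, counter)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(at // step), digits)


@dataclass
class Authenticator:
    label: str              # e.g. "yubikey-desk", "yubikey-travel" (illustrative)
    secret_b32: str
    enabled: bool = True
    last_counter: int = -1  # highest time step already accepted (replay guard)


class Account:
    """Toy account record that allows several independent OTP devices."""
    MAX_AUTHENTICATORS = 5

    def __init__(self, username: str):
        self.username = username
        self.authenticators: list[Authenticator] = []

    def enroll(self, label: str, secret_b32: str) -> None:
        if len(self.authenticators) >= self.MAX_AUTHENTICATORS:
            raise ValueError("authenticator limit reached")
        if any(a.label == label for a in self.authenticators):
            raise ValueError(f"label {label!r} already enrolled")
        self.authenticators.append(Authenticator(label, secret_b32))

    def revoke(self, label: str) -> None:
        """Disable one lost device; the remaining devices keep working."""
        for dev in self.authenticators:
            if dev.label == label:
                dev.enabled = False
                return
        raise KeyError(label)

    def verify(self, code: str, at: float, step: int = 30, window: int = 1) -> Optional[str]:
        """Return the label of the enabled device whose code matches, else None.

        Tolerates +/- `window` time steps of clock drift, and never accepts a
        time step a device has already consumed, so a captured code cannot be
        replayed inside the drift window.
        """
        now_counter = int(at // step)
        for dev in self.authenticators:
            if not dev.enabled:
                continue
            for drift in range(-window, window + 1):
                counter = now_counter + drift
                if counter <= dev.last_counter:
                    continue
                if hmac.compare_digest(hotp(dev.secret_b32, counter), code):
                    dev.last_counter = counter
                    return dev.label
        return None


def demo() -> dict:
    """Walk through the lost-key scenario from the post with two enrolled keys."""
    desk = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 4226/6238 test key
    travel = "JBSWY3DPEHPK3PXP"                 # constructed second secret
    acct = Account("admin")
    acct.enroll("yubikey-desk", desk)
    acct.enroll("yubikey-travel", travel)
    t = 59.0                                    # counter 1 in RFC 6238's vectors
    results = {}
    results["desk_ok"] = acct.verify(totp(desk, t), t)        # "yubikey-desk"
    results["replay"] = acct.verify(totp(desk, t), t)         # None: step consumed
    results["travel_ok"] = acct.verify(totp(travel, t), t)    # "yubikey-travel"
    acct.revoke("yubikey-desk")                               # desk key is lost
    results["after_revoke"] = acct.verify(totp(desk, t + 30), t + 30)     # None
    results["travel_still"] = acct.verify(totp(travel, t + 30), t + 30)   # still works
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points matter here. Revocation flips `enabled` instead of deleting the row, so the admin keeps a record of which device was retired and the other devices are untouched. The `last_counter` guard is what turns "accept anything within the drift window" into "accept each code once", which is the check a production TOTP verifier needs regardless of how many devices an account has.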

  • 2 weeks later...

Has someone tried to add a second 2FA directly in the database, maybe? I don't mind doing this manually for my account even if it requires a hack, but I absolutely need to add 2 2FA devices per account. I know I can create a second staff account with the same privileges and even the same password, but that seems annoying, being forced to use different admin accounts.

Edited by yggdrasil
