How can we improve WHMCS?

Sure - the problem here is to tackle fraud when a customer has used an insecure/compromised password for their account; it's likely an edge case but we have recently seen this happen.

If a customers password is compromised, the fraudulent user can place orders using the customer account and stored payment method; registering new domains and hosting services in the customers account to be used for fraudulent activity. Whilst hosting services are generally easy to cancel, domains are not as easy to delete/cancel.

In the case of domain registrations - if a fraudulent domain is registered and the hosting provider is not "quick" to resolve the issue (and even if they are sometimes) there will be fees involved with deleting/cancelling those orders with the domain reseller provider - potentially costing hundreds or thousands depending on the number of domains which have been registered, the billing terms the hosting provider has with the domain reseller, and any cancellation or admin fees involved in domain deletion.

Having a 2FA check would be a balance between the current auto-provisioning and manually provisioning system for both products/services, addons and domains.

The way I would see this working is you would have to classify clients in the auto-provision system rather than a blanket setting:

- Clients without 2FA who are logged in require manual approval of their order (similar to how "do not auto provision" works).
- Clients with 2FA enabled and are logged in - domains and services are auto-provisioned without manual approval of the order (as the current auto provisioning works).
- Everyone else / logged out / no 2FA (eg, new customers, customers with no 2FA enabled) require manual provision.

You could extend on those settings to make it flexible, but having the ability to throw 2FA into the mix would really be helpful in preventing fraud through compromised account passwords.

I hope that helps, if you need me to expand on anything let me know :)