How can we improve WHMCS?

Share, discuss and vote for what you would like to see added to WHMCS

Auto Provision Services ONLY if client has used 2FA

  • Lee Kitching shared this idea 1 year ago
  • Automation
  • 1 Comment

We would like to see an option to enable auto-provision ONLY if a client has used two factor authentication to login and place the order.


Login to post a comment.

Hi Lee,
Thanks fore taking the time to submit this idea.

Can you help us and the community understand more about the problem that this proposed feature would resolve?
Sure - the problem here is to tackle fraud when a customer has used an insecure/compromised password for their account; it's likely an edge case but we have recently seen this happen.

If a customers password is compromised, the fraudulent user can place orders using the customer account and stored payment method; registering new domains and hosting services in the customers account to be used for fraudulent activity. Whilst hosting services are generally easy to cancel, domains are not as easy to delete/cancel.

In the case of domain registrations - if a fraudulent domain is registered and the hosting provider is not "quick" to resolve the issue (and even if they are sometimes) there will be fees involved with deleting/cancelling those orders with the domain reseller provider - potentially costing hundreds or thousands depending on the number of domains which have been registered, the billing terms the hosting provider has with the domain reseller, and any cancellation or admin fees involved in domain deletion.

Having a 2FA check would be a balance between the current auto-provisioning and manually provisioning system for both products/services, addons and domains.

The way I would see this working is you would have to classify clients in the auto-provision system rather than a blanket setting:

- Clients without 2FA who are logged in require manual approval of their order (similar to how "do not auto provision" works).
- Clients with 2FA enabled and are logged in - domains and services are auto-provisioned without manual approval of the order (as the current auto provisioning works).
- Everyone else / logged out / no 2FA (eg, new customers, customers with no 2FA enabled) require manual provision.

You could extend on those settings to make it flexible, but having the ability to throw 2FA into the mix would really be helpful in preventing fraud through compromised account passwords.

I hope that helps, if you need me to expand on anything let me know :)