You may notice many failed login attempts to your clients and we would like to protect them from being hacked or something like that by banning clients for failed login attempts (similar to the admin) this feature is important and useful.
[u]Vote for it.[/u]
Merged Ideas
Client Area Brute Force Protection
I wonder how WHMCS didn't implement brute force protection for client users till now,Every one can use simple brute force methods to hack in our clients passwords.Please implement this simple feature ASAP.
Keep track of each client's unsuccessful login attempts. Keep this data in an in-memory storage (such as Redis) or database. https://papaspizzeria.io/
nonet67
commented
1 month ago
I want much more of this. Thanks for the info! Your page has excellent information, therefore I saved it. https://retrogamesfree.com
Marc Dawson
commented
26th June
Oh I feel like that's too harsh. Instead, give them the opportunity to log in another way. https://baldigames.com
scysys
commented
15th May 18
That's not good. There are users who never know there passwords. They will try it and try it and try it. Until they found their Password.
2FA and Strong Passwords are enough security. Those Systems where Users banned for an time of 15 Minutes or so on are very unresponsive and makes customers angry.
Mike Q
commented
3rd May 18
This is a basic, universal standard practice utilized and expected by just about any serious website or software with a login system. Even some legacy CRM systems some of my IT clients run that were made in the late 90's and early 2000's have this basic measure built in.
Is there any reason for WHMCS *not* to implement this?
Official Response
WHMCS
commented
18th January 17
Hi,
Thanks for taking the time to submit this idea and for everyone's votes.
I'd just like to take a moment to speak about the benefits of Two Factor Authentication. With two factor authentication enabled, a malicious actor cannot access a client's account - even with the genuine password. Two factor can be made mandatory for clients to login via Setup > Staff Management > Two-Factor Authentication > Force Clients option.
If using DuoSecurity for two-factor authentication, you can even temporarily prevent further authentication attempts after a certain number of failures.
Please do continue to vote and comment on this suggestion.
Mitch
commented
18th January 17
Clients cannot be expected to enable 2-Factor Authentication, nor should it really be enforced for clients. This is not a solution to the issue. I still don't understand why something so basic hasn't been implemented yet.
Mitch
commented
18th January 17
If you're not going to add this - maybe add a PreLogin hook where developers can fail a login under certain circumstances. This would mean a developer can implement this themselves, but also bring many other possibilities at the same time.
Amir Zano
commented
18th January 17
Hey John,
You can't force all clients to use 2-Factor Authentication why? simply not all clients using smartphones :)
So if we added this feature like the admin area it would be very good step and i think it's very easy to include it in a future update this will prevent anonymous clients accounts login attempts.
15 Comments
Login to post a comment.
https://papaspizzeria.io/
2FA and Strong Passwords are enough security. Those Systems where Users banned for an time of 15 Minutes or so on are very unresponsive and makes customers angry.
Is there any reason for WHMCS *not* to implement this?
Thanks for taking the time to submit this idea and for everyone's votes.
I'd just like to take a moment to speak about the benefits of Two Factor Authentication. With two factor authentication enabled, a malicious actor cannot access a client's account - even with the genuine password. Two factor can be made mandatory for clients to login via Setup > Staff Management > Two-Factor Authentication > Force Clients option.
If using DuoSecurity for two-factor authentication, you can even temporarily prevent further authentication attempts after a certain number of failures.
Please do continue to vote and comment on this suggestion.
You can't force all clients to use 2-Factor Authentication why? simply not all clients using smartphones :)
So if we added this feature like the admin area it would be very good step and i think it's very easy to include it in a future update this will prevent anonymous clients accounts login attempts.