How can we improve WHMCS?

Share, discuss and vote for what you would like to see added to WHMCS

Basic email-based 2FA for clients



Instead of requiring a 3rd party plugin or time-based tokens for use with Google Authenticator, create a basic and easy-to-use "Email code" option built into WHMCS.

Many customers get confused with authenticator apps and QR codes, etc., so it would allow a simple form of 2FA option for them to select whereby on login, the WHMCS app sends the user a 6-digit code to their email to enter instead.
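The login step requested above, as an added example (not WHMCS code and not from the poster): a 6-digit code is drawn from a CSPRNG, kept server-side only as a salted HMAC, and accepted once within a time limit and an attempt cap. The class name, the 10-minute lifetime and the 5-attempt cap are assumptions, and mail delivery is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # guesses allowed per challenge (assumed value)


class EmailCodeChallenge:
    """One pending email-code challenge, stored server-side with the
    half-authenticated session (password already checked)."""

    def __init__(self, now=None):
        self.salt = secrets.token_bytes(16)
        self.expires = (time.time() if now is None else now) + CODE_TTL
        self.attempts = 0
        self.used = False
        self.digest = None

    def _hash(self, code):
        # Store a keyed digest so the plaintext code never sits in the
        # session store, database or logs.
        return hmac.new(self.salt, code.encode(), hashlib.sha256).digest()

    def issue(self):
        # secrets.randbelow draws from the OS CSPRNG; zero-pad to 6 digits.
        code = f"{secrets.randbelow(10**6):06d}"
        self.digest = self._hash(code)
        return code  # pass to the mailer only

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        if self.used or self.digest is None or now > self.expires:
            return False
        if self.attempts >= MAX_ATTEMPTS:
            return False  # challenge burned; a new code must be issued
        self.attempts += 1
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(self._hash(submitted), self.digest):
            self.used = True  # single use
            return True
        return False
```

The attempt cap carries most of the weight here: a 6-digit code has only 10^6 possible values, so without it the code could be guessed by enumeration within its lifetime.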

3 Comments

I did something like this with a module already

Hi there,
Thanks for this suggestion.

There is a compelling detractor to implementing email-based Two-Factor Authentication, primarily that it doesn't represent a second authentication for most online services. For example, if the email address used to register the client account is compromised, then email 2FA would not provide additional protection; the bad actor could receive both the password reset email and the two-factor passcode.

Probably the solution with least friction, particularly for less tech-savvy users, would be an SMS passcode option (which is something Duo offers already). Bearing in mind there would likely be a fee for SMS messages sent. So perhaps a feature request for your preferred SMS provider would be a good route here?

Granted, it's not as good as SMS or an Authenticator app, but it's better than nothing. We've found, no matter how hard we push, the vast majority of clients are either confused by authenticator apps, or frustrated at SMS codes - they simply don't enable either because it's too much hassle. And with SMS, if the user's phone is compromised (or their computer if they have their SMS client on there too like iMessage) - then it's the same problem. 2FA is just a way to make it a bit harder for hackers/bad actors - email 2FA codes do just that, add a second layer of protection which is not much less secure than an SMS.