George Sturley
shared this idea
4 months ago
18
Votes
Login to Vote
WHMCS client accounts becoming compromised is a common problem, which can have catastrophic results.
Forcing 2FA using something like Time Based Tokens is all good and well, but in WHMCS' own words:
"This works with mobile apps such as OATH Token and Google Authenticator."
The problem with the above? Not everyone has a mobile phone. Additionally, not everyone has access to their mobile - perhaps they've lost it or simply don't have it with them when they need to access their WHMCS client account.
The solution? A One-Time Password (OTP) that gets emailed to a client when they try to login from an unrecognised browser (think: cookies). This is ideal since there's a good chance someone will have access to their email at any given time, often with no special software or devices needed.
WHMCS should implement this functionality to complement the existing options: https://docs.whmcs.com/system/authentication/two-factor-authentication/#2fa-services
This is very much a relevant choice; many companies inside and outside the web hosting industry have this option.
Forcing 2FA using something like Time Based Tokens is all good and well, but in WHMCS' own words:
"This works with mobile apps such as OATH Token and Google Authenticator."
The problem with the above? Not everyone has a mobile phone. Additionally, not everyone has access to their mobile - perhaps they've lost it or simply don't have it with them when they need to access their WHMCS client account.
The solution? A One-Time Password (OTP) that gets emailed to a client when they try to login from an unrecognised browser (think: cookies). This is ideal since there's a good chance someone will have access to their email at any given time, often with no special software or devices needed.
WHMCS should implement this functionality to complement the existing options: https://docs.whmcs.com/system/authentication/two-factor-authentication/#2fa-services
This is very much a relevant choice; many companies inside and outside the web hosting industry have this option.
1 Comment
Login to post a comment.