Two-factor authentication in mobile version
Right now, if a user logs in to the mobile version of WHMCS they will not be required to enter a two-factor authentication code. Even if they do have it set up in their account!
Then when the user changes the URL to the regular desktop version, they will be logged in without having to enter a two-factor authentication code.
This is a severe security flaw as it allows anyone to completely bypass two-factor authentication.