cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

2 Factor Authentication (2FA) Grace Period

yatesf shared this idea 5 years ago
Open Discussion

2 Factor Authentication is a great security measure despite it's inconvenience. More users would probably make regular use of this security feature in WHM/cPanel if there were a selectable grace period option for not having to enter the 2FA code again for X number of days. This could be an option for the user at the time of entering the 2FA-code.


I'd suggest making the grace period configurable anywhere from 5 to 45 days. It might be a good idea to put an informational highlight at the time of entering the one-time-password (OTP) that suggests they only select a "grace period option" if logging in from a private computer. Therefore, make "no grace period" the default selection.


As far as development, I'd suggest hashing the userID with the OTP and $user_agent for client side cookie storage. During the 2FA sequence (after normal login authentication), check for the cookie existence and compare it to a DB table that contains the same hash for the corresponding userID that hasn't exceeded it's DB-stored expiration value. Maybe even perform more secure validation by re-computing the hash based on the client's actual $user_agent and the $userID from the login (which might mean storing the OTP in the DB vs the hash). Either way, if there's an unexpired match, skip 2FA, if not, present 2FA (while deleting the cookie). I know I've over-simplified the implementation, but I hope this helps.

Replies (1)

photo
1

It's better if can be device remember for a period of time. This is already implemented by "Duo Security "

Leave a Comment
 
Attach a file