cPanel & WHM Version 114 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

WHM root access 2FA single use code if 2FA is no longer possible

Martin eaps shared this idea 8 months ago
Needs Review

When using 2FA on Root access Login, the 2FA system is an app on a mobile device that needs to be employed to generate the code.

This is fine, it's not quite true 2FA but it's close enough.

However, if for instance the mobile device is smashed, or is stolen, or is lost, this can potentially mean that access to the WHM root account is then impossible.

Dropbox, to their credit do employ a 2FA system which uses the same app, but which also employs showing the account holder 5-10 unique codes that each give a single short term access [to the Dropbox account].

Can WHM/CPanel add this ability to the current WHM 2FA system so that if a mobile device is lost or stolen that for a set number of instances (for example; 5) the user can still access the WHM root login (ie five seperate unique 2FA codes, each permitting log in for 1 hour only, for instance).

This can be a minor security risk, because these unique codes couldn't be time dependant; but they would only be single use codes and generated only at the time the 2FA is turned on and then shown to the user for them to store in an appropriate manner.

These shortcodes would replace the 2FA mechanism only, and would not replace the need for password, SSH Key or similar other usual authentication mechanism, but would be a literal life saver if a mobile device is lost or damaged

Replies (1)


Whenever I setup a 2fa code, I copy the setup code into Bitwarden (my password manager - I know 1Password also supports this) and also set it up in Authy (which is similar to Google Authenticator): so I have two things capable of generating the necessary code.

Leave a Comment
Attach a file