cPanel & WHM Version 80 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!
 
This object is in archive! 

Two-factor Authentication

kabatak shared this idea 6 years ago
Completed

Two-factor authentication is a must


We really need two-factor authentication at least for WHM login. A lot of sites are already implementing this to protect from unauthorized login.


The most doable two-factor authentication would be similar to the Google Authenticator which is just a simple

security token app for Android, iPhone, Blackberry.


How it should work would ideally be like this: the user logs

in to WHM using username and password (first factor), then he will be asked

to enter a code generated by his mobile app (second factor). If it all matches with values from the server, then the login will be

permitted.


I think it's safe to say it really doesn't have to be "enabled" by

default but an optional service at least for WHM login (for root and

reseller accounts) and if the dev team's time permits, individual Cpanel

accounts too.


This will totally eliminate brute force attacks and will even make password theft useless.


If this is too much, then the absolute easiest way to this is to require email verification for every login. Email verification is not really two-factor but good enough than nothing.

Best Answer
photo

This is the blog post that will go up soon:


cPanel & WHM version 54 introduces the new Two Factor Authentication features for the cPanel and WHM interfaces.


This feature is one of the most highly requested features on features.cpanel.net. We at cPanel worked hard to bring this in cPanel & WHM version 54. When the new feature hit the EDGE release tier, some of our third-party integrators grew concerned about the changes made to the API system.


We decided to extend our Two Factor Authentication system to the API to help increase the overall security of your account and prevent a loophole that would essentially bypass Two Factor Authentication.


This complicates the API calls our third-party integrators use to manage resources that cPanel & WHM control. This would cause many third-party applications to outright break for accounts with Two Factor Authentication enabled.


To help mitigate this breakage and give our integrators time to update their applications we have hidden access to the interface in the WHM User Interface. Root administrators can enable the UI by creating a touch file through the command line.


To enable the Two Factor Authentication UI on your system, enter the following command:


touch /var/cpanel/enable_twofactor_ui && /usr/local/cpanel/whostmgr/docroot/themes/x/rebuildtmpl


**This may cause some third-party applications to break significantly and cause applications to improperly store data**


If you are running a stock cPanel & WHM system with no third-party applications or API customizations, you can enable Two Factor Authentication with no worries.


Webhosts and third-party developers should take some time to test their applications with Two Factor Authentication. Examples of how to do API calls with Two Factor Authentication(link to sdk.cpanel.net).

Comments (259)

photo
15

I would suggest (at least the option for administrators, of) building on existing two-factor auth instead of creating a new one.

For example:

https://alteregoapp.com/

http://code.google.com/p/google-authenticator/

photo
12

I support two-factor authentication, such a service should support different third party services. We use Yubico.com for other internal authentication services and would like to see a two-factor autchentication service supporting this.

photo
4

I really like if Google Authenticator was an optional choice for WHM and cPanel users.

This makes password theft and brute force attacks as good as useless.

photo
3

I think it should also allow to choose a different service as well. Duo Security also offers a good solution. If programed correctly there can be certain built in choice and a way to add a custom one

photo
2

I would love to have Google Authenticator for WHM and cPanel (optional if the user wants), it would definitely make me sleep better at night.

I'm suprised something like this hasn't been implemented yet.

photo
3

I'm sure each dev/admin that want/need this can pool up some $ towards making it happens. Can someone Kickstart it?

For example, my company, which is very small, would gladly pony up $2~4k for it. Many devs/admins can contribute something on the hundreds, and a lot can contribute on the tens.

So, if there is any company willing to kickstart and develop a cPanel addon for this, it would be absolutely great. They can even charge a small monthly fee (but of course, the support would have to be solid).

photo
3

what about Authy? https://www.authy.com/ I use it already for Bitcoin... WHM needs this!

photo
3

I like it, but I do not want the solution to rely on cloud based solutions. Other options such as RSA SecurID, RADIUS Auth and others should be supported.

photo
5

Jonathan Roza wrote:

I'm sure each dev/admin that want/need this can pool up some $ towards making it happens. Can someone Kickstart it?

For example, my company, which is very small, would gladly pony up $2~4k for it. Many devs/admins can contribute something on the hundreds, and a lot can contribute on the tens.

So, if there is any company willing to kickstart and develop a cPanel addon for this, it would be absolutely great. They can even charge a small monthly fee (but of course, the support would have to be solid).

Sorry. For something as critical authentication, I want Cpanel to develop it themselves. Its not that hard to to RADIUS auth, Yubi auth .... I'm not paying extra for it myself and I'm not paying a third party monthly fee either.

photo
4

We can protect our Gmail accounts with two factor authentication, and we can also protect our WordPress blogs with two factor authentication. It is now time for us to be able to protect our WHM and individual cpanels with two factor authentication.


Have you heard...


Internet vandals with 100,000 computers under their control are attempting to hack our WordPress sites 7 days per week, 24 hours per day, 365 days per year, and it is only a matter of time until they start working on our cpanels.


I talked to someone at cpanel and he thinks maybe the cpanel programmers might introduce two factor authentication in November of 2014. (With software development it is always hard to know when specific features might be introduced... It could be longer...)


The cpanel guy says that users like you and I can move two factor authentication along faster, if we work together and write comments in this thread and click the [LIKE This Feature Request] Button directly above these comments. So if you know anyone that cares about two factor authentication, sent them to this page. Nuff said.

photo
2

I think offering several methods of two-tier auth would be a great thing. Each company running servers has a slightly different authentication setup now and already may have a two-tier setup for other systems (e.g. WHMCS how supports Duo Security, OATH and physical keys).


What I would like to see however is to enable specific types of authentication for certain accounts. Personally, I think initially I'd just want to protect the root account - that would include with WHM but also having the same two-tier setup on SSH etc. There's no point securing one without the other...


I don't feel for resellers/client accounts it's so important at present however. Sure it'd be nice, but it won't affedct the entire server and we have plenty of account backups. Not saying it wouldn't be good to be able to roll it out to them, but I think initially, I'd be really keen to see the root account protected.

photo
3

Two factor authentication has been requested several times especially after an admin with a weak password got hacked on his test server.

Two factor via Google Authenticator would be great but another method would also be required for non smart-phone / tablet owners.

photo
3

Edward Jerome wrote:

Internet vandals with 100,000 computers under their control are attempting to hack our WordPress sites 7 days per week, 24 hours per day, 365 days per year, and it is only a matter of time until they start working on our cpanels.


I totally agree with you. For me this is a high priority feature. With this we can easily prevent that our (client) cPanel/WHM accounts gets hacked.

I even protect simple boards/WordPress websites with Google Authentication, so why not protect cPanel/WHM with it.

photo
2

I would like to see OATH support. Once you have the app. configured on your ipod, iphone, etc. it works without need for internet connection. And for those without smartphones. Let cpanel generate lists of 10 auth codes at a time users can print out and put in their wallets. That is an easy option that should fit just about anyone's needs.


Please don't try and charge a monthly fee for something that is free, like others are doing! W*MCS

photo
3

This would make security in cPanel much better than that of Plesk and other competing panels.

photo
2

We would love this for our clients and staff. Please consider making this into development.

photo
5

I've been thinking a bit about this. Two factor for WHM root user, yes, but for our company it would need to be optional for each customer, we would have it deactivated by default and allow each customer to activate it or not.


We would prefer it not to necssaraly go via Googla Authenticator, I think there should be a plugin system for this, cPanel should provide a Google plugin and allow others to make their own plug-ins.


Some might want to do the second auth by e-mail, others by a text message code, others might develop their own app, and some have this in their customers pannel.


I think there needs to be a default (maybe sending a 6 digit code my e-mail) and a plugin for Google Authenticator.


We would like this to be modular, let administrators decide what options customers have (choice between, None, E-mail, Google Auhenticator, Custom 1, Custom 2…) and a default.


We could then choose a fefault of None and allow E-mail, Google Auth. and Custom 1 and customers could decide which method they like best.


What would be rearly nice would be to also let customers decide which methods they want to allow, so they can have a main method and a secondary method in case their phone brakes down for example.

photo
2

Two-factor authentication a necessity today.


We really need two-factor authentication for WHM and cPanel

logins, and if also possible, webmail.


We have deployed cPHulk Brute force protection and it shows tens

of hacking attempts to access root, cPanel and webmail!


Caphtcas reportedly annoy people but they protect them! I won't

mind them for WHM, cPanel logins and webmail


The additional security don't have to be "enabled" by

default. It can be user/admin selectable.


This will deal a death blow to brute force hacking attacks.


I also like the suggestion to optionally to 'require email

verification for every login', which is better than nothing.

photo
2

I think Google Authenticator is the most popular solution : pratically everyone who is using two factor authentication is also using Google authenticator.


...i would strongly recommend going with this solution.

photo
6

Our company secures almost everything else with yubikeys but WHM has fallen behind and is now a glaring security issue. We absolutely need this soon or we will be forced to leave cpanel behind.

photo
3

Just to add, that I was initially not at all sure about this feature, but having tested it on dropbox, I must Google Authenticator is easy to use, easy to implement (thinking about giving our customers the option for our customers area…) and is compatible with all phones.


The idea of a 6 digit code that changes every couple of minutes is simple yet very effective and almost fun to use !


All companies that offer this security that I know of, so this on an optional basiss. Each user can choose to activate this functionality or not, depending on how much security they want.


I know some customers who like me would love to have this, while others would hate it.


For us, this needs to be a user based decision, for some hosts this might not be wanted and some might want this enforced.


Please make this feature an option that can be activated in WHM for either WHM only or WHM and cPanel, that you can set the default value (on or off) and that you can allow or disallow users to change the status.


We would have it off by default and allow users to turn it on.


Thanks

photo
3

Two-Factor Authentication would be brilliant for sure. It increases security big time, especially in cases where people use the same password over multiple sites.

But yes, this should be OPTIONAL at all times. Not only optional for root, but also for clients. And agreed it should be free, instead of for example the WHMCS folks who figured it needs extra payment... cash cow 2.0.

It's *very* important this makes it in to cPanel asap.

photo
2

All big companies are doing this now, Twitter, Dropbox, Gmail… :)


Google authenticator seems to be the closest to what everyone is using… either by fonctionality or by actually using it.


We will have optional two factor authentication for our new customers area so it seems important to have it also for the control pannel.

photo
2

Lets get this rolling cPanel... I use two factor auth for every online service that supports it! cPanel servers are attacked and targeted all the time. The last thing any admin wants is to have their reputation ruined due to outdated authentication standards.


Lets see this in cPanel by December at the latest!

photo
2

Liroy van Hoewijk wrote:

Two-Factor Authentication would be brilliant for sure. It increases security big time, especially in cases where people use the same password over multiple sites.

But yes, this should be OPTIONAL at all times. Not only optional for root, but also for clients. And agreed it should be free, instead of for example the WHMCS folks who figured it needs extra payment... cash cow 2.0.

It's *very* important this makes it in to cPanel asap.

Maybe this should be another feature, but. Additionally I must say, that for inconvenience of a (dare I say, dumb) client loss his phone/second factor auth device. There should be a removal of the assigned second factor device/app, through email verification, or something else. I think email verification should be sufficient. Its unlikely that some guy loose the second factor and email password, unless he uses the second factor for email too.


I'm with you guys, i'm in favor of it, but I just liked to add this comment.

photo
2

Its very important featured

photo
2

I've seen plenty of good, free and open source implementations of TFA lately. One noted example is a WP plugin called "Two Factor Auth" by "Oskar Hane". We have been recommending it to clients. It proves, there are plenty of simple ways to deal with those times where you forget your password, don't have your free to use cellphone or paid token device (or the charge is off your cellphone). Remember once setup, the token devices don't generally connect to the internet.


In this and other implementations, the author has three permanent one time panic codes, and a renewing One Time Password. So you can put the onetime only panic codes in your wallet (obfuscate!) or your safe (lol) and you'll always have those as the final resort. Then you can write down the current One Time Password that resets every time you use it. Maybe that should go in my wallet?


I have to have a list of these for client sites now. And i sometimes use them when I am in a panic. And then it has an email feature, where if you input your code wrong or don't have it, it sends the One Time Password to your email account of record. So you can mess-up, look at your email and use the One Time Password (it basically is a reminder service, feature), PLUS your regular password and you are in.


There is the ability and flexibility to choose your authentication algorithm and see your private key (secret) in text or base 32.


The user can choose to use a device/app Third party apps (Duo Mobile, Google Authenticator etc) or just the email feature (no device or app needed).


Once more it is an example of a creative, resourceful, free, flexible and useful implementation, completely opposite of implementations like WHMCS which is buggy, not free (even to use a free device and app which I do), not flexible enough to handle droves of real world, busy clients, with their own lifestyles and unnecessarily bent toward being a profit center rather than a real world solution.


I have no connection to the plugin, and am not endorsing it, but offer it because who doesn't spend a lot of time supporting WP installations these days, and I figure it is easy for others to checkout as compared to other implementations on more obscure platforms.

photo
2

We would definitely support and vote for two factor authentication to be a key addition to WHM and for cPanel. The following would be our suggestions :


1) It should be an option to have it switched on by default for all users server wide and then also selectable whether it is forced on users or can be switched of by users via cPanel

2) It should also be an option whether it is forced on resellers and their users or not

3) While Google Authenticator is proven, there should be other options and a fantastic one that we are using and recommending to clients (especially those using WordPress) is Launchkey - http://www.launchkey.com simply uses a swipe key on a phone or tablet but which can also be configured to be multi-factor including geo fencing

photo
4

We support and vote for this enhancement. We're implementing 2 factor authentication for all of our internal systems and for our clients optionally in WHMCS. Yubikey is our preferred method but any solid 2 factor authentication is better than none.


Actually, 2 factor authentication for something as critical and sensitive as cPanel shouldn't be viewed as a "feature request" or enhancement. It's become a requirement in today's world and I hope cPanel puts a much higher priority on this work soon.

photo
4

Yubico.com<3

photo
4

We use WHM/cPanel primarily where I work, and I go in to do all flavors of things to harden the server and our sites(most of us utilize YubiKey by Yubico). Having two-factor authentication for WHM will remedy the Achilles heel of our server and allow me to rest easy instead of watching the firewall terminate brute force attempts.

photo
4

Agreed. This is a must-have for us soon. I actually am quite surprised that WHM doesn't yet have Two-factor. Looking forward to cPanel's excellence in this soon!

photo
4

We're now looking into implementing Yubikey two factor authentication into as many of our systems as possible.


While Google Authenticator is good and better than not having two factor authentication and easy to use for customers for sysadmins yubikey seems an excelent choice.


I believe two factor authentication needs to be plugin based. Users need to be able to choose their two factor authentication system (none, google authenticator, yubikey, swekey…) as well a system to get around the two factor authentication (like a 100 character password or soemthing that is possible to do but too compicated to use on an every day basis).

photo
2

This is something what must have every web application :)

photo
2

guipedreira wrote:

Maybe this should be another feature, but. Additionally I must say, that for inconvenience of a (dare I say, dumb) client loss his phone/second factor auth device. There should be a removal of the assigned second factor device/app, through email verification, or something else. I think email verification should be sufficient. Its unlikely that some guy loose the second factor and email password, unless he uses the second factor for email too.


I'm with you guys, i'm in favor of it, but I just liked to add this comment.


From a security point of view, i'd say it would be better if client has to contact support at that point. Email reset isn't exactly the most secure thing around. :)

photo
2

Liroy van Hoewijk wrote:

From a security point of view, i'd say it would be better if client has to contact support at that point. Email reset isn't exactly the most secure thing around. :)
Agreed, this is our point of view too. However for the hosts that take along time answering support questions, this might be usefull. Each host should be able to enable or diable this. We would disable it.

photo
4

How long we will have to wait until this feature will be available.

The network can be dangerous place.

If someone downloaded a program thats kind of a keyloagger, the hacker can easily log into the owner's cpanel and do whatever he wants.

Its really dangerous, 2 factor authentication may prevent it.

photo
2

Please cPanel, do offer us this feature!


It will make as hosting provider look more professional and acting to protect our customer's privacy and data.

photo
2

Dave Etheridge wrote:

Two factor authentication has been requested several times especially after an admin with a weak password got hacked on his test server.

Two factor via Google Authenticator would be great but another method would also be required for non smart-phone / tablet owners.

I too would like to see another option other than the dreaded smart phone app. Personally I don't own one and probably never will as my little cost effective lg is all I need.

photo
5

There are currently two places where the root user can login, ssh and whm. SSH uses pubkey authentication which is secure enough, however for whm we have to run 40+ character passwords that we change regularly. If we had a yubikey two factor authentication for WHM we would feel much more secure.

photo
4

Both User and cPanel owners, and workers can benefit from this! Yubico the best Two-Step verification company I have ever worked with has a team that can design a plug-in for cPanel and offer there products to cPanel customers that would love to own to secure there cPanels once and for all from hackers! They sale security keys along with there service that you simply plug-in to a usb port and simply touch a sensor button on it and it outputs the verification code without the need of a keyboard!

photo
3

Absolutely want/need two-factor.


Already have several other accounts on Google Auth and a few on Authy. Prefer Google Auth. Would not want a third one that needs to be maintained.


Do NOT use text message. Unreliable/not functioning internationally. Can't use it on a plane etc.

photo
2

Please, add soon.

photo
2

Please add 2FA. This is a must have, and should be prioritized pretty high. Thanks.

photo
2

Yes please. CSF does a nice job at blocking failed attempts but they just move on to another exploited computer that's not blocked.


SMS would be horrible idea. We use our Cpanel server in a data center environment where several people need access. The open source Google Authenticator would be perfect. Their app is available on all smartphone app stores and is free.

photo
3

A MUST! Let's move on.

photo
5

Please add a Google Authenticator - Two Factor Authentication or a Yubikey - Two Factor Authentication for WHM and CPanel, thanks.


Today it's very very important for the security of the Server and VPS.


Thanks in advance.

photo
2

Google Auth NOW!!!

photo
2

Yubico would be my choice for two factor authentication. Also Yubikey can be coded to auto logout the WHM admin user if the key is removed from the computer through the "Challenge response Ping" feature. Excellent feature to keep things secure in the office.

photo
3

I had another customer ask me about this today. Customers are seeing easy to use two-factor authentication at places like Google and Facebook, and they are starting to understand how it makes things so much more secure. Then they wonder where it is for their hosting service. I'd really like to see this as an option for cPanel/WHM.

photo
3

I am user of CPanel. I would love this security feature for cPanel/WHM as well as webmail authentication.


thanks.

photo
2

Email authentication likely would not be ideal, as I know i login to cPanel/WHM from a mobile device quite often for quick changes.


Yubikey would be awesome, but you have to pay for that.


There is also Duo Security, but thats only free for 10 (maybe 5) users.


The best free option would indeed be Google Authenticator, but keep in mind not everyone has a google account, and I think this is required.


In the end, dual auth may (if implemented) end up being Opt In since you cant guarantee that everyone has a way to do dual auth.


Just food for thought. :)

photo
2

You don't need a Google Account to use Google Authenticator. I am able to add Microsoft/Facebook/Dreamhost/etc into the application. Google Authenticator is built on a 2FA standard that doesn't require Google for anything. I currently have a Google Authenticator plugin installed in my WordPress that works great with the GA application but there are other apps that do the same thing. Actually, currently on my Android phone I use the Y Authenticator application with my YubiKey NEO that does that same exact 6 digit OTP generation. The nice thing about my NEO is that all I need is the Y Authenticator application and an NFC capable phone/tablet and have all of my OTPs. I can't believe how cPanel has totally dropped the ball on this since this discussion/feature request has been going on for over a year. There should not even be a question that this should be available for the WHM panel let alone the end user cPanel. A no one should be opting for the 2FA to be required, it should be opt-in. I could see a time where it could eventually be required as it becomes more of a standard, but in general the 2FA should have options for both SMS and Google Authenticator(i.e. code generator app).

photo
1

Yehuda Katz wrote:

I would suggest (at least the option for administrators, of) building on existing two-factor auth instead of creating a new one.

For example:

https://alteregoapp.com/

http://code.google.com/p/google-authenticator/

You have a very good point there. Presently, the setup of a Google Authenticator in Centos 6 is complicated, to say the least. This should be a one click install in WHM.


http://solutionsfox.com/2012/06/google-authenticator-ssh-on-centos-6/

photo
1

I'd like to see it implemented same methods as Gmail option and this week LinkedIn also implemented it:

http://www.slideshare.net/linkedin/two-step-verification-on-linked-in/1

photo
1

It should be opt in by default , it should be able to be enforced or disabled by the whm root user and be pluggable so hosts can add all 2FA systems they want, google authenticator and yubikey being our two favorates. This should be made to work for both cpanel and whm access.

photo
1

Users should also have the choice of all availble methods when they opt in.

photo
2

Big fan of Yubico's YubiKey (with VIP for PayPal). CPanel needs to stop listening to this huge list of requests, and start doing something about it. All popular Open Source CMS's have done it.

photo
1

cPJerry wrote:

Email authentication likely would not be ideal, as I know i login to cPanel/WHM from a mobile device quite often for quick changes.


Yubikey would be awesome, but you have to pay for that.


There is also Duo Security, but thats only free for 10 (maybe 5) users.


The best free option would indeed be Google Authenticator, but keep in mind not everyone has a google account, and I think this is required.


In the end, dual auth may (if implemented) end up being Opt In since you cant guarantee that everyone has a way to do dual auth.


Just food for thought. :)

Luckily, a Google Account means nothing on Google Auth unless you're using it for Two-Factor on Google.com itself.


To use Google Auth on a third party system, no Google Account is required. I vote in favour of this feature.

photo
2

Yes Google Authenticator is must !!

photo
1

This is insane how come! we don't have this two factor its a must option now days with so many vulnerabilities and exploit such heartbleed and stuff this option is must!

photo
1

I suggest starting with the to most requested methods :


Google Authenticator

YubiKey


Keeping in mind that this should be pluggable so other methods could be added by third parties or added at a later time my cPanel if requested enough.


We would be glad to help out if required with the yubikey implementation as we have already implemented it in a few PHP projects. I'm quite sure yubikey themselves would also be pleased to see their hardware working with cPanel :)

photo
1

I implemented Google Authenticator to MyBB in about a day.

You say it might be released in approximately 2 years.


I heard the Ajenti team is actually listening to it's customers, you should seriously consider doing the same or I'll be switching. Maybe it helps if I ask them to integrate GAuth and then recommend them to every single CPanel user I know (and I know quite a few, 40-50).

Google Authenticator and/or Yubikey, NOW. I can't believe I actually pay for this.

photo
1

This would be a great security feature considering even if your root password is compromised they still have to have your random code, thus giving you time to see that someone has broken in and change your root pass and security settings before they download or damage anything.

photo
1

Necesary for WHM / Admin & resellers atleast

photo
1

The following plugin uses the cPanel Security Policy API


https://github.com/steadramon/cpanel_addon-twostepauth

photo
1

Definitely would like to see this feature released.

Google Authenticator would be a definite want in terms of platforms supported.

photo
1

Será muito útil!

photo
1

Disagree

photo
1

Would LOVE this on my system. Vote for the use of Google Auth

photo
1

+1 for this

photo
1

Please add this at least for WHM for a start, or at least for root WHM access for now. That part can probably be implemented very fast.

Google Auth, and Toopher should be the first two options, and you can extend it later with other account levels, service access and auth services, but this basic option for WHM root account should be implemented asap.

photo
1

Not sure that toopher is the most known. I don't like the idea of not being able to login if my phone isn't charged and the two I've seen to be the most used are google authenticator and yubikey. We use yubikey because you can have multiple Keys so you always have access.


One important thing in the integration of 2FA is that it's important to be able to authorize multiple devises for a single user. That could be two phones and an ipad or 3 yubikey's

photo
1

This two-factor authentication with one click was requested one year ago and tops the ranking of cPanel feature requests. Anybody from cPanel could update us about when this feature will be available? Many thanks.

photo
1

It's minimum security requirements.

photo
1

When it will be Implemented ?

photo
1

This will be a great improvement to the overall server security! please implement it asap :)

photo
2

Yes, I totally agree with such an implementation. We need some extra hours of sleep for godsake! :)

I tried to implement RV2Factor for WHM and cPanel but it wasn't the best of experiences. WHM part worked OK after LOTS and LOTS of efforts and after granting SSH and WHM access to their tech support (!!!) but the cPanel bit never worked as intended so I never launched it for my clients.

photo
1

This needs to be implemented as soon as possible. Authy is a good alternative.

photo
1

With all the web attacks, I am surprised they havn't done this yet.

photo
8

COME ON cPANEL! It has been over a year since this request was published, and yet you still haven't even replied to this. Look at the facts:


1. There have been numerous vulnerabilities like Heartbleed, Goto FAIL, and the CCS Injection vulnerability which Two Factor Authentication helps provide extra security against.


2. Hundreds (maybe thousands) of websites already have support for Two Factor Authentication.


3. Major CMS and portals have support for Two Factor Authentication, like WordPress (which has many plugins for this), Joomla (which has Google Authenticatior built in), and Drupal.


4. One of your competitors (Parallels Plesk) ALREADY SUPPORTS TFA with Google Authenticatior and Clef under their extensions catalog. You can see this in their demo with the username admin and the password panel.

photo
3

WAKE UP CPANEL!!!!

Let me just say I've received 67 emails TODAY about people ATTEMPTING to break into the WHM portion of the server. My server is pretty secure, but I just know two-factor authentication will ALMOST COMPLETELY eliminate this brute force garbage, and other hacking attempts!!!

photo
1

Google Authentificator will be the best think for WHM access ! :-)

photo
1

+1 would be a great security feature.

photo
2

+1 using Google Authentifcator would be great too.

photo
1

This here is a must! Where are Cpanel?

photo
1

This is something we really need. Either though Duo Security or Google Authenticator would be great

photo
1

Why use proprietary software and why lot of people supports Duo Security or Authy and stuff like that? There are many open alternatives that cPanel could use like LinOTP and make the same cPanel server or a central one an Auth solution instead of using 3rd parties for our security. So you trust your data on a 3rd party company that may shut down or change policy or anything else?

photo
2

Bueler?


Where's cpanel at?

photo
1

Any news !

photo
1

I tried Googling this subject up and landed here. Hopefully this will be enabled soon. CloudFlare uses an app Authy that gives you a login code.


Regards, Doc

photo
1

Jacob Munch wrote:

3. Major CMS and portals have support for Two Factor Authentication, like WordPress (which has many plugins for this), Joomla (which has Google Authenticatior built in), and Drupal.


Joomla 3.2+ ships with both yubikey and google authenticator plugins baked in btw.

photo
2

+1 for adding two-factor authentication options to cPanel — hopefully this is a no-brainer in light of the unending stream of breaches over the last 18 months.


Also, +1 for adding Clef as one of the 2FA options. After testing many of the options (Authenticator, Authy, Toopher, Verisign VIP, et al.), I found that Clef provides a simpler and more enjoyable 2FA user experience than token-based options:

  • No passwords: Clef uses distributed PKI instead of passwords — it literally replaces passwords.
  • No temporary codes: Clef does not require temporary codes, the use of which many users find to be cumbersome (e.g., racing against the timer to find the right code on the list [e.g., in Google Authenticator] and then to type the code before it expires, etc.)
  • Single sign on and off with optional timed expiration: sign in once, and you are signed in everywhere; stay logged in indefinitely or until a set time; log out once and you are logged out everywhere.

Additionally, Clef seems to be gaining significant traction as a top-tier 2FA solution. For instance, Parallels Plesk recently added Clef as its preferred 2FA solution. Clef's WordPress plugin has become more popular than Google Authenticator's plugin, it is recommended by CloudFlare, and several top-tier hosts such as SiteGround, Raid Hosts, and 9th Node include Clef automatically with WordPress installs.(Note: I do not work for Clef or anyone else . . . just a webmaster/old hack who cares deeply about the security of my sites.)

photo
1

PRECISAMOS URGENTEMENTE

photo
1

This is a HUGE must for the WHM side of things and would be nice to also allow customers to decide if they want to use it. I would very much suggest using the Google Auth since it is the most widely used. :)

photo
2

Two Authentication for a server is good. this will secure you from to be hacked and virus attack. you can access from different access thus will improve your website much better speed. get more example : http://www.results396.in/

photo
2

Are we really facing a year old thread with over 400 votes? And still without any feedback from CPanel?

photo
1

Cpanel does't give any feedback until a feature gets close to planning stages. If you look at the feature requests by popularity once everything that's planned is implemented we are left with 2FA, nginx, DNSSEC, incremental remote backups, so my guess is, judging on difficulty and popularity that 2FA could be one of the next large feature requests to make it to the planned stage. Wait and see...

photo
1

I'd love for yubikey to also be an option for 2FA instead of just mobile app!

photo
1

Please - 2 factor by Google auth

photo
1

Google Auth Will do the trick for me! Please add it

photo
1

Frankly I'm astonished cPanel.net is behind the curve with this one. So yeah, please add my vote.


Next I'm going to go over to GoodYear.com and vote for tires without inner tubes.

photo
1

I came across this thread after searching for some form of two factor authentication I can implement on our sites WHM login. As an IT security analyst and someone who follows the headlines, I'm shocked this has not been implemented yet! This gets my vote!

photo
1

It would be nice if it also supported yubico otp and/or u2f devices.

photo
1

Has my vote too!

photo
1

Another vote for 2FA. Duo Security and/or Yubico is needed. Having our cpanel's vulnerable like this is very bad.


I am truly astonished that this hasn't been enabled years ago, especially considering how many big time hacks go on and how important this software is to running a web server.

photo
1

It would be really good to have this feature with twilio API. +1

photo
1

This feature request is two years old... WHAT ARE YOU GUYS DOING besides ignoring this?

photo
1

I just added tfa to a couple of Drupal sites, 10 minutes or so and it's working fine. I use SSH with key pairs, limit access to my IP, all kinds of stuff. Yet anyone from anywhere can attempt to brute force my main account on the server -- and of course this goes on all the time as others have noted.


Yes, definitely add TFA to the WHM / Cpanel accounts.

photo
1

This is currently the second most popular requested feature and appears to have sat dormant for 2 years. I can see that implementing this would be a big job but it would bring very real benefits to whm/cpanel users.


Hopefully cpanel could at least provide a timeline for this feature. ???

photo
1

Can't believe this is not a thing yet.

photo
2

Hello,


I am investigating two-factor authentication. Would using a tool like Google Auth, that is already installed on many user's phones, be acceptable?


This would give no third party a direct access to a server. I have used Google Auth on my wordpress site, and find it simple and clean. Would that approach work?


I look forward to your feedback.

photo
1

Hello Travis,


We don't use google auth because if your phone isn't charged or is in repair then you wouldn't have access. It's a good system just not adapted for companies as they don't all provide smart phones to their employees.


For us the rearly important one is yubikey. It's used by Google themselves and by other large companies. Yubikey's advantage is to allow multiple keys to be added and does't require a phone.


The most used free system is google auth, the most used paid system is yubikey. There are other that are popular such as clef, swiftkey etc.


Please make it so people can create their own plugins so each supplier can provide their own system.


My vote goes for both google auth and yubikey for the first version, implemented as plugins so it's easy to add other ones.


Yubikey is just as secure on the server side as google auth. You just submit the key to their servers and ask if it's valid or not. You still use normal password as well as 2factor so even if their servers were compromised one day it wouldn't give direct access to whm.

photo
1

The server admin should be able to enable/disable 2fa auth methods and each user (whm or cPanel ) should have a list to choose from. If you have paid hardware then you will want to use that method, if you don't then you will want to use google auth.


Each user must then be allowed to associate more than one devices (multiple phones for google auth, multiple keys for yubikey) as it's important if one is lost or stolen to be able to log in with another one to disable the missing device.

photo
2

Another point i've just thought about...


On the login page I think it's important to not hive any indication about a username or password being correct, so you can't show 2fa after submitting the username and or password, you should have a choice of available 2fa methods (none, google auth, Yubikey etc.) maybe just simple tabs befor submitting password... So that the user has to know which method his account uses. Yubikey and google auth both have a single text area, so if these are used they maybe you wouldn't need to select which one so it could just be an optional field without having to choose. But other systems might not have a field to fill in ? (Clef requires to generate a code bar that is scanned by a phone and swift keys auto allow logins without the user pressing on a button), not sure we would persoanly allow those two methods as to keep it simple, google auth (free) and yubikey (paid). No indication should be given as to why the login failed.


Taking into account how all 2fa systems work, just an optional 2fa field (with optional written clearly so new users don't think they have to put something there) should be ok. Systems that don't use it can just leave it empty (users without 2fa, swift keys, clef etc.)

photo
2

This has a big +1 from me too - I would love to see 2FA on my WHM and cPanel accounts. I already use Google Authenticator (as do many others here), so this would be great.

photo
3

Yes, please give us 2FA.


This is how I would do it.


whm-login-page-security

photo
1

Travis Ellis wrote:

Hello,


I am investigating two-factor authentication. Would using a tool like Google Auth, that is already installed on many user's phones, be acceptable?


This would give no third party a direct access to a server. I have used Google Auth on my wordpress site, and find it simple and clean. Would that approach work?


I look forward to your feedback.

This is a great idea, Google Authenticator is a great app and I use it daily. Two factor authentication would be great for cPanel and should be considered a must now a days for providing security.

photo
1

Travis Ellis wrote:

Hello,


I am investigating two-factor authentication. Would using a tool like Google Auth, that is already installed on many user's phones, be acceptable?


This would give no third party a direct access to a server. I have used Google Auth on my wordpress site, and find it simple and clean. Would that approach work?


I look forward to your feedback.


Google Authenticator is perfect as you do not have to have a phone to also have access. There are desktop programs as well!

photo
1

Hi Travis,


Any ETA on when this feature will be implemented? (I see the conversation has been going on for 2 years already...)


Many thanks in advance,


Frederic

photo
3

Hi Frederic,


My Team is currently working on GreyListing to fight spam. We likely have another 3-4 weeks of development on that feature. After that we will be working on Two-Factor.

photo
1

Thanks Trevis,

I really appreciate the rapid feedback and all the good work you guys are doing.

Looking forward to seeing it implemented once you're done with GreyListing.

How many weeks of development do you envision Two-Factor to take?

Cheers,

Frederic

Travis Ellis wrote:

Hi Frederic,


My Team is currently working on GreyListing to fight spam. We likely have another 3-4 weeks of development on that feature. After that we will be working on Two-Factor.

photo
1

Thanks guys that's a great function we must have now a day for security. Very often I will ask my hosting company to make configuration for my server. If we turn on this two-factor might be a hard for them to access. I suggest we should have a whitelist of ip address (as an option) to login without the two-factor while other ip require to input the two-factor.

photo
1

Travis Ellis wrote:

Hi Frederic,


My Team is currently working on GreyListing to fight spam. We likely have another 3-4 weeks of development on that feature. After that we will be working on Two-Factor.

Good to hear! More and more services are supporting two-factor authentication and important services like WHM/cPanel cannot lack behind and I'm glad to see you guys are working on it.


The growing number of attacks scares me even when using a huge random password and forcing TLS with strong ciphers!

photo
1

Is really a must. Please, make this, all we needs most security!

photo
1

Seen as this has been suggested two years ago, has cPanel implemented it?

I am all for 2 FA, and currently use the Google Authenticator app for nearly everything so would want to use it again.

photo
2

Travis Ellis wrote:

Hi Frederic,


My Team is currently working on GreyListing to fight spam. We likely have another 3-4 weeks of development on that feature. After that we will be working on Two-Factor.

Just noticed your response. Thats fantastic. So work is expected to start soon? I cant wait!

photo
1

I cannot believe this request has been sitting around for so long. My servers are hardened and firewalled and despite my active attempts at keeping it secure, a password was broken through brute force a couple of weeks back. All it took was this one incident and cp.php uploaded to destroy the security of one of my servers.


If two-factor was available, this would not have happened. I'm currently exploring other options in regards to hosting software solutions. Cpanel has let me down tremendously.

photo
1

Google Authenticator does a good job!

https://www.twilio.com/blog/2013/04/add-two-factor-authentication-to-your-website-with-google-authenticator-and-twilio-sms.html

The Microsoft has also implement Google Authenticator into their website, so why cPanel does not?

photo
1

I certainly agree with this request. However, I must stress that it needs to be a widely available system... Google Authenticator works perfectly for this.

photo
1

Please for the love of god cpanel.


I just tried using RV2Factor which is a third party 2FA product and its a piece of CRAP.


Could not activate it and took them 4 days to answer a support ticket as I could not even get it working.It cant be THAT hard to put 2FA into Cpanel can it????

photo
1

If you really want a kind of "two factor" support right now you should get a key like a Yubikey and program the second slot with a fixed strong password and use this as the second part of your password (as yubikey presses enter after writing the password).


It would be great to see Google Authenticator support (with SMS fallback) but I would be even better to see Yubikey support.

photo
7

I am still gathering a bit more data for this feature, but the overall things I am hearing are:

Google Auth

Yubikey


If we provided these two as supported 2FA systems would that satisfy your requirements?

photo
1

that would work for me... I use GA for almost anything - saves needing "yet another app...."

photo
1

Yes, the Google Authenticator support would be fantastic. A majority of third party websites I use that offer 2FA integrate with Google and their 2FA API, so utilizing that would be ideal as it is already a common choice for 2FA.

photo
1

Travis Ellis wrote:

I am still gathering a bit more data for this feature, but the overall things I am hearing are:

Google Auth

Yubikey


If we provided these two as supported 2FA systems would that satisfy your requirements?

Hey Travis


That's really great, You can also review Authy .. That's good one

photo
1

Yes, Google Authenticator is the mostly used authentication for many websites, and its easy to use. +1 here

photo
1

Travis Ellis wrote:

I am still gathering a bit more data for this feature, but the overall things I am hearing are:

Google Auth

Yubikey


If we provided these two as supported 2FA systems would that satisfy your requirements?

Yes, Google Authenticator is a good option. Also, you can check the new FIDO standard (recently adopted by Google) that enable users to authenticate to sites with a FIDO key (like Yubico).

photo
2

+1 for Yubikey

photo
1

Also a +1 for Yubikey from me :) Like it better than GA but it would still be great to have as many people use GA too.

photo
1

+1 for Google Authenticator - easy to use, and I already use it for a bunch of other things, so it would be great for me!

photo
1

+1 for GA, albeit Yubikey would be fine too!

Thanks.

photo
1

Travis Ellis wrote:

I am still gathering a bit more data for this feature, but the overall things I am hearing are:

Google Auth

Yubikey


If we provided these two as supported 2FA systems would that satisfy your requirements?

Heya Travis,

GA and Yubikey are good however I would like to see one enterprise level option added also. Duo Security offers 10 free users and is quickly becoming the defacto standard in enterprises (mainly because of the ease of integration including into SSH protocols as well as other web applications) as well as the very user friendly feature of a push notification requesting approval as the second factor.


I think at minimum GA and Yubikey are good but I would REALLY like to see DuoSecurity supported as well (hey, if LastPass can support it then I am sure you can as well) and would provide a good option for enterprises as well as large shared hosting companies that wanted to implement enterprise level security to protect their shared hosting accounts.

Cheers,Stuart

photo
1

What happen the update Generation?

photo
2

Travis Ellis wrote:

I am still gathering a bit more data for this feature, but the overall things I am hearing are:

Google Auth

Yubikey


If we provided these two as supported 2FA systems would that satisfy your requirements?

Travis,


Duo Security is enterprise grade security as mentioned above. The guys at Facebook and even Google Ventures/Google execs themselves use DuoSecuirty and invested money in the company. As well as NASA, tumbler and me. =)


https://www.duosecurity.com/success-stories/facebook


http://blogs.wsj.com/venturecapital/2012/02/28/google-ventures-backs-duo-security-to-fight-online-fraudsters/


Duo Security also supports TOTP passwords, Yubikey and other standards. Meaning users can use it for Google Authenticator TOTPS and add the Yubikey tokens. So its an ALL IN ONE and Free for 10 users.


SMS, Push. Iphone/Android and other mobile apps.


You can easily integrate Duo Security to CPANEL with their WEB SDK:


https://www.duosecurity.com/docs/duoweb


Client libraries are available for Python, Ruby, Classic ASP, ASP.NET, Java, PHP, Node.js, ColdFusion, and Perl.


Just my 2 cents.

photo
1

Travis Ellis wrote:

I am still gathering a bit more data for this feature, but the overall things I am hearing are:

Google Auth

Yubikey


If we provided these two as supported 2FA systems would that satisfy your requirements?

Yes, that's all we require. It would be nice however to be able to extend it to for example allow a mobile phone number to be entered and to use a third party API to send a text message with a code.


Here is how we are going to implement 2FA to our Client Area :


1) Backup auth system : SMS and unblock code generation

2) Allow multiple devices, to be authorised : Google Auth, Yubikey (allow multiple Google Auth phones and multiple Yubikeys on a single acccount

3) Allow user to add IP's that don't require 2FA and manage per IP if an e-mail alert is sent for each IP when users logs in.


The two important things we request are :


Multiple devices/2FA systems per account.


Ability to quite easily add third party systems to allow other 2FA suppliers to write their own plugins and for webhosts to write their own custom plugins like sending mobile text messages, or having a button in their client area that gives the code unblock code.

photo
2

Travis Ellis wrote:

I am still gathering a bit more data for this feature, but the overall things I am hearing are:

Google Auth

Yubikey


If we provided these two as supported 2FA systems would that satisfy your requirements?


- Google Authentication

- Yubikey

- DuoSecurity


This makes it possible to for everyone use the Two-Factor Authentication. Not only for those who like SmartPhones or External Devises. I have been using DuoSecurity for years already for simple UNIX root logins. This method enables phone call or SMS option for two-factor authentication. I strongly suggest to add ALL of these three options.

photo
1

Below is a copy of my blog post contribution to this discussion over at my journal at:


http://www.leeteq.com/series/protecting-user-accounts/cpanel-whm-2fa-discussion-contribution-2015


***************


**This is an important strategic choice**


Generally speaking; Mobile solutions should not be the ONLY option.

(but practical as one of several options)


There are many scenarios and security considerations that requires that one can log in securely even (or especially) when the mobile network(s) are inaccessible, so a system that depends on that is by default a strategic problem, especially for server admins and (web)services. It is not an acceptable situation to introduce a solution that requires either mobile network availability or that the mobile phone is not lost/stolen/broken or its battery is dead.


For server platforms, it is also a question about how to deal with the responsibility for the security on mobile phones, if a 2FA solution is only dependent on the mobile device, which can be hacked.


*Remember; this is NOT just an end-user challenge for cPanel...**


This is not only a question of protecting a login, but also the very server or site administrator which may open up access to more than just one web site or cPanel account. IMO, server admins need to be able to enforce hardware based tokens for at least some of the accounts, and for this, both price, durability and form factor comes into the picture, in addition to the security architecture itself.


Some server scenarios also have the aspect of time criticality: There are situations when time is critical, and it would be unacceptable with unnecessary delays cause by mobile phone/battery problems, stolen/misplaced phones, or the like. It is also unpractical to keep extra/spare phones available as they would need to be charged/available, etc. There is a need for a solution that brings flexibility to the table.


A solution should also cater for using the same security token with several accounts, and enable blocking/temporarily disabling/enabling of such whenever some may be misplaced.


Below, I outline the flexibility that Yubikeys provides:


**Strategic elements for both cPanel.net and all of us:**

1. WHM and cPanel are strategic elements by nature. cPanel caters for the admins and business developers that serves services and solutions for the greater public. Today's most flexible example, Yubikeys, can be configured for (FIDO) U2F, Yubikey OTP, Symantec VIP, OATH-HOTP, OATH-TOTP, "Challenge-Response" / HMAC-SHA1, OpenPGP, Secure Element, CCID Smart Card...


2. The Yubikey server and software are Open Source (!)


Think about that for a moment:

- What does that open up of hyper-relevant possibilities for a PLATFORM like WHM/cPanel? We can for example bundle the Yubikey server as a Softaculous installation script, so that the key verification does not need to rely on (only) the Yubikey public server, but can be self-hosted inside cPanel...!


3. "Challenge-Response" mode:

- Yubikeys can be configured to use one of its slots/functions in "Challenge-response" mode, and the smallest version physically "disappears" into the USB slot and can stay there. Just touching its edge is enough to operate its two modes. That "Challenge-response" mode is also very relevant for server environments that can for example deal with (and enhance) the timeout of user logins by challenging the physical key without user invention, eliminating a huge annoyance for most admins and users. Combined with the fact that the server is Open Source software, this is significant. Combined with the physical form factor of the "nano" model, which does not stick out of the USB port at all, the convenience and practical value of this is significant.


4. Two-factor solutions based on SMS/Mobile phones are unnecessarily vulnerable, as they very prone to theft, loss, destruction, etc. Server solutions CANNOT be limited to something that becomes a show-stopper whenever the coffee happens to spill over the mobile phone (again), its battery just went dead (again), or its lost (again)... Yet it is practical to be able to have such mobile 2FA solutions as ONE OF SEVERAL options, which the Yubikey also provides.


5. Server solutions sometimes also need a physical, hardware (server-side, in-place) solution, which also should be supported.


6. Physical SSH login security with Yubikey + password (client-side) (need access to and physically press the Yubikey and provide a password. Even if network/router/connection is hacked, someone accessing the files on the client computer, copying its local private key file or the like, still cannot log in.


*****


**Practical insights regarding the Yubikey:**


(Why the Yubikey exactly? It just happens that right now the Yubikey is perhaps the most flexible, practical and affordable long-term example out there... Correct me if I am wrong, but from a server solution perspective, who else provides this flexibility, convenience and security, at such a low cost? )


- The Yubikey is a configurable, driver-less hardware USB token. It identifies as a normal USB KEYBOARD, which means there is NO need for software drivers on any computer or mobile phone.


- It is (VERY) small, cheap, water-proof and virtually indestructable.


- Yubico's Yubikey was the first major supplier to support the new 2FA standard from the global http://www.FIDOalliance.org (members: Paypal, Google, Microsoft, Alibaba, DuoSecurity, MasterCard, Visa, Samsung, Yubico, etc. See https://fidoalliance.org/membership/members/ )


- Yubikey can be (one of) your DuoSecurity token(s)


- Google Accounts (and Alipay in China) can be protected by Yubikeys through the supported FIDO standard. Google refers to this as a "Security key", without naming Yubikey specifically in the initial description.


- Paypal Accounts: The Yubikey VIP model can protect Paypal Accounts. Paypal supports the Symantec VIP (Versign Identity Protection) standard. This works in SOME countries, like US, Canada, UK, Germany and others (more are coming). (Paypal does not know or care about the Yubikey specifically, as long as it is a valid VIP code that is returned) This is a special model of the Yubikey, but as with most of the Yubikey models, it comes with 2 slots/(configurable)functions, so the normal Yubikey OTP is also there by default.


- It does NOT use/have a battery, which means it lasts MANY years.

TOTP limitation (side effect): services that use TOTP (Time-based OTP), must either use mobile apps like Google Authenticator or DuoSecurity in conjunction with the Yubikey to get the current time stamp (from the mobile phone clock), or install Yubico's own, free software on computers running Windows, Mac or Linux in order to interact with the Yubikey and get the current time from the computer clock.

(PS. This is NOT needed for the mentioned normal operations with OTP, Google Accounts, Paypal or the like.)


- Mobile apps: The Yubikey can be used with both DuoSecurity app, Google Authenticator, and more, both with the physical connection USB cable (standard+most Yubikeys), and NFC (see below)


- The latest Yubikey NEO model comes with NFC (Near Field Communication) support (wireless connection) that can be used with mobile phones (close proximity, no cables or physical connection necessary). This means that you can swipe the mobile phone over your pocket where your Yubikey is safe on your physical key chain or the like, without taking the Yubikey out of your pocket. Just swipe, and you get the code on the mobile screen. This can be an interactive two/three step process, or totally automatic, depending on the setup.


- The One-Time-Password (OTP) tokens are different each time, yet still identifies that particular Yubikey against either the free Yubico public server, or against your own implementation of that free, open-source server.


- You can install ready-made, open-source software on your Windows, Mac or Linux computer to use the Yubikey to also secure your computer account(s) logins. The software is managed at Github. (I _THINK_ all the clients are also open source (not only the server), not 100% sure about the Windows client though, haven't checked that (yet).


- We have used free, open-source Yubikey plugins/modules for CMS systems like Wordpress and Drupal for years. (which we use cPanel to host and administer...)


*****


**Recent Updates (April 2015):**

- Google just updated their Two-factor authentication interface and multi-account admin services, and it is now very convenient to use and administer Yubikey(s) for teams (read: FIDO-compliant Security Keys) to protect Google Accounts.

- Yubico just launched a new pricing scheme, both lowering the prices and also now avoids confusion and dilemmas by no longer pricing the ultra-small Nano model(s) separately. It just became easier to choose.


*****


**So:**


cPanel.net can certainly (help us all) kill more than one bird with this stone if you let this technology choice also be a (long term) strategic decision.


We should not a) be dependent on (only) mobiles, or b) have a situation where we are walking around with x bulky devices in our pockets, catering for a variety of proprietary services that does not support convenient global standards. It is far more practical to support a global standard that also lets end users have some freedom of choice as of which standard-compliant product they will use.


The FIDO path is here to solve this, and currently I would be both very pleased (seriously; anything for the better...) and (very) surprised to find anyone giving Yubkeys serious competition. (form factor, price, open-sourced server, etc.)


See more information about the global FIDO alliance here:

https://fidoalliance.org


Regards,

Leeteq XV :-)

photo
1

I would encourage you to take a look at the SQRL protocol as well: https://www.grc.com/sqrl/sqrl.htm

photo
1

PS. (a note to my previous post) The current FIDO standard does not currently offer solutions that address all concerns, though, so as far as I can see, making sure of NOT choosing solutions that can NOT be (also) used with Yubikeys, offers the greatest flexibility.


And, for example, consider the power of enabling easy installation/activation with configuration wizard of the open-source Yubikey server from inside WHM... How about reaching out to the Yubico devs at Github for a talk about the options?

photo
1

I support this but would inquire as to how you'd handle having multiple administrators (support staff)

photo
1

If this is implemented correctly you would be able to add multiple devices per user, this is a requirement for Yubkey and I don't see what it wouldn't be done like this in the same way.


For logging purposes, it would probably be better to create a full reseller account per user anyway to you could know who did what instead of everyone using the root user but if you still want to do this, it should be possible by adding a key per employee. T

photo
1

duplicate entry, can be deleted

photo
3

I support this but would inquire as to how you'd handle having multiple administrators (support staff)

photo
1

Just going to throw it out there, this is one of the reasons I suggested Duo Security.


With Duo, you can set up multiple numbers/devices/methods on a single user... VERY handy, so you could assign all your mobiles to the "root" user of each server and then each person could authenticate...


So some form of enterprise authentication such as Duo for things like datacentres I think is necessary.


Take that same case with google authenticator. Short of sharing the scan code, you have no way to manage multiple device access. Say you then need to revoke one person's access you have to send out a new scan code for everyone to copy and put into the GA device.


With Duo... you just revoke the phone "device/number" and they can no longer authenticate with two factor auth, it is immediate and does not interrupt everyone elses access.

photo
1

The advantage of duosecurity isn't that you can have multiple devices in the system because all correctly implemented 2FA systems should allow this, but that you can accept all the different 2FA methods. However while I agree to pay for Yubikey's I don't think Duosecurity is viable if you have more than 5 or 10 users unless you only use it for administrators and not for customers.

photo
1

Also, forgot to mention earlier, following on from what @bellwood said above, I think it is imperative that there are two levels considered for activating two factor authentication.


One is on the user side, for people using cPanel (and they should be able to activate it even if the hosting provider does not use it globally on the server). The other is on the WHM/admin side which needs to be configured separately (and quite distinctly from the user side).


I guess it would also be beneficial to have an overall setting which dictated to users that they have to use two factor authentication as well (when referring to the cPanel config specifically).


Also when looking at two factor I think Web Logins and SSH needs to be looked at as a minimum.

I must be up to my 6c or 8c by now... what can I say :D passionate about the topic.

photo
1

Agreeing with @nerdzoll about the distinction between controlling 2FA for WHM and cPanel accounts, and also - or especially - about the ability (option) to enforce 2FA across the server (1) and ideally also on spedific/selected accounts.

photo
1

I am also curious about the benefits of using DuoSecurity's services.


But for a general solution, I think that cPanel needs to avoid locking the solutions into anything that enforces cross-continent communication for such critical features.


With the ongoing surveillance debates etc., there are an increasing amount of clients outside the North American continent that will require that the authentication traffic does NOT involve "external" servers, and nowadays, in particular US services. Here in Europe for example, we need to be able to offer alternatives that ensures the whole communication happens within the EU. We have projects that even use this as part of building confidence these days: specifying that "no data leaves EU", as one of the points of sale.


I would think that cPanel dont want position themselves outside of this scope unnecessarily.


Does DuoSecurity have fully independent services on each continent? For the data, that is already being guaranteed by providers such as Google. I am not sure, but I think Google Authentication is either already offering that, or on its way to be enforced to do so by the legislative authorities in EU.


However, I both want to look for alternatives outside of their reach, and avoid locking into a webservice/vendor for the authentication. That is why Yubico is extra interesting, as they maintain an Open-Source, free authentication server that anybody can host themselves. That traffic does not even need to leave the server.


There is no conflict between Yubikey and DuoSecurity, though. They can happily co-exist and be used in tandem.

My point is just that I think that it is imperative to consider (optional) shipping with a built-in authentication server.


It should become easy as in a click-to-play to choose between DuoSecurity, Yubico Public Server, or Self-hosted Yubikey server, and get a standard installation and configuration options right out of the box.


Market potential / new services:

Obviously, here is also a potential new server security (co-)administration market potential. (Added managed hosting just for periodic security updates and security reviews for the self-hosted server.)

photo
1

(Plus, technically speaking, it is not nice to be dependent on reaching out across the Atlantic (in this example) just to be allowed into a server whose whole operation is perhaps inside the European continent. It adds an unnecessary dependency on irrelevant parts of the internet backbone. Same goes for other continents. I think this is a valid concern.)

photo
1

Keep in mind that 2fa is not only about technology but also management. In fact management is very hard thing especially when user lost their credential. For yubikey, it works for corporate where you know each other but not for hosting environment which most done remotely. It may work for 2fa for root SSH but not practical for cPanel user. And not easy if you outsource support to 3rd party vendor. How do you handle the hardware token distribution? And how to get the new one if you lost usb key, redistribution takes time. It is worst than mobile. On mobile, no need to distribute, you can download app right away. If user lost mobile, put it on the verification process in the same way as user request to change the password.


As I am only one here already implement 2fa on cpanel/whm. I would suggest you to think based on application by application. You cannot make it once for all services.


- Console; this is highest level. If 2fa is implemented here, you will need to find a way in case root is locked out.


- SSH; PAM is required. But manage credential on several severs is a nightmare. I would suggest you run secured box as a SSH gateway then configured it to passwordless access to the target server. And secured cPanel server by allowing only SSH gateway to access it.


- WHM, cPanel, webmail interface; cPanel already provide a mechanism to implement 2fa. It calls cPanel Security Policy Plugin since 11.28 (https://forums.cpanel.net/threads/new-feature-in-version-11-28-security-policy.169118/). There are free and paid cPanel plugin already implement 2fa through this.


For cPanel and webmail interface, it is quiet useless if you cannot secure FTP, POP3 and IMAP though.


- POP3, IMAP, FTP, Webdisk; don't bother on 2fa. Outlook, thunderbird, ftp clients, and etc. do not support it. But you should implement separate application specific password similar to GoogleApps ( https://support.google.com/mail/answer/1173270?hl=en)


PS: if cPanel want to built in support Symantec VIP, I can help you negotiate. According to the size of servers run cPanel, it will cost less than 0.8$/credential/month. Keep in mind that this is not per server, it is per person who activate the account. 1 credential can use for unlimited cPanel server.

photo
1

*removed*

photo
1

I don't get it, this is the second highest voted request on the site and it is not even in planned stage, let alone in progress? Come on cPanel, give your users what they are asking for.

photo
3

I agree with you, Paul.


I have stopped posting ideas on this thing, simply because I have the feeling that it is easily used in ticket handling to direct customers towards the features portal so they can close the support ticket, and not deal with the need of following up themselves actively.


While I'm all in favour of that evolution, the feature requests really should be monitored more actively. Also - even requests with very low animo should be treated by staff, as some of the requests I posted are in fact bugs that have never been fixed.


I don't know why, but I simply have the feeling that cPanel used to tailor customer requests a lot faster and better in the past. Now I'm just waiting to be bored by yet another theme that is not the core thing that needs improvement.


Just my two cents really.

photo
1

In our opinion, cPanel has actually been releasing more features at a faster rate than before. They have dealt with 5 or 6 year old large feature requests.


They haven't actually planned this feature, but I believe it will soon be marked as planned as they said they would start working on it once Greylisting have been released and it has just made it to current.


If you check out how much they have released in the last two years it's quite a lot and defenetly more than what they used to release per year 4 or 5 years ago.

photo
1

I agree that this is URGENTLY needed. I also cannot help the impression

that this is studiously ignored, due to unfathomable reasons.


Furthermore,

at this point in time, any discussion of the technology used is

pointless as long as Cpanel has not expressed its willingness to

actually deploy 2-factor. I will gladly accept any 2-factor technology

they finally use, while hoping that it is a widely accepted, and easily

available technology.

photo
1

cPanel confirmed in March that they will put it on their priority list after they have finished the then current main task(s). This is not anymore about whether or not to implement 2FA in cPanel/WHM, but about deciding on what kind of flexibility/solution(s) that is practical to implement support for in order to cater for most use cases.


Also see what Benjamin Chennelis-Webb just pointed out, that Pluggable Authentication is a prerequisite - https://features.cpanel.net/topic/pluggable-authentication-pluggable-auth

photo
1

I agree that this is URGENTLY needed. I also cannot help the impression that this is studiously ignored, due to unfathomable reasons.


Furthermore, at this point in time, any discussion of the technology used is pointless as long as Cpanel has not expressed its willingness to actually deploy 2-factor. I will gladly accept any 2-factor technology they finally use, while hoping that it is a widely accepted, and easily available technology.

photo
1

It should be noted for those who are complaining about a visible lack of progress that cPanel have indicated that another feature request (Pluggable Authentication) is a prerequisite to 2FA systems. That feature is currently in progress and is aimed for 11.50


https://features.cpanel.net/topic/pluggable-authentication-pluggable-auth

photo
1

I agree that this is URGENTLY needed. I also cannot help the impression that this is studiously ignored, due to unfathomable reasons.


Furthermore, at this point in time, any discussion of the technology used is pointless as long as Cpanel has not expressed its willingness to actually deploy 2-factor. I will gladly accept any 2-factor technology they finally use, while hoping that it is a widely accepted, and easily available technology.

photo
1

Hi


Yubikey is good.

photo
1

Google authenticator is ok but one of its downfalls is if your mobile is ever infected with malware the shared secrets used to generate OTPs can be stolen and an intruder could calculate a valid OTP for your accounts. Once PAM support is implemented it's going to be a game changer, as we'll then be able to use Yubikeys which supports both OTP as well as FIDO U2F.

This conversation is kind of timely for me since I'm expecting the delivery of a Yubikey Neo today :)

https://www.youtube.com/watch?v=CEwPP-h8Tzc

photo
1

Obviously, Google Authenticator is an extra security level, but we cannot stay all time thinking in infected mobiles, infected computers, infected ....., I don´t Know how Yubikey works, it seem secure, but... ¿if computer is infected?, ¿maybe someone could get access to if a Yubikey is connected to the computer?


A second part is that hosting customers the won´t buy a Yubikey for accessing his cPanel, otherwise, Google Authenticator is free for them, and would be the way that they will want use it.

photo
1

Don't get me wrong, I'm not saying the Google Authenticator doesn't provide extra security, it's just that storing your shared secrets on a hardware token's secure element is even safer, (i.e.: not susceptible to be phished). The goal of a secure element is to be a tamper-resistant platform which can store confidential data. For an example, Apple's iPay solution makes use of a secure element to contain sensitive information on the iPhone.

Also, it should be noted this isn't a single-use solution. The Yubikey also can be used to generate OTPs for multiple websites, it isn't dedicated to a single website.


https://www.youtube.com/watch?v=W7if0FW12D0

photo
1

123

photo
1

cPanel could move like WHMCS. WHMCS offers DuoSecurity and Yubikey for example. cPanel could do the same and offer a variety of solutions and let admins, resellers and users select what they like. They could use Yubikey, Google auth, Duosecurity and one other open source preferably solution to balance the list.

photo
1

cPanel could move like WHMCS. WHMCS offers DuoSecurity and Yubikey for example. cPanel could do the same and offer a variety of solutions and let admins, resellers and users select what they like. They could use Yubikey, Google auth, Duosecurity and one other open source preferably solution to balance the list.

photo
1

In reality Google authenticator is based on OATH and Yubikey supports the OATH standard. I'm not advocating for support of the Yubikey at the detriment of supporting people who use Google authenticator, I'm merely pointing out the Yubikey is just like Google authenticator but taking it to the next level. The Yubikey Neo supports:


- FIDO Alliances's U2F

- Verisign's OATH (Google authenticator)

- Yubico OTP (i.e.: any applications specifically designed to work with Yubikeys based on their own standard)

- Static password - you can pre-program a very long (think 30+ chars) password to be replayed.

photo
2

2 years old and not even a statement ..

photo
2

Chiming in on my opinion.


Personally if I choose today I would go with the Google authenticator method. Reason being is the app is free and supports all major smart phones. Most people already have a smart phone to use it on as well. There is no need to carry around a physical token either that could get lost.


YubiKeys are awesome yes but as some have stated, people don't want to spend the money to buy one. I've also had a problem where some computers don't seem to recognize it when plugged in. In fact it won't work for some reason on my home computer yet does on all my other computers (all running the same version of windows)


I have been using the Google authenticator on my Google account and other online accounts that offer if for years now. I also have a YubiKey tied to my Google account when they started offering it. It's nice that I can choose which to use when I log into my Google account.


I know for a fact that the Google authenticator is VERY easy to integrate. I've done it on some of my own personal web sites for testing. Took me maybe 15 minutes to do. I have since added it to my companies account management login systems.


P.S. Why not add support for both and just let the end user choose what they want to use?

photo
1

*sigh* It's not an "either, or" situation. If you knew a little something about Yubikeys you would know that...

photo
1

The Joomla content management system supports both Yubikey and Google Authenticator simultaneously, so I imagine you could do the same for WHM/cPanel.

photo
1

@Krealic: Bingo!

photo
1

@phatrik: Sorry guess I'm no expert on YubiKeys. All I know is I have the Neo and I have programmed slot 1 and 2 to my on personal needs. I also use the FIDO U2F security key for my Google account as a secondary method to my normal Google Auth app.

photo
1

Different standards and lots of acronyms. Google Authenticator is compatible with OATH (Initiative for Open Authenticator), a standard which defines the generation of OTP (One Time Password) passwords (sometimes referred to as tokens). FIDO U2F (Universal 2nd Factor) is a type 2FA (2nd Factor Authentication) however isn't what's referred to as OTP and instead relies on public-key crypto (think about an SSL certificate you install on a web server, minus the certificate authority). U2F is great (I'd even say better than OTPs, IMO) however unfortunately isn't widely supported yet. Bummer. Check out the following page for a list of sites which support OATH OTP and U2F (only Google so far):


http://www.dongleauth.info/


I also have a Yubikey Neo. Right now the first slot was left to the default configuration, which is to generate a Yubikey OTP and my 2nd slot is configured for a static password. Whenever I login to Google I use an OATH OTP which I get from a program really similar to Google Authenticator except that before the OTP appears on the screen I need to swipe my Yubikey near the NFC sensor behind my phone. See:


https://www.youtube.com/watch?v=W7if0FW12D0


The shared secret needed to generate the OTP (i.e.: the static value plugged in the math formula) is stored on a secure element on the Yubikey and the OTP can't be generated without the swipe.


Back to the subject at hand: In the end, all that really matters is that PAM authentication is integrated into cPanel/WHM (as opposed to a non-standard solution). The rest is ezpz.


Hope this helps clear things out. In my original post over a week ago, I never advocated for Yubikey support over Google Authenticator (in fact, in my 2nd post, I clarified they both follow the same OATH standard), all I was saying is while Google Authenticator adds some layer of security to the whole process, using a Yubikey is (undeniably) more secure. Let's hope PAM (Linux Pluggable Authentication Modules) is what's integrated into cPanel so we can decide for ourselves what we prefer.


Cheers

photo
1

Well stated and factual - however I would point out that while all of the methods above are better than a simple password file in cPanel we still have not addressed the elephant in the room. Most of the cPanel hacks have bypassed the PAM module and thus circumvented the entire Authentication process.


We need to develop a method that relies on a trusted element outside of cPanel for full authentication, and while multi-factor methods are a great start they only prevent amature hacks or sholder surfers from access.

photo
1

Well stated and factual - however I would point out that while all of the methods above are better than a simple password file in cPanel we still have not addressed the elephant in the room. Most of the cPanel hacks have bypassed the PAM module and thus circumvented the entire Authentication process.

We need to develop a method that relies on a trusted element outside of cPanel for full authentication, and while multi-factor methods are a great start they only prevent amature hacks or shoulder surfers from access.


Good reference -- http://securityintelligence.com/how-to-bypass-two-factor-authentication-2fa-and-what-the-future-holds/#.VYQF3vlVjkX

photo
1

Team cPanel........ consider about this

photo
2

It's a must... definitely! Is there any update on this idea that has 2 years old already?

photo
1

2 years!? I realise that there are other things I can do to restrict access to WHM, but TFA is such a simple solution, and it would be awesome to be able to offer this to customers too. Please consider this, for about 3 minutes, and then get coding :-)

photo
2

2 years!? I realise that there are other things I can do to restrict access to WHM, but TFA is such a simple solution, and it would be awesome to be able to offer this to customers too. Please consider this, for about 3 minutes, and then get coding :-)

photo
1

Any idea on whether this is feasible guys?

photo
1

Personally I'm pretty sure it's feasible. I've added the open source Google auth to my company sites in about 30 minute time. Sure Cpanel will take more time, I understand that.


I've been using Cpanel for about 5 some years now. If I have learned anything from this, it's that Cpanel takes a LONG time to accept anything new (if they do) and then another 1-2 years to implement it.


I will still keep using Cpanel because it's the best choice for cost when it comes to a small hosting company. I have no gripes about it other than the over all system lacking key security features.

photo
1

Sounds like a joke that you can safeguard you wordpress or joomla instance with 2-factor authentication and still, the applications that you pay serious money for cannot get this done? wow... how lame is that....

photo
1

Totaly agree with you @Joe Doe.


PS. Even DirectAdmin has implanted Two-factor Authentication in the last build

photo
1

2FA! +1

photo
1

I honestly CANNOT believe that cPanel hasn't incorporated this in to their software! cPanel is a worldwide platform. so many other small companies are using it. even Joomla which is open source!!!! Come on man!! pull your socks up now!

photo
1

GOod point, I like your article and will be back soon, .

photo
1

PLEASE AND THANK YOU. I truly need this feature.

photo
1

I agree,

I use 2 factor authentication for everything, including my Gmail, and Hotmail accounts.


I honestly don't understand how cPanel havent included this, especially given that sites can get hacked etc.

photo
1

I agree,

I use 2 factor authentication for everything, including my Gmail, and Hotmail accounts.


I honestly don't understand how cPanel havent included this, especially given that sites can get hacked etc.

photo
1

Since the last 5 years I see 80% more cPHulk attacks in the log file. Primary from China and Russia.


I have 3 times a break-ins in the last 6 months. Hackers has send SPAM over two user email accounts and the cPanel support cannot help me to locate the break-ins!!


With so a security relevant thing, like a server administration software is a two factor authentification a "must have"!


It is time, that cPanel build in a two factor authentification with a USB dongle or with "Google Authenticator" over a mobile phone.


In Joomla, Gmail, Facebook, Yahoo & co. and the biggest banks is two two factor authentification already included.


https://blog.sucuri.net/2013/09/big-increase-in-distributed-brute-force-attacks-against-joomla-websites.html


https://www.mattcutts.com/blog/google-two-step-authentication/


Please build in the feature.

photo
1

Moderator: using our feature request site to promote your own product(s) is not allowed.

photo
1

Great news that this is now planned. After a few years of cPanel seeming to be slow adding new features requested on here, it now seems that you are accepting and adding a lot more just recently - thanks !

photo
1

Its about time they set it to planned! Thank you

photo
1

Great news that this is now planned. After a few years of cPanel seeming to be slow adding new features requested on here, it now seems that you are accepting and adding a lot more just recently - thanks !

photo
1

Fantastic news. Whats is the estimated time of production?

Thanks

photo
1

FANTASTIC NEWS

Thanks

photo
1

Which Implementation of 2FA ? There are many. It will be also available for other services like ssh?

photo
1

Unlikely. You can implement 2FA on your own for SSH. I personally wouldn't trust cpanel with that.

photo
1

SSH already has built-in support for 2 factor authentication. Disable password logins, and require pass phrase protected keys. That's something you have (the private key file) and something you know (the pass phase), giving you 2 factors for authentication.

photo
1

Kenneth, that's still single factor. Leave passwords and enable public key. That's true 2FA.

photo
1

All this talk about SSH. The 2FA we're talking about here is WHM and user Cpanel web page logins.

photo
1

@daniel hawton: please read again what I wrote; I described two factor authentication using SSH.


@rezman and Christos: while over the course of time we want to extend 2 factor authentication to as many services as possible, our main emphasis right now is on cPanel, WHM, and webmail.

photo
1

@Kenneth, please read what I wrote. Your pass phrase for your local key is NOT 2FA. That's just a password to unlock your private key. 2FA in SSHd is something like: RequiredAuthentications2 publickey,password in /etc/sshd_config. You said to disable password logins and require phrase protected keys. That is a single factor authentication as far as the server is concerned. Your pass phrase only affects your private key. Use BOTH publickey and a password for 2FA, hence the "2" in 2 factor.

photo
1

@christos We will be implementing 2FA for cPanel, WHM, and Webmail. We might be able to do this in the future for other services, but our first implementation will the interfaces controlled by cpsrvd.

photo
1

@daniel hawton: thanks for the clarification.

photo
1

Hi guys,


Any movement on this?


I would love 2 factor (google) authentication for WHM login.


Kind regards,

Anthony

photo
1

Hi guys,


Any movement on this?


I would love 2 factor (google) authentication for WHM login.


Kind regards,

Anthony

photo
1

For Google Authenticator, it's planned for cPanel v54 :


http://blog.cpanel.com/whats-next-for-cpanel-whm/


For hardware based solutions they haven't given an ETA yet.

photo
3

Hello eveyone,


I wanted to show off a bit of our development version of Two Factor Auth. Please note this is a work in progress and may not be actually reflect the end product.

https://www.youtube.com/watch?v=bef6BRAq4IU&feature=youtu.be

Note: I use the same passcode twice because it was less than 30 seconds from when I entered it twice.

photo
1

Looking good!

photo
1

ETA 2016? BTW Good Job

photo
1

Hello, looks like you have forgotten to allow users to add multiple devices to the same account. If this is not possible it will be useless for corporate users.


Also, would it be possible to put the message in another color than red that requests the 2fa code ? Most users are used to getting a red message when their IP changes or they change browser window, so to avoid confustion I suggest another color than red…

photo
1

The short term solution would be to screenshot your QR code or secret key. The long term user would be the creation of cPanel sub users that would have their own account to setup with Two Factor.


We will be changing the banner to something less alarming like blue or green.

photo
1

Hello, just wanted to say that multiple sub users won't do the job, each user will need to be able to have multiple yubikey's when/if yubikey is implemented.


For google authenticator it's not a problem as it's not rearly a coorporate solution. I just hope that you will implement yubikey auth and that it will allow multiple keys per user unlike the Google auth implementation.

photo
1

Hmmm..... I guess I'm right in thinking this type of 2factor authentication won't stop FTP logins with a cpanel username/password eh?

photo
1

No because ftp is something else, its not possible to apply 2fa to ftp.

photo
1

Really, you should disable standard FTP access and use only SFTP. With SFTP you can then use SSH keys as an added security measure.

photo
1

In case of whm login, 2FA will definitely help.

But the most effective measure is to properly configure your cphulk. that will help you a lot with unwanted ftp logins.

photo
1

They could make it where it's a option to require the 2FA for FTP, and you just have to add the token to the end of the password, or introduce application specific (one time) passwords.

photo
1

NO! NO! Its not possible(not impossible) to implement 2FA to FTP, as no FTP client has an option to enter 2FA code, Period.


SFTP works great.

photo
1

For services, and clients, that do not support 2FA, the common pattern is to require a special password. I believe Google calls this an "application password.'


As Travis stated in an earlier comment we are primarily focused on protecting the web interfaces (WHM, cPanel, Webmail) with our initial offering.

photo
1

You can deploy Duo Unix to cover everything from su, sudo, to ftpd, etc. See http://man.cx/pam_unix(5) and https://www.duosecurity.com/docs/duounix.


Not sue why but cPanel would have adopted Duo Security just like Facebook and others did and make this easier.

photo
1

You can deploy Duo Unix to cover everything from su, sudo, to ftpd, etc.


See http://man.cx/pam_unix(5) and https://www.duosecurity.com/docs/duounix.


Not sure why but cPanel would have adopted and customize Duo Security just like Facebook and others did and make this easier.

photo
1

@Travis that is awesome, is there any plan for Duo integration, as @Sawami pointed out, this is currently in use to cover a variety of services especially SSH... so it would be ideal for us not to have to use two different solutions for those of us already employing enterprise two factor (Duo) by having clients have to use Duo and Google Auth as well.

photo
1

excellent - is there an ETA?

photo
1

Duo is a proprietary service. The strategic choice for cPanel is to

support open standards such as TOTP etc., which indirectly then can be

used with any choice of services that support such open standards, be it

Yubikey or DuoSecurity (or both in conjunction). That way we can all

choose which solution(s) we want to use in our end.


A side note: even if cPanel comes relatively late to the game in this "two-factor" realm, 2FA is just the "beginning"... We are not going to have sufficient security for all servers/situations with only 2 factors, so this is really fundamentally a shift to "MULTI-factor" (i.e. "minimum 2 factors"), which means that the initial support for TOTP will pretty soon have to be extended to also support U2F, Challenge-Response, etc. to work together in 3 factor scenarios too.


The automation potential of Challenge-Response is a good example why the implementation should be prepared to "plug in" support for more such standards to the mix already from the start.

photo
1

Hm, the "post comment button" here is having issues, resulting in various people double-posting, mistaking the re-appearance of the comment in the comment area to mean it did not get posted. Bug, I suppose.


Another relevant article:

https://blog.flameeyes.eu/2014/10/why-is-u2f-better-than-otp

photo
1

I would like to see this feature avaiable, since it's improtant for security now days.

photo
1

Where is this feature? How we can use it? It will be included in next update?

photo
2

This feature will be in cPanel & WHM version 54 which should head to CURRENT later today.

photo
1

Great news. Thanks.

photo
1

I read in the change log it has been hidden by default. I have 54 installed build 4, and cannot find the option to enable it anywhere.

photo
1

I read in the change log it has been hidden by default. I have 54 installed build 4, and cannot find the option to enable it anywhere.

photo
1

@dhawton


You can unhide this by running the following commands:


touch /var/cpanel/enable_twofactor_ui

/usr/local/cpanel/whostmgr/docroot/themes/x/rebuildtmpl

photo
1

This is the blog post that will go up soon:


cPanel & WHM version 54 introduces the new Two Factor Authentication features for the cPanel and WHM interfaces.


This feature is one of the most highly requested features on features.cpanel.net. We at cPanel worked hard to bring this in cPanel & WHM version 54. When the new feature hit the EDGE release tier, some of our third-party integrators grew concerned about the changes made to the API system.


We decided to extend our Two Factor Authentication system to the API to help increase the overall security of your account and prevent a loophole that would essentially bypass Two Factor Authentication.


This complicates the API calls our third-party integrators use to manage resources that cPanel & WHM control. This would cause many third-party applications to outright break for accounts with Two Factor Authentication enabled.


To help mitigate this breakage and give our integrators time to update their applications we have hidden access to the interface in the WHM User Interface. Root administrators can enable the UI by creating a touch file through the command line.


To enable the Two Factor Authentication UI on your system, enter the following command:


touch /var/cpanel/enable_twofactor_ui && /usr/local/cpanel/whostmgr/docroot/themes/x/rebuildtmpl


**This may cause some third-party applications to break significantly and cause applications to improperly store data**


If you are running a stock cPanel & WHM system with no third-party applications or API customizations, you can enable Two Factor Authentication with no worries.


Webhosts and third-party developers should take some time to test their applications with Two Factor Authentication. Examples of how to do API calls with Two Factor Authentication(link to sdk.cpanel.net).

photo
3

Listed as completed now!! I wonder if it's a next-version enhancement like nginx. Going to be one big upgrade, 11.54...

photo
3

This feature is live now.

We are using on our servers.

It's great!

But another subfeature is needed.


Can you add recovery key feature for 2factor disabling or temporary login?

When we lost phone, what will we do?

photo
1

Now that's an interesting question. I'm wondering how cPanel will deal with those scenarios.