U2F as additional 2 Factor Authentication method

Cas Eliëns shared this idea 5 years ago
Open Discussion

It's great that 2FA has been implemented in cPanel version 54. Unfortunately typing over codes is a pain (especially if you first need to find the correct code between the load of other codes I have).


I'd like to suggest an alternative 2FA method: U2F. This is a universal standard adopted by companies like Google, GitHub and Dropbox to provide a faster and more secure 2 factor login experience.


Here's an article explaining the difference between standard 2FA and U2F way better than I ever could: https://blog.flameeyes.eu/2014/10/why-is-u2f-better-than-otp


And on top of being safer, it also looks cool to have to press some shiny button and be magically logged in!

Replies (11)

1

Just so you know, if you use a Yubikey Neo, you can use that to generate TOTPs just like Google Authenticator (or any TOTP application) does. Simply download the Yubico Authenticator app and use that; it works exactly the same as Google's authenticator. At least the Mac version even scans QR codes on your screen in case the secret is not visible.


Although I like Yubikey 2FA as an option, just like all the other 2FA options should be available.

3

I think this is a good idea. Yubikeys have two modes and some have either one or the other. I would like to have both Yubikey and U2F.

1

Chrome is one of the most used browsers. Firefox hasn't been keeping up with fixing their security reports, so unless you are on Mac and use Safari you don't have much choice.


I don't use U2F but U2F is being worked on by Microsoft for their next OS and lots of people are pushing to get it in Firefox.


I want U2F 2FA as well as Yubikey 2FA. Once 2FA has made it to all browsers I will probably order some 2FA compatible Yubikeys to replace existing standard versions.

2

I believe that U2F will become adopted faster if more services implement it. Firefox won't bother putting it in their browser if nobody uses it.


cPanel could be among the early adopters of the technology!

1

It's a bad idea to implement U2F too, it's far easier and acceptable by most users. But for me it is not currently mainly adopted and requires some hardware implementation to be used. So in my opinion this isn't far away to be a priority feature request.

1

U2F is now in Firefox, but not enabled by default. https://support.yubico.com/support/solutions/articles/15000017511-enabling-u2f-support-in-mozilla-firefox

Microsoft Edge, meanwhile, now supports FIDO2 as of August 2018. https://blogs.windows.com/msedgedev/2018/07/30/introducing-web-authentication-microsoft-edge/#AGxO48gsRzCgGHfc.97

And Windows Hello supports it via an external application.

2

Please add this.


It really shouldn't have any internal changes stopping this, and it should not involve changing the current API because you should be able to extend the current auth with how you've added the OTP by just adding another adapter.


This has moved on a lot since this feature request was created three years ago and now nearly all the latest browsers have integrated either U2F (predecessor) and/or WebAuthn (successor). The only browser that still has this feature under a flag is Safari in beta versions, and they are integrating this with both macOS and iOS.

I've been leading the development of U2F/Fido2/WebAuthn internally for all our applications, and we use it for everything internally. Currently, we have to use a custom SSO around software/services that don't have this, which acts as an authentication gateway, which is out of reach for most people and not ideal for clients with a few servers.

The new standard is Web Authentication also known as WebAuthn,


Useful links



Demos and source code

Mozilla Demo website and its source code.

Google Demo website and its source code.

webauthn.org and its client source code and server source code.

1

Normally the feature for a login via YubiKey has to be a standard in such software as cPanel offers.

1

For our company, we use YubiKeys as a second and sometimes third authentication method for almost all our stuff. We have sensitive information on certain machines and if people were to gain access and obtain some of these files, it would ruin us. So currently, we store the files on a local server without internet. With the software we need to create and modify these files though, we require internet. I really want to move these files to our VPS, which runs cPanel, so certain employees do not have to physically come here to work every day. I love cPanel, but right now, I feel that is a security weakness and having support for YubiKeys would be excellent.


Please keep me updated if there are any plans to implement this or not. Our DNS registrar account was already hacked and something like YubiKey support would have prevented that attack I believe.


Thanks!!!!!

1

Must have feature!

1

I normally prefer the standard MFA since I can lose Yubikey, but I manage 10 cPanel servers (and increasing) and I sometimes need to access all 10 at a time to check if a reboot is needed (for example). Repeating 10 times the same lookup for the MFA code is reeaally tedious, so being able to just tap my Yubikey would be great!
