Webmail 2FA

Mike A shared this idea 4 years ago
Open Discussion

As we know, cPanel has Two-Factor Authentication now; however, the Webmail login and accounts don't. I've never seen this done, but surely this isn't impossible. This would be good to secure accounts via Webmail login for things that are used for financial institutions, etc.

Comments (11)

1

Doesn't POP/IMAP/SMTP also use the same passwords as webmail? That would mean users would need to enter an OTP (where exactly?) every time they try to send/read mail using other email clients which have no concept of 2FA. Or am I understanding your concept wrong?

1

If we added 2FA to the Webmail interface we would be taking mail applications (especially across so many devices) into consideration when implementing the feature. I can think of a couple of other providers that have ways around it, but ultimately it would be up to the feature team that implements the change to decide how we go about it.

1

Hi Benny, Anything new? I think it's important to have a second barrier to massive login attacks on email accounts. :)

1

No updates yet, but if there is we'll definitely let everyone know here. :)

1

Hi Benny, any news about this? Now more than ever it is necessary to have protected emails and data. There's a plugin for Roundcube for Yubico's Key, but I haven't had time to test it yet.

A more centralized option for an email account, and not the webmail app, seems to me the right choice. A list of authorized devices would be the perfect companion, like Gmail and ownCloud/Nextcloud work. That way anyone can generate a strong password for each unique device, and force webmail apps behind U2F.

1

No news yet, unfortunately. Like always, if there's any movement I'll be back to let everyone know!

1

Hi, any news yet? Many users have problems with the filters added in webmail using stolen email login data... and it's not a new problem: https://forums.cpanel.net/threads/how-do-you-disable-users-webmail-email-filter.146857/

1

We do hope to add support for 2FA for webmail in the future, but do not have an update at this time.

1

How about using something like Google's reCaptcha API

1

Hello, a Captcha (such as Google's reCaptcha API) is more of a defence against brute-force attacks, but it is not 2FA. As a service provider I would prefer a GAFA-free solution, especially when we offer email services. But the fact that the GAFA *have* 2FA is an argument that moves clients away from our services to the GAFA services :-( ...

3

It is a very much needed feature for webmail; it will definitely reduce attacks on the server.

3

Google does it by using App Passwords, which are assigned to specific programs like Thunderbird, Outlook, etc.

https://support.google.com/mail/answer/185833?hl=en&visit_id=636828031466693350-3030637748&rd=1

An App password is a 16-digit passcode that gives an app or device permission to access your Google Account. If you use 2-Step-Verification and are seeing a “password incorrect” error when trying to access your Google Account, an App password may solve the problem. Most of the time, you’ll only have to enter an App password once per app or device, so don’t worry about memorizing it.

I think, this is a very good solution. And we really do need 2-Factor-Authentication for webmail!

4

We can have 2FA on webmail for another reason. Someone can access Forwarders and Filters and intercept communications. We've seen it happening a lot of times. We clean up 10+ forwarders from users around cPanel servers every month. We could ask those high-risk users to use 2FA only for webmail and cPanel. They can use normal login for e-mail clients like Outlook or Thunderbird, but we can somehow secure the Filters and Forwarders of the accounts with this.

2

How is it that 2FA hasn't been able to be addressed at the webmail level but exists at every other web interface (WHM/cPanel)?


2FA is something that is easily implementable via roundcubemail. I've had this implemented on one of my servers for years and it hasn't interfered with POP/IMAP/SMTP access. The added verification is only implemented at the webmail level.

https://plugins.roundcube.net/packages/alexandregz/twofactor_gauthenticator

1

If you do it just for webmail, someone that obtains unauthorized access to the password will just use IMAP instead. To be fully effective, you also need app-specific passwords for POP/IMAP/SMTP, or email clients that support two-factor auth.

1

I'll flip the position, as I'm not suggesting 2FA is warranted everywhere (though that would, as you said, be fully effective).

The reason for 2FA for webmail is that it is a web-based application and poses a more significant threat vector than IMAP, POP3 or SMTP. The webmail feature has a cPanel wrapper, which is its own attack vector. Horde is another, and Roundcubemail is a third. Each of those systems needs to be maintained so as not to expose vulnerabilities.

2FA in front of webmail affords you time between 0-day and cPanel fix.


BTW - I'm not suggesting that IMAP/POP/SMTP aren't threat vectors and I'm not suggesting that they are not exploitable (looking at you EXIM vulnerability :D)

1

This is a must! There are many things to protect in webmail, like filters, redirects, etc.

1

In roundcube there can be plugins.

I see there is a (recent) plugin for

mmvi/twofactor_webauthn

https://packagist.org/packages/mmvi/twofactor_webauthn

Installing plugins in RoundCube doesn't seem to be very difficult, as it is done via composer.

Is there a problem if we install such a plugin (or another one) on the cPanel Roundcube?

OK, I suppose it will be overwritten when cPanel applies updates, but there must be a post-update hook that could trigger a re-install script for the plugins.

Or am I overlooking some problems?

Best regards, Marc

1

Any updates?

1

We don't have any updates at this time.

1

Any update? More and more clients have problems, some getting scammed and having tens of thousands of euros in losses. It's nearly unacceptable not to have 2FA on a critical system like the webmail, and not even the possibility to block access to forwarders and filters from that interface... This is a HUGE problem!