
Webmail 2FA

Mike A shared this idea 4 years ago
Open Discussion

As we know, cPanel has Two-Factor Authentication now; however, the Webmail login and accounts don't. I've never seen this done, but surely this isn't impossible. This would be good for securing accounts via the Webmail login for things that are used for financial institutions, etc.

Comments (15)

1

Doesn't POP/IMAP/SMTP also use the same passwords as webmail? That would mean users would need to enter an OTP (where exactly?) every time they try to send/read mail using other email clients which have no concept of 2FA. Or am I understanding your concept wrong?

1

If we added 2FA to the Webmail interface, we would be taking mail applications (especially across so many devices) into consideration when implementing the feature. I can think of a couple of ways other providers have worked around it, but ultimately it would be up to the feature team that implements the change to decide how we go about it.

1

Hi Benny, Anything new? I think it's important to have a second barrier to massive login attacks on email accounts. :)

1

No updates yet, but if there is we'll definitely let everyone know here. :)

1

Hi Benny, any news about this? Now more than ever it is necessary to have protected emails and data. There's a plugin for Roundcube for Yubico's key, but I haven't had time to test it yet.


A more centralized option for an email account, and not the webmail app, seems to me the right choice. A list of authorized devices would be the perfect companion, like Gmail and ownCloud/Nextcloud work. That way anyone can generate a strong password for each unique device, and force webmail apps behind U2F.

1

No news yet, unfortunately. Like always, if there's any movement I'll be back to let everyone know!

1

Hi, any news yet? Many users have problems with the filters added in webmail using stolen email login data... and it's not a new problem: https://forums.cpanel.net/threads/how-do-you-disable-users-webmail-email-filter.146857/

1

We do hope to add support for 2FA for webmail in the future, but do not have an update at this time.

1

How about using something like Google's reCaptcha API?

2

Hello, a Captcha (such as Google's reCaptcha API) is more against brute-force attacks, but it is not 2FA. As a service provider I would prefer a GAFA-free solution, especially when we offer email services. But the fact that the GAFA *have* 2FA is an argument that moves clients away from our services to the GAFA service :-( ....

3

It is a very much needed feature for webmail; it will definitely reduce attacks on the server.

3

Google does it by using App Passwords that are assigned to specific programs like Thunderbird, Outlook, etc.


https://support.google.com/mail/answer/185833?hl=en&visit_id=636828031466693350-3030637748&rd=1

An App password is a 16-digit passcode that gives an app or device permission to access your Google Account. If you use 2-Step-Verification and are seeing a “password incorrect” error when trying to access your Google Account, an App password may solve the problem. Most of the time, you’ll only have to enter an App password once per app or device, so don’t worry about memorizing it.

I think, this is a very good solution. And we really do need 2-Factor-Authentication for webmail!

4

We can have 2FA on webmail for another reason. Someone can access Forwarders and Filters and intercept communications. We've seen it happening a lot of times. We clean up 10+ forwarders from users around cPanel servers every month. We could ask those high-risk users to use 2FA only for webmail and cPanel. They can use the normal login for email clients like Outlook or Thunderbird, but we can somehow secure the Filters and Forwarders of the accounts with this.

2

How is it that 2FA hasn't been able to be addressed at the webmail level but exists at every other web interface (WHM/cPanel)?


2FA is something that is easily implementable via roundcubemail. I've had this implemented on one of my servers for years and it hasn't interfered with POP/IMAP/SMTP access. The added verification is only implemented at the webmail level.

https://plugins.roundcube.net/packages/alexandregz/twofactor_gauthenticator

1

If you do it just for webmail, someone that obtains unauthorized access to the password will just use IMAP instead. To be fully effective, you also need app-specific passwords for POP/IMAP/SMTP, or email clients that support two-factor auth.
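The split policy described in this thread (password plus an authenticator code for the webmail login, per-device app passwords for POP/IMAP/SMTP so the primary password alone is refused there) as an added illustration in Python; this is not cPanel or Roundcube code, and the account, secret and labels are constructed for the example. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step).

```python
import base64, hashlib, hmac, secrets, struct, time

TOTP_STEP = 30      # RFC 6238 time step in seconds
TOTP_DIGITS = 6

def totp(secret_b32: str, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the counter floor(at / step)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the adjacent steps to tolerate clock drift; compare in constant time."""
    return any(hmac.compare_digest(totp(secret_b32, at + d * TOTP_STEP), code)
               for d in range(-window, window + 1))

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class MailAccount:
    """Constructed model of one mailbox with a password, a TOTP secret and app passwords."""
    def __init__(self, password: str, totp_secret_b32: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.totp_secret = totp_secret_b32
        self.app_passwords = {}          # device label -> hash of its app password

    def issue_app_password(self, label: str) -> str:
        """Mint a random per-device secret, shown once (same idea as Google's App passwords)."""
        pw = secrets.token_hex(8)        # 16 hex characters
        self.app_passwords[label] = _hash(pw, self.salt)
        return pw

    def revoke_app_password(self, label: str) -> None:
        self.app_passwords.pop(label, None)

    def login(self, protocol: str, password: str, code: str = "", at=None) -> bool:
        at = int(time.time()) if at is None else at
        if protocol == "webmail":        # browser login: primary password AND a valid code
            return (hmac.compare_digest(self.pw_hash, _hash(password, self.salt))
                    and verify_totp(self.totp_secret, code, at))
        # POP/IMAP/SMTP: the primary password is refused; only a per-device app password works
        given = _hash(password, self.salt)
        return any(hmac.compare_digest(given, stored) for stored in self.app_passwords.values())
```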

1

I'll flip the position, as I'm not suggesting 2FA is warranted everywhere (though that would, as you said, be fully effective).

The reason for 2FA for webmail is that it is a web-based application and poses a more significant threat vector than IMAP, POP3 or SMTP. The webmail feature has a cPanel wrapper that is its own attack vector. Horde is another and Roundcubemail is a third. Each of those systems needs to be maintained so as to not expose vulnerabilities.

2FA in front of webmail affords you time between 0-day and cPanel fix.


BTW - I'm not suggesting that IMAP/POP/SMTP aren't threat vectors and I'm not suggesting that they are not exploitable (looking at you EXIM vulnerability :D)

1

This is a must! There are many things to protect in webmail, like filters, redirects etc..

1

In roundcube there can be plugins.

I see there is a (recent) plugin for

mmvi/twofactor_webauthn

https://packagist.org/packages/mmvi/twofactor_webauthn

Installing plugins in RoundCube doesn't seem to be very difficult, as it is done via composer:

Is there a problem if we install such (or another) plugin on cPanel's Roundcube?

OK, I suppose it will be overwritten when cPanel applies updates, but there must be a post-update hook that could trigger a re-install script for the plugins.

Or am I overlooking some problems?

Best regards, Marc

1

Any updates?

1

We don't have any updates at this time.

1

@cpaneltabby that sounds more like "look how we don't care about your clients' security"... Hope you realize that... It's been 4 years of cleaning filters added via webmail from hacked accounts...

2

Lordache Catalin I would suggest you please do some research on what 2FA actually is, how commonly it is deployed badly and the various logistical overheads of correctly and safely deploying 2FA to a willing customer base.


If you (or your customers) are that concerned about email security then I would suggest that you employ PGP Encrypted emails and/or simply don't use emails for secured communication. Email by its very design is NOT secure (Despite the number of organisations that pretend that it is).


Thank you.

3

Any update? More and more clients have problems, some getting scammed and having tens of thousands of euros in losses. It's nearly unacceptable to not have 2FA on a critical system like the webmail, and not even the possibility to block access to forwarders and filters from that interface... This is a HUGE problem!

1

A little background:

It needs to be noted that, despite the popularity of typical mobile phone SMS 2FA (used by social media and banks etc.), this is NOT TRUE TWO FACTOR AUTHENTICATION and only gives an illusion of security to an ignorant public.


For Webmail to have PROPER 2FA then they would need a set of unique changing random codes that are generated on a remote device given to the webmail user (typically unique key cards). This is something that is FAR BEYOND what any free webmail provider can realistically provide and is far out of scope of email security (it would be better to implement PGP Mail into email which is far easier to deploy).


2FA using SMS messages is deeply unsafe and worryingly common. SMS can be easily intercepted by a 3rd party, as they are completely insecure, and most people accessing their webmail are already doing so from a mobile device.


2FA can be pseudo-done (as WHM have already) with 3rd party apps that provide a code with a time based expiry, but this is still not quite true 2FA because the app is on the mobile device so would not be 2FA if the webmail (or WHM) is accessed from that same device.


Securing connections to email using the common 2FA methods (apps/SMS) is not the way to do it; using something like SSH keys or 3rd party key cards is a better approach, but then it comes with some serious shortfalls: it requires some technical knowledge from the end user as well as logistical overheads, and it also limits access by any parent account holder (such as a WHM root user accessing a cPanel email account).

1

While Authenticator apps aren’t the most secure 2FA, they are by far the most secure, simple, method of implementing 2FA. If your phone is unlocked and stolen, you pretty much have access to the mail without needing to log back in (if they use the OS mail application).

They do however satisfy the 3rd factor in securing access (who you are - username, something you know - password, something you have - 2FA code generated by the app on your phone). I don’t think anyone expects our customers to purchase Yubi Keys, so this is an acceptable compromise. In any case, as it stands, there is no 2FA, which is NOT industry best practice.

As mentioned, SMS messages do not constitute a secure 2nd factor. Additionally, sending an email code is useless because it’s the very email they are trying to access.


One additional feature cPanel could add is a recovery email address that doesn’t resolve to the mail server, but even there, if that got compromised...

1

This really shouldn't be hard to implement. When someone tries to access IMAP, SMTP, webmail, or anything that connects to the email server, if they are not already authenticated for that device/session then a text is sent to their phone (or an app on their phone can open) asking them if they authorized the access. They respond yes and then the system allows traffic to that device for either that session or a period of time. Then it doesn't matter if the computer has a program like Outlook, or if the customer is connecting with a webmail client, or which webmail client.

1

Please NO! SMS is not secure. Industry best practice is to NOT send any SMS codes. Email to a backup address is better than SMS, but not by much.

1

I'd like to point out that "Do all your employees require two-factor authentication to access their email?" is now turning up in external security audits. We had a client who required it of us in order to supply services. No amount of arguing that it's less secure or invalid is going to beat a standardised ISO/PCI/SSAE/ISAE/SOC (whatever takes your fancy) security assessment.

1

Roundcube has 2FA plugins, IMHO it would be a good "first step" to enable the 2FA for just RC.
