2FA short codes -- what happens if the 2FA device is damaged lost or compromised?
When using 2FA on Root access Login, the 2FA system is an app on a mobile device that needs to be employed to generate the code.
This is fine; it's not quite true 2FA, but it's close enough.
However, if for instance the mobile device is smashed, or is stolen, or is lost, this can potentially mean that access to the WHM root account is then impossible.
Dropbox, to their credit, do employ a 2FA system which uses the same app, but which also employs showing the account holder 5-10 unique codes that each give a single short-term access [to the Dropbox account].
Can WHM/cPanel add this ability to the current WHM 2FA system so that if a mobile device is lost or stolen, then for a set number of instances (for example, 5) the user can still access the WHM root login (i.e. five separate unique 2FA codes, each permitting log in for 1 hour only, for instance)?
This can be a minor security risk, because these unique codes couldn't be time dependent; but they would only be single-use codes, generated only at the time the 2FA is turned on and then shown to the user for them to store in an appropriate manner.
These shortcodes would replace the 2FA mechanism only, and would not replace the need for password, SSH Key or similar other usual authentication mechanism, but would be a literal life saver if a mobile device is lost or damaged.
- Does cPanel have a current mechanism for handling these events? For example, cPanel can access a server based on a support request; can they access the server once the user is authenticated by them, to disable the 2FA?
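The recovery-code scheme the post asks for, as an added illustration (not cPanel/WHM code): codes are generated once at enrollment, shown once, stored server-side only as salted hashes, and each verifies at most once, which is what makes a non-time-dependent code acceptable as a fallback. Function names and the record layout are assumptions for the example.

```python
"""Single-use recovery codes as an offline fallback for a TOTP second factor.

Constructed illustration, not cPanel/WHM code. The server keeps only salted
hashes of the codes; the plaintext is shown to the user exactly once.
"""
import hashlib
import hmac
import secrets

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no look-alike characters


def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are short, so a slow KDF matters: plain SHA-256 of a 10-char
    # code would be cheap to brute-force if the hash store leaked.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def generate_recovery_codes(count: int = 5, length: int = 10):
    """Return (plaintext codes to show the user once, hashed records to store)."""
    plain, stored = [], []
    for _ in range(count):
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        plain.append(code)
        stored.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return plain, stored


def redeem_recovery_code(stored, candidate: str) -> bool:
    """Consume a code. Returns True at most once per valid code."""
    candidate = candidate.strip().lower().replace("-", "")
    for rec in stored:
        if rec["used"]:
            continue
        if hmac.compare_digest(_hash_code(candidate, rec["salt"]), rec["hash"]):
            rec["used"] = True  # burn it: replaying the same code must fail
            return True
    return False


def remaining(stored) -> int:
    """How many unused codes are left; warn the user when this gets low."""
    return sum(1 for rec in stored if not rec["used"])
```

Because the codes are not time-bound, the only protection against reuse is the `used` flag, so it must be persisted atomically with the login attempt.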
I don't understand how it's not 2FA? By definition it is. If you haven't enabled 2FA for the API, you can remove 2FA for the root user using that: Remove 2FA settings. You can also disable 2FA entirely on the server:
I did see the feature request come in and got that approved, and I'll add it to the agenda for today!
Thanks @cPRex. To be fair, @DennisMidjord does raise a good bit of documentation about disabling the 2FA from the command line, which I was not aware of, and hopefully this would be a suitable workaround should this event occur. Thanks!