Difference between revisions of "Two-Factor Authentication"

From WHMCS Documentation

Previous revision (33 intermediate revisions by 10 users not shown):
==What is Two-Factor Authentication?==

Two-factor authentication adds an additional layer of security by introducing a second step to your login. It takes something you know (i.e., your password) and adds a second factor, typically something you physically have (such as your phone). Since both are required to log in, two-factor authentication would stop an attacker who obtains your password from accessing your account.

===Why do you need it?===

Passwords are increasingly easy to compromise. They can often be guessed or leaked, they usually don't change very often, and despite advice otherwise, many of us have favorite passwords that we use for more than one thing. Two-factor authentication gives you additional security because your password alone no longer allows access to your account.

===How does it work?===

There are many different options available, and WHMCS supports more than one so that you have the choice. Here's a brief overview of the different types:

====DuoSecurity====

DuoSecurity will prompt you for a phone number and the option to receive a text message or phone call. After you receive the text or call, enter the authentication code to proceed.

A second, optional page at initial login will prompt you to download the DuoSecurity mobile application, which delivers push notifications that let you allow or restrict access under your user from your phone.

====Time Based One-Time Passwords====

Time-based one-time passwords require downloading an OATH application onto your smartphone or tablet, and optionally a barcode reader.

Once activated, a pop-up screen will present a QR code, along with an optional manual code to enter into your smartphone or tablet. Once scanned or entered, a time-based one-time password will appear within your OATH application, providing the second form of verification used to log in.

Additionally, a backup code is presented, which you should store in case your smartphone or tablet is not accessible and you wish to gain access to WHMCS.

====YubiKey====

YubiKey creates a one-time password stored within a USB drive that acts as a keyboard to your computer. These are physical devices that need to be purchased from Yubico directly. A purchase link is available inside WHMCS.

For more information on the different types of two-factor authentication WHMCS supports, please refer to http://www.whmcs.com/two-factor/

==Configuration==

[[File:2factor1.png|thumb|Yubico Configuration]]

Begin by navigating to '''Setup > Staff Management > Two-Factor Authentication''' and click the "Activate" button next to the type of two-factor authentication you wish to use.

The Duo Security and TOTP options both require a subscription before they can be configured, so instead of an Activate button you will see a '''Subscribe To Activate''' button. Click this to be taken to the relevant signup page. Once the purchase has been completed, return to the Two-Factor Authentication page to continue the configuration process.

'''Note:''' Duo Security and TOTP services are currently manually activated, so please await confirmation of activation via email before proceeding further.

Once activated, you will be presented with a number of options. Please fill these in with the account details from your welcome email. Some options are common to all auth methods:

===Enable for Clients===

[[File:2factor2.png|thumb|Enable for Clients]]

Ticking this option will allow clients to individually enable Two-Factor Authentication of their own accord via the client area. Once activated, they will need to complete two-factor authentication each time they log in.

Clients activate it via the My Details page of the client area; in the default template this is located under the "Security Settings" tab. They simply click the '''Click here to enable''' button beneath the "Two-Factor Authentication" heading and follow the on-screen instructions.

Should a client decide to disable two-factor authentication at a later date, they can simply click the '''Click here to disable''' button, which will appear in the same location.

===Enable for Staff===

[[File:2factor3.png|thumb|Enable for Staff]]

Ticking this option will allow staff to individually enable Two-Factor Authentication of their own accord via the admin area. Once activated, they will need to complete two-factor authentication each time they log in.

Staff activate it via the My Account page of the admin area (link in the top-left corner of every page). They simply click the '''Click here to enable''' button and follow the on-screen instructions.

Should a member of staff decide to disable two-factor authentication at a later date, they can simply click the '''Click here to disable''' button, which will appear in the same location.

==Force Settings==

On the left-hand side of the Two-Factor Authentication page are two Force Settings. Ticking these options will require clients and/or staff to configure two-factor authentication upon their next login: they will be presented with a prompt showing the two-factor authentication instructions and will not be able to proceed until registration is complete.

Latest revision as of 17:04, 7 February 2024

==What is Two-Factor Authentication?==

Two-Factor Authentication adds a layer of security by adding a second step to the login process. It takes something you know (for example, your password) and adds a second factor, typically from something you have (such as your phone). Requiring both to log in decreases the threat of a leaked password.

You can access this feature at '''Configuration (<i class="fa fa-wrench" aria-hidden="true"></i>) > System Settings > Two-Factor Authentication''' or, prior to WHMCS 8.0, '''Setup > Staff Management > Two-Factor Authentication'''.

WHMCS includes three Two-Factor Authentication services.

===Time-Based Tokens===

With Time-Based Tokens, you enter a 6-digit code that regenerates every 30 seconds in addition to your regular username and password. Only your token device (typically a mobile smartphone app) will have your secret key and be able to generate valid one-time passwords for your account.

We recommend enabling Time-Based Tokens, and WHMCS enables this by default.

===DuoSecurity===

With DuoSecurity, the system will prompt you for a phone number. It will then prompt you to verify your identity using a push notification on your mobile device.

<div class="docs-alert-info">
* Duo has announced that support for the previous iframe-based Duo Prompt will [https://duo.com/docs/universal-prompt-update-guide end on March 30, 2024]. Duo Security will '''not''' function in WHMCS 8.8 and earlier after this date.
* After you upgrade to WHMCS 8.9 or later, we recommend activating [https://guide.duo.com/universal-prompt Duo Universal Prompt] in your Duo customer portal to ensure continued functionality.
</div>

For more information, see [[Duo Security]].

===YubiKey===

YubiKey creates a one-time password in a USB drive that acts as a keyboard to your computer. These are physical devices that you must purchase [https://www.yubico.com/ from Yubico directly].

==Enabling Two-Factor Authentication==

[[File:2FA_006.png|thumb|Time Based Tokens Configuration]]

To enable Two-Factor Authentication, follow the steps below:

# Click '''Activate''' under the service that you would like to enable.
# Select one or both of '''Enable for use by Clients''' and '''Enable for use by Administrative Users'''.
# If applicable, configure any additional '''Configuration Settings'''.
# Click '''Save'''.

You can repeat these steps for each service that you want to enable.

[[File:2FA_001.png|border|800px]]

===Global Two-Factor Authentication Settings===

The '''Global Two-Factor Authentication Settings''' options allow you to forcibly enable Two-Factor Authentication for Accounts, Users, and Admins on their next login.

To use this feature, select your options and click '''Save Changes'''. If a user has not yet configured Two-Factor Authentication, the system will force them to do so the next time they sign in to WHMCS.

[[File:2FA_002.png|border|800px]]

==Using Two-Factor Authentication==

Client accounts, users, and admins can begin to use Two-Factor Authentication after you have activated one or more services and configured the installation.

For more information, see [[Using Two-Factor Authentication]].

==Lost/Unavailable Device==

[[Two-Factor Authentication]] requires a secondary device in order to log in. Because of this, some users will inevitably need help when their device is lost or otherwise unavailable.

For more information, see [[Logging In Without Your Two-Factor Authentication Device]].

==Troubleshooting==

====The code you entered did not match what was expected. Please try again.====

Seeing this error when using the Time-Based Token method means that the six-digit code your device generated does not match the six digits WHMCS expected. Usually, this indicates that the time on your device (for example, your phone or tablet) and the time on the WHMCS server differ.

You can see the time in the top-right corner of your WHMCS Admin Area. It is taken directly from your server's PHP configuration. You must ensure that the server time is correct and that the time on your device matches the server time. For example, if the server time is 00:01 and the time on your device is 00:00, you will see this error. In that scenario, you must change the time on your device to 00:01 so that they both match.

Syncing the server with [http://en.wikipedia.org/wiki/Network_Time_Protocol NTP] to ensure the time is exactly right may also help to resolve this. Most servers will revert to the internal hardware clock on boot or reboot, so you will need to sync any changes from NTP to the hardware clock.

The token calculation accounts for time zone differences, so they are unlikely to cause problems.

====The second factor you supplied was incorrect. Please try again.====

Seeing this error when activating the DuoSecurity method for the first time indicates that the entered code does not match what DuoSecurity expects. This indicates that the time on your server does not match DuoSecurity's clocks.

You can see the time in the top-right corner of your WHMCS admin area. It is taken directly from your server's PHP configuration. You must make sure to sync the server time exactly with UTC. For example, if the server time is 00:01 and the time at DuoSecurity is 00:00, you will see this error.

Syncing the server with [http://en.wikipedia.org/wiki/Network_Time_Protocol NTP] to ensure the time is exactly right will resolve this. Most servers will revert to the internal hardware clock when they boot or reboot, so you will need to sync any changes from NTP to the hardware clock.

Because the comparison is made against UTC, time zone differences are unlikely to cause problems.
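Both troubleshooting entries above come down to clock agreement between the device and the server. The following Python is an added example, not WHMCS code or code from the WHMCS documentation: it reproduces the Time-Based Token calculation (RFC 6238 TOTP over RFC 4226 HOTP, HMAC-SHA1, 30-second step, 6 digits) using the RFC's published test secret, and shows why a device clock at 00:00 and a server clock at 00:01 yield different codes while the same instant written in two different time zones yields the same code. The `window` parameter of `verify_totp` is an assumption about a common server-side tolerance for small drift, not WHMCS's documented behaviour; the timestamps are constructed for the demonstration.

```python
"""TOTP (RFC 6238) walk-through: how clock skew between a token device and the
server produces a code mismatch, and why time zones do not.  Added example,
not WHMCS code.  Uses the RFC 6238 / RFC 4226 reference secret."""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

STEP_SECONDS = 30   # the 30-second regeneration interval described on the page
DIGITS = 6          # the 6-digit code described on the page

# Reference secret from the RFCs (ASCII "12345678901234567890").  A real
# deployment uses the random secret delivered in the enrolment QR code.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps.
    Unix time is zone-independent, which is why time zones never matter."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, server_time: int,
                window: int = 0) -> bool:
    """Server-side check.  window=0 is the exact match the page describes;
    window=1 also accepts the previous and next 30-second step, a common
    drift tolerance (assumed here, not WHMCS's documented behaviour)."""
    base = server_time // STEP_SECONDS
    candidates = [base + d for d in range(-window, window + 1) if base + d >= 0]
    return any(hmac.compare_digest(hotp(secret, c), submitted) for c in candidates)


def skew_demo() -> dict:
    """Device clock at 00:00:30 and server clock at 00:01:30 (constructed
    timestamps, 60 s apart): two steps of skew, so the codes differ and even
    a +/-1-step window does not help.  A 40 s skew (server at 00:01:10) still
    fails the exact check but falls inside the window."""
    device_time = 30    # constructed: 1970-01-01 00:00:30 UTC
    server_time = 90    # constructed: 1970-01-01 00:01:30 UTC
    device_code = totp(TEST_SECRET, device_time)
    return {
        "device_code": device_code,
        "server_code": totp(TEST_SECRET, server_time),
        "skew_steps": (server_time - device_time) // STEP_SECONDS,
        "accepted_exact": verify_totp(TEST_SECRET, device_code, server_time),
        "accepted_with_window_1": verify_totp(TEST_SECRET, device_code,
                                              server_time, window=1),
        "accepted_40s_drift_window_1": verify_totp(TEST_SECRET, device_code,
                                                   70, window=1),
    }


def timezone_demo() -> tuple:
    """The same instant written in UTC and in UTC+05:30 has one Unix time and
    therefore one code: a time zone difference is not a clock difference."""
    utc_instant = datetime(2009, 2, 13, 23, 31, 30, tzinfo=timezone.utc)
    ist = timezone(timedelta(hours=5, minutes=30))
    local_instant = datetime(2009, 2, 14, 5, 1, 30, tzinfo=ist)
    return (totp(TEST_SECRET, int(utc_instant.timestamp())),
            totp(TEST_SECRET, int(local_instant.timestamp())))


if __name__ == "__main__":
    print("skew:", skew_demo())
    print("time zones:", timezone_demo())
```

Run it to see the 60-second skew case reject the device's code under both checks while the time-zone case produces identical codes; the practical takeaway matches the page's advice, which is to fix the clocks (NTP on the server, automatic time on the device) rather than the time zone.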