Difference between revisions of "Two-Factor Authentication"

From WHMCS Documentation

(Added Lost/Unavailable Device section)
Line 1: Line 1:
 
==Introduction==
 
==Introduction==
Two-Factor Authentication adds a layer of security by adding a second step to the login process. It takes something you know (for example, your password) and adds a second factor, typically something you have (such as your phone). Since you require both to log in, this decreases the threat of a leaked password.
+
 
+
Two-Factor Authentication adds a layer of security by adding a second step to the login process. It takes something you know (for example, your password) and adds a second factor, typically from something you have (such as your phone). Requiring both to log in decreases the threat of a leaked password.
 +
 
 
WHMCS includes three Two-Factor Authentication services.
 
WHMCS includes three Two-Factor Authentication services.
 
   
 
   
===Time Based Tokens===
+
===Time-Based Tokens===
 
   
 
   
One of the most common and simplest forms of Two-Factor Authentication is Time Based Tokens. With Time Based Tokens, you enter a 6-digit code that regenerates every 30 seconds in addition to your regular username and password. Only your token device (typically a mobile smartphone app) will have your secret key and be able to generate valid one-time passwords for your account. We recommend enabling Time Based Tokens, and WHMCS enables this by default.
+
With Time-Based Tokens, you enter a 6-digit code that regenerates every 30 seconds in addition to your regular username and password. Only your token device (typically a mobile smartphone app) will have your secret key and be able to generate valid one-time passwords for your account.  
 +
 
 +
We recommend enabling Time-Based Tokens, and WHMCS enables this by default.
 
   
 
   
 
===DuoSecurity===
 
===DuoSecurity===
Line 30: Line 33:
 
# Click '''Save'''.
 
# Click '''Save'''.
 
   
 
   
You can repeat these steps for each service that you would like to enable.
+
You can repeat these steps for each service that you want to enable.
 
   
 
   
 
[[File:2FA_001.png|border|800px]]
 
[[File:2FA_001.png|border|800px]]
Line 44: Line 47:
 
==Using Two-Factor Authentication==
 
==Using Two-Factor Authentication==
 
   
 
   
Accounts, Users, and Admins can begin to use Two-Factor Authentication after you have activated one or more services and configured the installation.
+
Client accounts, users, and admins can begin to use Two-Factor Authentication after you have activated one or more services and configured the installation.
 
   
 
   
 
===Within the Client Area===
 
===Within the Client Area===
Line 50: Line 53:
 
[[File:2fa-disabled.png|border|800px]]
 
[[File:2fa-disabled.png|border|800px]]
 
   
 
   
To set up Two-Factor Authentication using '''Time Based Tokens''':
+
To set up Two-Factor Authentication using Time-Based Tokens:
 
   
 
   
 
# From the Client Area, navigate to '''Hello, Name! > Security Settings'''.
 
# From the Client Area, navigate to '''Hello, Name! > Security Settings'''.
Line 66: Line 69:
 
<div class="docs-alert-info">
 
<div class="docs-alert-info">
 
<span class="title">Disable Two-Factor Authentication for Users</span><br />
 
<span class="title">Disable Two-Factor Authentication for Users</span><br />
In WHMCS 8.0 and later, Admins can disable (but not enable) Two-Factor Authentication for users at '''Clients > [[Manage_Users]]'''.
+
In WHMCS 8.0 and later, admins can disable (but not enable) Two-Factor Authentication for individual users at '''Clients > [[Manage_Users]]'''.
 
</div>
 
</div>
  
Line 73: Line 76:
 
[[File:2FA_005.png|thumb|Configuring Time Based Tokens in Admin Area]]
 
[[File:2FA_005.png|thumb|Configuring Time Based Tokens in Admin Area]]
 
   
 
   
Admins can perform the following actions to set up Two-Factor Authentication on their accounts using the '''Time Based Tokens''' service:
+
Admins can perform the following actions to set up Two-Factor Authentication on their accounts using the '''Time-Based Tokens''' service:
 
   
 
   
 
# From the Admin Area, navigate to '''Account > My Account''' or, prior to WHMCS 8.0, '''My Account'''.
 
# From the Admin Area, navigate to '''Account > My Account''' or, prior to WHMCS 8.0, '''My Account'''.
Line 88: Line 91:
  
 
==Lost/Unavailable Device==
 
==Lost/Unavailable Device==
 +
 
===Clients===
 
===Clients===
If a client needs to gain access to their account without their device, they can use the backup code provided when Two-Factor Authentication was configured. The option to '''Login using Backup Code''' is displayed at the bottom of the two-factor authentication page, after logging in with the email address and password. If the backup code is not available, Two-Factor Authentication would need to be disabled for their account within the Admin Area. This can be disabled via '''Clients > Manage Users > Manage User''' or, prior to WHMCS 8.0, '''Clients > View/Edit Clients > click on the required client > Profile tab'''.
+
 
 +
If a client needs to gain access to their account without their device, they can use the backup code that was provided when Two-Factor Authentication was configured. The option to '''Log in using Backup Code''' is displayed at the bottom of the two-factor authentication page after logging in with the email address and password.  
 +
 
 +
If the backup code is not available, Two-Factor Authentication would need to be disabled for their account within the Admin Area. This can be disabled in the client's '''Profile''' tab at '''Clients > Manage Users''' or, prior to WHMCS 8.0, '''Clients > View/Edit Clients'''.
 +
 
 
===Admins===
 
===Admins===
If an administrator needs to gain access to the Admin Area without their device, they can use the backup code provided when Two-Factor Authentication was configured. The option to '''Login using Backup Code''' is displayed at the bottom of the two-factor authentication page, after logging in with the username and password. If the backup code is not available, Two-Factor Authentication would need to be disabled directly within the database by running the following SQL command against your WHMCS database:
+
 
 +
If an administrator needs to gain access to the Admin Area without their device, they can use the backup code provided when Two-Factor Authentication was configured. The option to '''Log in using Backup Code''' is displayed at the bottom of the two-factor authentication page after logging in with the username and password.  
 +
 
 +
If the backup code is not available, Two-Factor Authentication would need to be disabled directly within the database by running the following SQL command against your WHMCS database:
 +
 
 
<div class="source-cli">
 
<div class="source-cli">
 
UPDATE tbladmins SET authmodule = &#39;&#39;, authdata = &#39;&#39; WHERE username = 'ADMIN_USERNAME';
 
UPDATE tbladmins SET authmodule = &#39;&#39;, authdata = &#39;&#39; WHERE username = 'ADMIN_USERNAME';
 
</div>
 
</div>
Please replace ''ADMIN_USERNAME'' with the admin username for which you wish to disable two-factor authentication.  
+
 
 +
Replace <tt>ADMIN_USERNAME</tt> with the admin username for which you wish to disable two-factor authentication.  
  
 
==Troubleshooting==
 
==Troubleshooting==
Line 101: Line 114:
 
====The code you entered did not match what was expected. Please try again.====
 
====The code you entered did not match what was expected. Please try again.====
 
   
 
   
Seeing this error when using the time based tokens method means that the 6 characters your device generated do not match the 6 numbers WHMCS expected. Usually, this indicates that the time on your device (for example, your phone or tablet) and on the WHMCS server are different.
+
Seeing this error when using the Time-Based Token method means that the six characters your device generated do not match the six numbers WHMCS expected. Usually, this indicates that the time on your device (for example, your phone or tablet) and on the WHMCS server are different.
 
   
 
   
You can see the time in the top-right corner of your WHMCS Admin Area. It's taken directly from your server's PHP configuration. You must ensure the server time is correct, and the time on your device matches the server time. For example, if the server time is 00:01 and the time on your device is 00:00, you will see this error. In that scenario, you must change the time on your device to 00:01 so that they both match.
+
You can see the time in the top-right corner of your WHMCS Admin Area. It's taken directly from your server's PHP configuration. You must ensure the server time is correct and the time on your device matches the server time. For example, if the server time is 00:01 and the time on your device is 00:00, you will see this error. In that scenario, you must change the time on your device to 00:01 so that they both match.
 
   
 
   
 
Syncing the server with [http://en.wikipedia.org/wiki/Network_Time_Protocol NTP] to ensure the time is exactly right may also help to resolve this. Most servers will revert to the internal hardware clock on boot or reboot, so you will need to sync any changes from NTP to the hardware clock.
 
Syncing the server with [http://en.wikipedia.org/wiki/Network_Time_Protocol NTP] to ensure the time is exactly right may also help to resolve this. Most servers will revert to the internal hardware clock on boot or reboot, so you will need to sync any changes from NTP to the hardware clock.
Line 110: Line 123:
 
   
 
   
 
====The second factor you supplied was incorrect. Please try again.====
 
====The second factor you supplied was incorrect. Please try again.====
Seeing this error when activating the DuoSecurity method for the first time means that the entered code does not match what DuoSecurity expects. This indicates that the time on your server does not match DuoSecurity's clocks.
+
 
 +
Seeing this error when activating the DuoSecurity method for the first time indicates that the entered code does not match what DuoSecurity expects. This indicates that the time on your server does not match DuoSecurity's clocks.
 
   
 
   
 
You can see the time in the top-right corner of your WHMCS admin area. It's taken directly from your server's PHP configuration. You must make sure to sync the server time exactly with UTC. For example, if the server time is 00:01 and the time at DuoSecurity is 00:00, you will see this error.
 
You can see the time in the top-right corner of your WHMCS admin area. It's taken directly from your server's PHP configuration. You must make sure to sync the server time exactly with UTC. For example, if the server time is 00:01 and the time at DuoSecurity is 00:00, you will see this error.

Revision as of 19:19, 15 September 2021

Introduction

Two-Factor Authentication adds a layer of security by adding a second step to the login process. It takes something you know (for example, your password) and adds a second factor, typically from something you have (such as your phone). Requiring both to log in decreases the threat of a leaked password.

WHMCS includes three Two-Factor Authentication services.

Time-Based Tokens

With Time-Based Tokens, you enter a 6-digit code that regenerates every 30 seconds in addition to your regular username and password. Only your token device (typically a mobile smartphone app) will have your secret key and be able to generate valid one-time passwords for your account.

We recommend enabling Time-Based Tokens, and WHMCS enables this by default.

DuoSecurity

With DuoSecurity, the system will prompt you for a phone number. It will then present an option to receive a text or phone call or, on some devices, a push notification or touch ID verification. After you receive the text or phone call, input the authentication code to proceed. A second optional page at initial login will prompt to download the DuoSecurity mobile application. This application performs push notifications, allowing you to restrict or allow access under your user from your phone.

For more information, see Duo Security.

YubiKey

YubiKey creates a one-time password in a USB drive that acts as a keyboard to your computer. These are physical devices that you must purchase from Yubico directly.

Enabling Two-Factor Authentication

Time Based Tokens Configuration

To enable Two-Factor Authentication, follow the steps below:

  1. From the Admin Area, go to Configuration () > Admin Users > Two Factor Authentication or, prior to WHMCS 8.0, Setup > Staff Management > Two-Factor Authentication.
  2. Click Activate under the service that you would like to enable.
  3. Select one or both of Enable for use by Clients and Enable for use by Administrative Users.
  4. If applicable, configure any additional Configuration Settings.
  5. Click Save.

You can repeat these steps for each service that you want to enable.

2FA 001.png

Global Two-Factor Authentication Settings

The Global Two-Factor Authentication Settings options allow you to forcibly enable Two-Factor Authentication for Accounts, Users, and Admins on their next login.

To use this feature, select your options and click Save Changes. If a user has not yet configured Two-Factor Authentication, the system will force them to the next time they sign in to WHMCS.

2FA 002.png

Using Two-Factor Authentication

Client accounts, users, and admins can begin to use Two-Factor Authentication after you have activated one or more services and configured the installation.

Within the Client Area

2fa-disabled.png

To set up Two-Factor Authentication using Time-Based Tokens:

  1. From the Client Area, navigate to Hello, Name! > Security Settings.
  2. Click Click here to Enable.
  3. Select Time Based Tokens.
  4. Click Get Started.
  5. Scan the QR code with an authenticator app like Google Authenticator or Duo Mobile.
  6. Enter the 6-digit code that the authenticator app generates.
  7. Click Submit.
  8. Record the Backup Code in a safe place.
  9. Click Close.
Configuring Time Based Tokens in Client Area

Disable Two-Factor Authentication for Users
In WHMCS 8.0 and later, admins can disable (but not enable) Two-Factor Authentication for individual users at Clients > Manage_Users.

Within the Admin Area

Configuring Time Based Tokens in Admin Area

Admins can perform the following actions to set up Two-Factor Authentication on their accounts using the Time-Based Tokens service:

  1. From the Admin Area, navigate to Account > My Account or, prior to WHMCS 8.0, My Account.
  2. Toggle Two-Factor Authentication to On.
  3. Select Time Based Tokens.
  4. Click Get Started.
  5. Scan the QR code with an authenticator app like Google Authenticator or Duo Mobile.
  6. Enter in the 6-digit code that the authenticator app generates.
  7. Click Submit.
  8. Record the Backup Code in a safe place.
  9. Click Close.

2FA 004.png

Lost/Unavailable Device

Clients

If a client needs to gain access to their account without their device, they can use the backup code that was provided when Two-Factor Authentication was configured. The option to Log in using Backup Code is displayed at the bottom of the two-factor authentication page after logging in with the email address and password.

If the backup code is not available, Two-Factor Authentication would need to be disabled for their account within the Admin Area. This can be disabled in the client's Profile tab at Clients > Manage Users or, prior to WHMCS 8.0, Clients > View/Edit Clients.

Admins

If an administrator needs to gain access to the Admin Area without their device, they can use the backup code provided when Two-Factor Authentication was configured. The option to Log in using Backup Code is displayed at the bottom of the two-factor authentication page after logging in with the username and password.

If the backup code is not available, Two-Factor Authentication would need to be disabled directly within the database by running the following SQL command against your WHMCS database:

UPDATE tbladmins SET authmodule = '', authdata = '' WHERE username = 'ADMIN_USERNAME';

Replace ADMIN_USERNAME with the admin username for which you wish to disable two-factor authentication.

Troubleshooting

The code you entered did not match what was expected. Please try again.

Seeing this error when using the Time-Based Token method means that the six characters your device generated do not match the six numbers WHMCS expected. Usually, this indicates that the time on your device (for example, your phone or tablet) and on the WHMCS server are different.

You can see the time in the top-right corner of your WHMCS Admin Area. It's taken directly from your server's PHP configuration. You must ensure the server time is correct and the time on your device matches the server time. For example, if the server time is 00:01 and the time on your device is 00:00, you will see this error. In that scenario, you must change the time on your device to 00:01 so that they both match.

Syncing the server with NTP to ensure the time is exactly right may also help to resolve this. Most servers will revert to the internal hardware clock on boot or reboot, so you will need to sync any changes from NTP to the hardware clock.

This provides support for time zone differences, so they are unlikely to cause problems.

The second factor you supplied was incorrect. Please try again.

Seeing this error when activating the DuoSecurity method for the first time indicates that the entered code does not match what DuoSecurity expects. This indicates that the time on your server does not match DuoSecurity's clocks.

You can see the time in the top-right corner of your WHMCS admin area. It's taken directly from your server's PHP configuration. You must make sure to sync the server time exactly with UTC. For example, if the server time is 00:01 and the time at DuoSecurity is 00:00, you will see this error.

Syncing the server with NTP to ensure the time is exactly right will resolve this. Most servers will revert to the internal hardware clock when they boot or reboot, so you will need to sync any changes from NTP to the hardware clock.

This provides support for time zone differences, so they are unlikely to cause problems.