Two-Factor Authentication

What is Two-Factor Authentication?

Two-factor authentication adds an additional layer of security by introducing a second step to your login. It takes something you know (i.e.: your password), and adds a second factor, typically something you physically have (such as your phone). Since both are required to log in, in the event an attacker obtains your password two-factor authentication would stop them for accessing your account.

Why do you need it?

Passwords are increasingly easy to compromise. They can often be guessed or leaked, they usually don’t change very often, and despite advice otherwise, many of us have favorite passwords that we use for more than one thing. So Two-factor authentication gives you additional security because your password alone no longer allows access to your account. How does it work?

There are many different options available, and in WHMCS we support more than one so you have the choice. But one of the most common and simplest to use is time based one-time passwords. With these, in addition to your regular username & password, you also have to enter a 6 digit code that changes every 30 seconds. Only your token device (typically a mobile smartphone) will know your secret key, and be able to generate valid one time passwords for your account. And so your account is far safer.

Duo-Security

Duo Security enables your users to secure their logins and transactions using their smartphones. The Duo Mobile smartphone application is free and available on all major smartphone platforms, and lets users easily generate passcodes without the cost and hassle of hardware tokens. iPhone, Android, BlackBerry, and Windows Phone users can use Duo Push which “pushes” login or transaction details to the phone, allowing for immediate, one-tap approval.

Older devices like cellphones and landlines are also fully supported. Duo can send passcodes via text message, or place a phone call - users just press a button on their keypad to authenticate.

Secure & Reliable

Duo Security takes security, reliability, and privacy very seriously. The service operates completely independently from primary authentication, which mean that Duo never sees users’ passwords or any personally identifying information. Duo is hosted by PCI DSS Level 1- and ISO 27001â€‘certified, SAS70 Type IIâ€‘audited service providers, across multiple geographic regions and independent power grids.

Time Based Tokens

WHMCS’ Time Based Tokens work with any OATH software such as Google Authentication for Android, or Apple’s OATH Token App for example. Once activated, users will be required to provide a second form of Authentication that only they have access to. This Authentication comes in the form of a 6 digit passcode that expires every 30 seconds.

How does it work?

Upon initial signing once Token Based Two Factor Authentication is actived, users will be presented with a QR code to scan using their smartphone or tablet device. Once this is scanned, their device will then store authorization to generate a pass code and authentication to your WHMCS installation. Every 30 seconds, a new 6 digit code will be generated through their OATH application of choice which will be used as their second form of Authentication during login to your WHMCS.

Yubikey Authentication

A YubiKey is a One-Time Password (OTP) generator device. It generates a unique sequence of characters as an OTP every time its button is pressed. As the term suggests, a One-Time Password is valid only for a single use and cannot be used again for authentication. YubiKeys are typically used in implementing strong two-factor authentication solutions which provide much stronger security when compared to using only a username and password. The YubiKey supports multiple types of configurations and may be used to generate One-Time Passwords as well as static passwords