Two-factor authentication is a must
We really need two-factor authentication, at least for WHM login. Many sites already offer it to protect accounts from unauthorized login.
The most practical option would be something like Google Authenticator: a simple time-based one-time password (TOTP) app for Android, iPhone and BlackBerry that acts as a software security token. The secret is shared once during enrolment (typically by scanning a QR code), and from then on the app needs no network connection to generate codes.
Ideally it would work like this: the user logs in to WHM with username and password (first factor), then is asked for the six-digit code currently displayed by the mobile app (second factor). The server computes the same code from the shared secret and the current time; if the submitted code matches (allowing a step or two of clock drift), the login is permitted, otherwise it is rejected.
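Here is how that exchange would be checked on the server side, as an added example that is not part of this post or of cPanel/WHM's own code. It implements the HOTP/TOTP algorithms that Google Authenticator uses (RFC 4226 and RFC 6238) in Python, keyed with the RFCs' published test secret so the codes can be checked against the standards; the issuer string, the account name and the replay-protection scheme built around `last_used_counter` are assumptions for illustration.

```python
"""Server-side TOTP (RFC 6238) check for a second login factor.

Added example, not cPanel/WHM code. The issuer and account below are
constructed for the demo; the secret is the RFC 4226 / RFC 6238 reference
secret so the generated codes can be compared with the published test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 4226 / 6238 reference secret (ASCII "12345678901234567890"). A real
# deployment generates a random 20-byte secret per account, e.g. secrets.token_bytes(20).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to a 31-bit integer, reduced
    modulo 10**digits and zero-padded to `digits` characters."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to the number of
    `step`-second intervals since the Unix epoch. This is what the phone app shows."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int,
                last_used_counter: int = -1, step: int = 30,
                digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check of the second factor.

    Returns the time-step counter the code matched, or None if rejected.
    - `window` steps either side of "now" are accepted to tolerate phone clock skew.
    - Any counter <= `last_used_counter` is refused, so a code captured in transit
      cannot be replayed; the caller persists the returned counter per account
      (this bookkeeping is an assumption of the example, not mandated by the RFC).
    - hmac.compare_digest keeps the comparison constant-time.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = timestamp // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// key URI that authenticator apps import from a QR code during
    enrolment; the secret travels base32-encoded, without padding."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Enrolment: the URI is shown once as a QR code. "root@example.com" is constructed.
    print(provisioning_uri("WHM", "root@example.com", DEMO_SECRET))
    now = int(time.time())
    code = totp(DEMO_SECRET, now)                 # what the phone would display right now
    matched = verify_totp(DEMO_SECRET, code, now)  # login step 2 on the server
    print("code", code, "accepted at counter", matched)
    # Submitting the same code again is a replay and must be refused.
    print("replay accepted?", verify_totp(DEMO_SECRET, code, now, last_used_counter=matched))
```

The `window` of one step on each side is the usual compromise: phones drift, but a wider window also widens the time an intercepted code stays usable, which is why the example records the consumed counter and refuses anything at or below it.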
It does not need to be enabled by default, but it should be available as an optional service at least for WHM logins (root and reseller accounts) and, if the dev team's time permits, for individual cPanel accounts too.
This would make online brute-force attacks on passwords impractical and would stop a stolen or reused password from being enough on its own to log in. It is not a cure-all: a code phished from the user can still be relayed within its short validity window, so codes should also be single-use, but it raises the bar considerably.
If that is too much, the absolute easiest alternative would be to require email verification for every login. Email verification is not really two-factor authentication, but it is better than nothing.