Blog

Blesta 3.4: Now Available

December 29, 2014 | Posted by Paul


Three.Four is here and it includes a lot of great new features.

We have been working hard on 3.4 and it’s now available. If you haven’t purchased yet, now is a great time to buy: there are new features, and a promo runs until the end of the year. All owned license purchases get a free addon company (we’ll add it for you within 24 hours of license purchase). This offer expires on Dec 31, 2014, just a few short days away, so be sure to take advantage of it right now.

Download 3.4

See the documentation for details on how to install or upgrade.

What’s new in 3.4?

  • Knowledge Base
  • Contact Logins w/Permissions
  • Two-Factor Auth for Clients & Contacts

And more, see the changelog!

If you are upgrading and plan to use the Knowledge Base, you’ll need to add the proper markup to the portal under Settings > Company > Plugins by clicking the “Manage” button for the Portal plugin. Look for the code that displays the ticket system, and replace it with the following:

    {% if plugins.support_manager.enabled %}<div class="col-md-4 col-sm-6 portal-box">
        <a href="{client_url}plugin/support_manager/client_tickets/add/">
            <div class="well">
                <i class="fa fa-ticket fa-4x"></i>
                <h4>Support</h4>
                <p>Looking for help? You can open a trouble ticket here.</p>
            </div>
        </a>
    </div>
    <div class="col-md-4 col-sm-6 portal-box">
        <a href="{client_url}plugin/support_manager/knowledgebase/">
            <div class="well">
                <i class="fa fa-info fa-4x"></i>
                <h4>Knowledge Base</h4>
                <p>Have a question? Search the knowledge base for an answer.</p>
            </div>
        </a>
    </div>{% endif %}

If upgrading, we suggest enabling a new security feature for Staff Groups that logs out Staff if their IP address changes, preventing a possible attacker from using a stolen cookie. This is the default option for new installations, but must be enabled for existing Staff Groups if upgrading. To enable it, visit Settings > System > Staff > Staff Groups, edit the staff groups and check the “Log Out On IP Address Change” box, then log out and log back in. Thanks to Rack911 for the suggestion.
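The effect of that setting can be seen in a small sketch. This is an added example, not Blesta's code: `SessionStore`, `replay_scenario`, the user name and the documentation-range IP addresses are all hypothetical, and it assumes the session is destroyed server-side when the address no longer matches.

```python
import secrets


class SessionStore:
    """In-memory session table; each session remembers the IP it was created from."""

    def __init__(self, logout_on_ip_change: bool = True):
        self.logout_on_ip_change = logout_on_ip_change
        self._sessions = {}  # session id -> {"user": ..., "ip": ...}

    def login(self, user: str, ip: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[sid] = {"user": user, "ip": ip}
        return sid

    def authenticate(self, sid: str, ip: str):
        """Return the user for a valid cookie, or None if it is unknown or was ended."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self.logout_on_ip_change and session["ip"] != ip:
            # Destroy the session itself, so the cookie is dead from every address.
            del self._sessions[sid]
            return None
        return session["user"]


def replay_scenario(logout_on_ip_change: bool):
    """Constructed scenario: a staff cookie is replayed from a second address."""
    store = SessionStore(logout_on_ip_change)
    cookie = store.login("staff1", "203.0.113.10")       # staff member logs in
    thief = store.authenticate(cookie, "198.51.100.7")   # same cookie, other IP
    owner = store.authenticate(cookie, "203.0.113.10")   # owner's next request
    return thief, owner


if __name__ == "__main__":
    print("option on :", replay_scenario(True))
    print("option off:", replay_scenario(False))
```

The check does nothing against a replay from the same address (for example from behind a shared NAT), and staff whose address changes legitimately will have to log in again.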

What’s next?

We have the following features planned for 3.5:

  • Upgrades/Downgrades for Configurable Options
  • SolusVM Improvements
  • And..? Stay tuned.

We do our best to prioritize development based on demand. Is there a feature you really want to see in a future release? Let us know on our feature requests forum!

After 3.5 will most likely come 4.0. 4.0 will raise the minimum PHP requirement to PHP 5.3. It’s not good to run PHP versions that are EOL, so be sure to upgrade if you haven’t already. We recommend PHP 5.5.

The entire Blesta team wishes you a very prosperous 2015!

Two-factor Authentication: Why you need it

March 1, 2013 | Posted by Cody


Financial advisory firm, Deloitte, recently published an article detailing the ever expanding need for two-factor authentication. They predict that, “a number of technology and telecommunication companies will likely implement some form of multifactor authentication with their services, software and/or devices in 2013.” I see this less as a prediction and more of an advanced report of the facts, since we had the same notion back in 2010 when we announced two-factor authentication for Blesta.

Deloitte’s predictions go even further, stating that passwords that were previously considered secure (8-characters of mixed case, numbers, letters, and symbols) are now vulnerable to hackers, primarily due to password reuse and the use of graphics cards (GPUs) to perform dictionary attacks. Personally, I’ve never found those types of passwords to be very secure. After all, we know that password security is derived from entropy (randomness) and entropy increases with length. So rather than trying to remember 8 to 10 character passwords with letters, numbers, and symbols that have no meaning, why not simply use a long natural password? Bonus points if your language of choice is not typical of the application’s audience. Extra bonus points if it’s a dead/non-existent language. Anata no o pasuwado wa nan desu ka?

Password Entropy Explained
Comic by xkcd / CC BY 2.5

Of course, what’s more secure than a secure password? How about a password that changes every time you use it? “How could I possibly keep track of that,” you might ask? That’s where two-factor authentication takes over.

Time-Based One-Time Passwords (TOTP) are generated using an algorithm that produces a pseudo-random value based on any given moment in time (remember, randomness = good). The benefit of using two-factor authentication is that you need not put all your trust into the security of your password. Random token generators (or apps for your smartphone) can produce a one-time password that’s used in combination with your standard password and, as the name suggests, is used only once. That means that even an attacker who knows your password and knows the token you just used to log in to your account still can’t use the information to log in as you.

Blesta 3.0: Staff Login

February 10, 2012 | Posted by Paul


We’ve shown you a fair amount of the staff interface, but I want to show you the staff login page today. Overall, this video touches on three things:

  1. Staff Login Page: This is a first, no one outside our team has seen this login page before now.
  2. Two-Factor Authentication: This was originally developed for v3, then back-ported to 2.5.
  3. Resource Preservation: Session expire? Blesta remembers where you were headed.

The staff login page has previously never been shown, although I designed it before much of the interface. Two-Factor Authentication was originally developed early on for v3, and then back-ported to 2.5. As far as we know, no one else supports two-factor authentication, making Blesta uniquely secure. We don’t blame them though; it took plenty of R&D and most solutions are proprietary. Resource preservation is just a fancy term we coined to say that Blesta remembers where you were going, and takes you back there if your session expires and you get logged out and log in again.

The video is below. As usual, you can make the video full screen, and be sure to turn on your sound.

Note: Cody tells me, and I realized after that OATH is pronounced “oath”, not “oh-auth”, which is something completely different.