Hi,
Regarding 2FA on Blesta I have 2 suggestions that I leave below. What do you guys think?
1- On both admin and client view, when browsing to the 2FA menu/page it always shows the 2FA QR code and also the alternative text code. From my point of view this can be considered as a security flaw, because if we browse to that page on a hacked computer, the hacker can take a screenshot of the page and get the 2FA access. My suggestion here would be to hide the 2FA QR code + text code by default, and to see it we would have to click on a button with a dropdown menu that says: Show/Hide 2FA. This way we can keep 2FA info safe even when browsing to the page. This is especially important for clients that use Blesta on different computers.
2- To enable 2FA we need to also type the password. But to disable 2FA no password is needed. Any special reason for this? I think it would be a lot more secure if the password were also required to disable 2FA.
So what do you guys think? Are these valid suggestions? Any other opinion on how Blesta handles 2FA?
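The second suggestion (re-authenticating with the password before 2FA can be disabled) is a server-side check, and it is easy to show the difference between the two behaviours in code. The example below is added here and is not Blesta's code; it uses a constructed in-memory user record, a PBKDF2 password hash and a placeholder TOTP secret, all hypothetical. `disable_two_factor_unchecked` mirrors the behaviour the post describes (disable without a password), and `disable_two_factor` is the suggested change: the same password verification that already gates enabling also gates disabling.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this demo


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 (demo choice, not Blesta's scheme)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(user: dict, password: str) -> bool:
    """Constant-time comparison of the supplied password against the stored hash."""
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["pw_hash"])


def make_user(username: str, password: str) -> dict:
    """Constructed user record (hypothetical data model, not Blesta's)."""
    salt, digest = hash_password(password)
    return {"username": username, "salt": salt, "pw_hash": digest, "totp_secret": None}


def enable_two_factor(user: dict, password: str) -> bool:
    """Enabling requires the account password, as the post says Blesta already does."""
    if not verify_password(user, password):
        return False
    # Placeholder secret; a real deployment would generate a base32 TOTP secret here.
    user["totp_secret"] = secrets.token_hex(20)
    return True


def disable_two_factor_unchecked(user: dict) -> bool:
    """The behaviour the post describes: 2FA can be switched off with no re-authentication.
    Anyone holding a logged-in session can strip the second factor from the account."""
    user["totp_secret"] = None
    return True


def disable_two_factor(user: dict, password: str) -> bool:
    """Suggested behaviour: disabling is gated by the same password check as enabling,
    so a hijacked session alone is not enough to remove the second factor."""
    if not verify_password(user, password):
        return False
    user["totp_secret"] = None
    return True


if __name__ == "__main__":
    alice = make_user("alice", "correct horse battery staple")
    print("enable with wrong password:", enable_two_factor(alice, "guess"))
    print("enable with right password:", enable_two_factor(alice, "correct horse battery staple"))
    print("disable with wrong password:", disable_two_factor(alice, "guess"), "secret still set:", alice["totp_secret"] is not None)
    print("disable with right password:", disable_two_factor(alice, "correct horse battery staple"))
```

The only difference between the two disable paths is the `verify_password` call; the point is that the check is cheap and symmetric with the enable path, so there is no reason for one side to have it and the other not.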