2FA Improvements for better security


espservices


Hi,

Regarding 2FA on Blesta, I have 2 suggestions that I leave below. What do you guys think?

1- On both admin and client view, when browsing to the 2FA menu/page it always shows the 2FA QR code and also the alternative text code. From my point of view this can be considered a security flaw, because if we browse to that page on a hacked computer, the hacker can take a screenshot of the page and get the 2FA access. My suggestion here would be to hide the 2FA QR code + text code by default, and to see it we would have to click on a button with a dropdown menu that says: Show/Hide 2FA. This way we can keep the 2FA info safe even when browsing to the page. This is especially important for clients that use Blesta on different computers.

2- To enable 2FA we need to also type the password. But to disable 2FA no password is needed. Any special reason for this? I think it would be a lot more secure if the password is also required to disable 2FA.

So what do you guys think? Are these valid suggestions? Any other opinion on how Blesta handles 2FA?


6 hours ago, BlestaStore said:

I don't agree. If you have a hacked computer then the hacker can have anything you type, see, or visit. You can't have security if you're compromised.

No one with a computer connected to the internet can say with 100% certainty that it is not hacked/compromised.

Myself, as an admin, I try to be as safe as possible. For example, I have a separate computer just to generate 2FA codes and some other specific security stuff. Normally I never generate 2FA codes on my day-to-day computer. But the main problem is the clients that don't have the same knowledge of security. On services like Gmail and many others, the 2FA QR and text code are only visible after clicking on a button. This is to ensure that if a computer is compromised in a way that the hacker can take screenshots, he would not get the 2FA codes.

Let's take as an example a client that logs in to Blesta on a friend's computer and goes to his account details menu. If this computer is compromised by a hack that lets it take screenshots, the hacker will gain access to the 2FA codes. So, as per my suggestion, there should be a button with something like show/hide the 2FA codes. I don't know why it is hard to agree. From my point of view it's a simple design change that will keep the 2FA security codes much safer by showing them only when the user really needs them.
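To make the two suggestions in this thread concrete, here is an added example (my own sketch, not Blesta's code) of a settings handler in which the default page view never includes the secret, an explicit "show" action is needed to reveal it, and disabling 2FA re-verifies the password just like enabling it does. The class name, the PBKDF2 password check and the extra password gate on the reveal action are all assumptions for illustration; the thread itself only asks for a show/hide button.

```python
import base64
import hashlib
import hmac
import os
import secrets


class ReauthRequired(Exception):
    """Raised when a sensitive 2FA action is attempted without a valid password."""


class TwoFactorSettings:
    """Hypothetical account 2FA settings with the two changes proposed in the thread."""

    def __init__(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password, self._salt)
        self._secret = None  # base32 TOTP seed; None while 2FA is disabled

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _verify_password(self, password: str) -> None:
        # Constant-time compare so the check does not leak via timing.
        if not hmac.compare_digest(self._hash(password, self._salt), self._pw_hash):
            raise ReauthRequired("password re-verification failed")

    def enable(self, password: str) -> bool:
        self._verify_password(password)
        self._secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return True

    def disable(self, password: str) -> bool:
        # Suggestion 2: disabling requires the password, same as enabling.
        self._verify_password(password)
        self._secret = None
        return True

    def page_view(self) -> dict:
        # Suggestion 1: the default page carries only the status and a reveal control,
        # so a screenshot of it gives an attacker nothing.
        return {"enabled": self._secret is not None, "secret": None, "reveal_action": "show_2fa"}

    def reveal_secret(self, password: str):
        # The explicit "Show 2FA" action; gating it behind the password is an assumption.
        self._verify_password(password)
        return self._secret
```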
