Jump to content
Blesta.Store

[2Fa] Backup Code

Recommended Posts

Any such code would likely work similar to a passphrase that is not stored within Blesta anywhere, but can be confirmed by Blesta when entered.

 

Personally, I don't like the idea. It weakens 2FA. But, it's good if you have a lot of customers opening tickets because they lost their 2FA tokens.

Share this post


Link to post
Share on other sites

Any such code would likely work similar to a passphrase that is not stored within Blesta anywhere, but can be confirmed by Blesta when entered.

 

Personally, I don't like the idea. It weakens 2FA. But, it's good if you have a lot of customers opening tickets because they lost their 2FA tokens.

 

I'd be one of them ;) haha I've had my phone broken and had no choice but to send it to the repair center and they flush the phone back to factory settings. Therefore I was locked out, because when you have 2FA, you can't disable it unless you can get someone to disable it for you.

 

I had to contact Stripe and BitPay to get in them accounts :P But thankfully with Blesta I can enter the database and disable it. But I suppose Clients / staff could just contact you to disable it ;) but yeah makes it more independent :)

Share this post


Link to post
Share on other sites

Alternatively, you could make note of the seed information and save that in a safe location.

 

Seed information? I don't have that in the app, is that the hash Blesta used to give us? Isn't that the same as a emergency key to verify it? As you only get it once on Stripe if you loose it tough luck unless you contact them to prove it's you. I've only had to use it once and store my new one in Blesta :P

Share this post


Link to post
Share on other sites

Backup codes or the like are incredibly common. Even google does it: https://support.google.com/accounts/answer/1187538?hl=en I would much rather have such a feature baked in rather than having to procedurally kludge it in, which is what we have now.

 

Ah Google do that :o haha might have to set-up that and get some :P

Share this post


Link to post
Share on other sites

I think that could be because it's obvious in the UI how to disable two-factor authentication. That says nothing about how the administrators decide to disable it for a customer.

 

Right now you're requiring everyone to devise their own procedure, which in the common case is probably asking for easily available information, like physical address or phone number. This is less secure.

 

The method we chose was to define 1. preferred contact method client field 2. optional reset passphrase client field and 3. a contact type, but by default we aren't able to enforce that being configured before two-factor authentication is enabled.

Share this post


Link to post
Share on other sites

It's a good idea, but next to zero demand. Since this thread was created, there have maybe been a couple instances where people have asked how to disable 2FA because of a lost token. Maybe that means not enough people are using 2FA, I don't know.

 

to be fair I've been thinking about this for a while and more so this past couple weeks due to a near scare with my phone. so its not that people aren't thinking about it or wanting it, i think the forum isn't always the best metric to determine demand. i guess in that sense it could be that people are simply living with it as 2fa itself works fine and perhaps tokens haven't been lost yet or as license cart said the ability to actually go into the database, but in actuality as the companies of blesta users scale up that will become less and less practical.

Share this post


Link to post
Share on other sites

to be fair I've been thinking about this for a while and more so this past couple weeks due to a near scare with my phone. so its not that people aren't thinking about it or wanting it, i think the forum isn't always the best metric to determine demand. i guess in that sense it could be that people are simply living with it as 2fa itself works fine and perhaps tokens haven't been lost yet or as license cart said the ability to actually go into the database, but in actuality as the companies of blesta users scale up that will become less and less practical.

 

 

I have to add though I don't believe any competitor does these? As when I used one competitor I had to pay for it and they didn't I only found out via BitPay and Stripe it's a neat idea to have because if your phone breaks you can still re-enter.

Share this post


Link to post
Share on other sites

to be fair I've been thinking about this for a while and more so this past couple weeks due to a near scare with my phone. so its not that people aren't thinking about it or wanting it, i think the forum isn't always the best metric to determine demand. i guess in that sense it could be that people are simply living with it as 2fa itself works fine and perhaps tokens haven't been lost yet or as license cart said the ability to actually go into the database, but in actuality as the companies of blesta users scale up that will become less and less practical.

 

I definitely think it's a good suggestion, and yeah the forum isn't always the best metric.. but I'm considering tickets and emails, and phone calls, and it really hasn't come up.

 

Definitely a nice to have, but I think if we set aside everything else to implement that now, some people would be upset we didn't spend our time on more highly requested items.

Share this post


Link to post
Share on other sites

I have to add though I don't believe any competitor does these? As when I used one competitor I had to pay for it and they didn't I only found out via BitPay and Stripe it's a neat idea to have because if your phone breaks you can still re-enter.

 

whmcs does have back up codes. i just double checked and i still have mine hidden away in a secret vault. lol

 

 

I definitely think it's a good suggestion, and yeah the forum isn't always the best metric.. but I'm considering tickets and emails, and phone calls, and it really hasn't come up.

 

Definitely a nice to have, but I think if we set aside everything else to implement that now, some people would be upset we didn't spend our time on more highly requested items.

 

oh no i didn't mean it to sound like something that should be focused on as a matter of urgency, i was more just pointing out that it's not one of those things you realise you need until you need it and hence the forums or alike may not be the best metric. however i think it may be best to point people in the direction of services like authy as opposed to google authenticator which offers zero redundancy when backup codes aren't implemented. and just this week lastpass also launched a similar service too. so those two are what i'll be recommending to my customers although the lastpass implementation will need a little time to mature.

 

but as naja said it would be something useful in the long term

 

edit:

scratch that - lastpass authenticator doesn't sync as of yet

Share this post


Link to post
Share on other sites

It does...? When did you add the two factor I had mine when it came out until May 2013.

 

if i remember correctly i also had it when it came out but can't be certain. it's in their docs too...

 

"Additionally, a backup code is presented which should be stored in the event that your smartphone or tablet is not accessible..."

Share this post


Link to post
Share on other sites

Apologies for the necro.

I would just like to join the list of people who are interested in this feature, as well as some of my customers who have expressed this concern.

p.s the "key" generated on my install doesn't work when entering to Google Authenticator, only the QR code. But that might be for another thread.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...