Michael, posted January 8, 2015:
I was wondering if Blesta could have a backup code like Stripe and a few others, so if you lose your phone you can disable it. More like this: https://stripe.com/blog/two-step-verification
Tyson, posted January 8, 2015:
That's interesting. It's not something I would personally use because I frown upon backdoors, but some may find it useful.
Paul, posted January 8, 2015:
Any such code would likely work similarly to a passphrase that is not stored within Blesta anywhere, but can be confirmed by Blesta when entered. Personally, I don't like the idea. It weakens 2FA. But it's good if you have a lot of customers opening tickets because they lost their 2FA tokens.
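A minimal version of the scheme Paul sketches above (codes the server can confirm but never read back, each usable once), written as an added example in Python; it is not Blesta's code, and the code format, the count of eight, and the PBKDF2 parameters are my own assumptions:

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 8           # single-use codes issued per user (assumed value)
CODE_HEX_CHARS = 10      # 40 bits of entropy per code, displayed as xxxxx-xxxxx
KDF_ITERATIONS = 50_000  # PBKDF2 rounds: a leaked table must not be cheap to reverse

def normalize(code: str) -> str:
    """Canonical form: lowercase hex, separators and whitespace dropped."""
    return "".join(ch for ch in code.lower() if ch in "0123456789abcdef")

def hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, KDF_ITERATIONS)

def generate_backup_codes(count: int = CODE_COUNT):
    """Return (plaintext_codes, stored_records).

    The plaintext list is shown to the user once; only salted hashes are
    persisted, so the server can confirm a code but never read it back.
    """
    plaintext, records = [], []
    for _ in range(count):
        raw = secrets.token_hex(CODE_HEX_CHARS // 2)
        code = f"{raw[:5]}-{raw[5:]}"
        salt = secrets.token_bytes(16)
        plaintext.append(code)
        records.append({"salt": salt, "hash": hash_code(code, salt), "used": False})
    return plaintext, records

def redeem_backup_code(records, entered: str) -> bool:
    """Accept `entered` if it matches an unused code, then burn that code.

    Every record is checked (no early exit) with a constant-time compare,
    so a wrong guess costs the same whichever slot it nearly matched.
    """
    match = None
    for rec in records:
        if hmac.compare_digest(hash_code(entered, rec["salt"]), rec["hash"]) and not rec["used"]:
            match = rec
    if match is None:
        return False
    match["used"] = True
    return True

def remaining_codes(records) -> int:
    return sum(1 for rec in records if not rec["used"])
```

Pair this with the same login rate limiting that applies to passwords; at 40 bits a code is strong only while guesses are throttled.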
Michael, posted January 8, 2015:
> Any such code would likely work similarly to a passphrase that is not stored within Blesta anywhere, but can be confirmed by Blesta when entered. Personally, I don't like the idea. It weakens 2FA. But it's good if you have a lot of customers opening tickets because they lost their 2FA tokens.
I'd be one of them, haha. I've had my phone broken and had no choice but to send it to the repair center, and they flushed the phone back to factory settings. Therefore I was locked out, because when you have 2FA you can't disable it unless you can get someone to disable it for you. I had to contact Stripe and BitPay to get into those accounts. But thankfully with Blesta I can enter the database and disable it. I suppose clients / staff could just contact you to disable it, but yeah, it makes it more independent.
Tyson, posted January 8, 2015:
Alternatively, you could make a note of the seed information and save that in a safe location.
Michael, posted January 8, 2015:
> Alternatively, you could make a note of the seed information and save that in a safe location.
Seed information? I don't have that in the app. Is that the hash Blesta used to give us? Isn't that the same as an emergency key to verify it? You only get it once on Stripe; if you lose it, tough luck unless you contact them to prove it's you. I've only had to use it once, and I stored my new one in Blesta.
Tyson, posted January 9, 2015:
Yeah, by seed I mean the key used to set up the token.
Michael, posted January 9, 2015:
> Yeah, by seed I mean the key used to set up the token.
Could use that, mate: show it once after set-up and it can be used to regain entry, or something.
srn, posted March 16, 2016:
Backup codes or the like are incredibly common. Even Google does it: https://support.google.com/accounts/answer/1187538?hl=en I would much rather have such a feature baked in than have to procedurally kludge it in, which is what we have now.
Michael, posted March 16, 2016:
> Backup codes or the like are incredibly common. Even Google does it: https://support.google.com/accounts/answer/1187538?hl=en I would much rather have such a feature baked in than have to procedurally kludge it in, which is what we have now.
Ah, Google do that, haha. Might have to set that up and get some.
Paul, posted March 16, 2016:
It's a good idea, but next to zero demand. Since this thread was created, there have maybe been a couple of instances where people have asked how to disable 2FA because of a lost token. Maybe that means not enough people are using 2FA, I don't know.
srn, posted March 16, 2016:
I think that could be because it's obvious in the UI how to disable two-factor authentication. That says nothing about how the administrators decide to disable it for a customer. Right now you're requiring everyone to devise their own procedure, which in the common case is probably asking for easily available information, like physical address or phone number. This is less secure. The method we chose was to define 1. a preferred contact method client field, 2. an optional reset passphrase client field and 3. a contact type, but by default we aren't able to enforce that being configured before two-factor authentication is enabled.
niyo, posted March 18, 2016:
> It's a good idea, but next to zero demand. Since this thread was created, there have maybe been a couple of instances where people have asked how to disable 2FA because of a lost token. Maybe that means not enough people are using 2FA, I don't know.
To be fair, I've been thinking about this for a while, and more so this past couple of weeks due to a near scare with my phone. So it's not that people aren't thinking about it or wanting it; I think the forum isn't always the best metric to determine demand. I guess in that sense it could be that people are simply living with it, as 2FA itself works fine and perhaps tokens haven't been lost yet, or, as License Cart said, there is the ability to actually go into the database. But in actuality, as the companies of Blesta users scale up, that will become less and less practical.
Michael, posted March 18, 2016:
> To be fair, I've been thinking about this for a while, and more so this past couple of weeks due to a near scare with my phone. So it's not that people aren't thinking about it or wanting it; I think the forum isn't always the best metric to determine demand. I guess in that sense it could be that people are simply living with it, as 2FA itself works fine and perhaps tokens haven't been lost yet, or, as License Cart said, there is the ability to actually go into the database. But in actuality, as the companies of Blesta users scale up, that will become less and less practical.
I have to add, though, I don't believe any competitor does these? When I used one competitor I had to pay for it, and they didn't have it. I only found out via BitPay and Stripe. It's a neat idea to have, because if your phone breaks you can still re-enter.
Paul, posted March 18, 2016:
> To be fair, I've been thinking about this for a while, and more so this past couple of weeks due to a near scare with my phone. So it's not that people aren't thinking about it or wanting it; I think the forum isn't always the best metric to determine demand. I guess in that sense it could be that people are simply living with it, as 2FA itself works fine and perhaps tokens haven't been lost yet, or, as License Cart said, there is the ability to actually go into the database. But in actuality, as the companies of Blesta users scale up, that will become less and less practical.
I definitely think it's a good suggestion, and yeah, the forum isn't always the best metric. But I'm considering tickets, emails and phone calls, and it really hasn't come up. Definitely a nice-to-have, but I think if we set aside everything else to implement that now, some people would be upset we didn't spend our time on more highly requested items.
Blesta Addons, posted March 19, 2016:
Nice to add it, but in the loooong term.
niyo, posted March 20, 2016:
> I have to add, though, I don't believe any competitor does these? When I used one competitor I had to pay for it, and they didn't have it. I only found out via BitPay and Stripe. It's a neat idea to have, because if your phone breaks you can still re-enter.
WHMCS does have backup codes. I just double-checked, and I still have mine hidden away in a secret vault. lol
> I definitely think it's a good suggestion, and yeah, the forum isn't always the best metric. But I'm considering tickets, emails and phone calls, and it really hasn't come up. Definitely a nice-to-have, but I think if we set aside everything else to implement that now, some people would be upset we didn't spend our time on more highly requested items.
Oh no, I didn't mean it to sound like something that should be focused on as a matter of urgency. I was more just pointing out that it's not one of those things you realise you need until you need it, and hence the forums or alike may not be the best metric. However, I think it may be best to point people in the direction of services like Authy as opposed to Google Authenticator, which offers zero redundancy when backup codes aren't implemented. And just this week LastPass also launched a similar service too. So those two are what I'll be recommending to my customers, although the LastPass implementation will need a little time to mature. But as naja said, it would be something useful in the long term.
Edit: scratch that - LastPass Authenticator doesn't sync as of yet.
Michael, posted March 20, 2016:
> WHMCS does have backup codes. I just double-checked, and I still have mine hidden away in a secret vault. lol
It does...? When did you add the two-factor? I had mine from when it came out until May 2013.
niyo, posted March 20, 2016:
> It does...? When did you add the two-factor? I had mine from when it came out until May 2013.
If I remember correctly I also had it when it came out, but I can't be certain. It's in their docs too: "Additionally, a backup code is presented which should be stored in the event that your smartphone or tablet is not accessible..."
Deactivat3d, posted May 16, 2020:
Apologies for the necro. I would just like to join the list of people who are interested in this feature, as well as some of my customers who have expressed this concern. P.S. The "key" generated on my install doesn't work when entered into Google Authenticator, only the QR code. But that might be for another thread.