
Require 2FA/MFA when magic links are used from MainWP/host control panels/etc. (#92)

When a “magic link” is used from another system such as MainWP, or a web host’s control panel (or the likes of GridPane), 2FA/MFA is ignored.

One school of thought is that someone should have good security on those systems, and also already use 2FA/MFA. Some systems are better than others for that.

However, there can also be periods of time when those systems have been left logged in, or other vulnerabilities may be created or exploited in the future that weaken the security there.

By allowing an option for 2FA/MFA to always be used, even if a passwordless/SSO logon occurs, it allows strong (and potentially no-need-to-know) passwords to be used but also retains an OTP, requiring the “something that you have” factor of authentication, still providing a high level of security alongside very good ease of use.

(To see an example of how this works, WP 2FA from WP White Security still requires 2FA from a GridPane magic link, whereas Shield doesn’t. I can provide a video if it helps to visualise what I’m suggesting.)

9 months ago
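The option requested above, modelled as an added Python example (this is not code from Shield, WP 2FA or GridPane): a magic-link hand-off establishes only the first factor, and a policy flag decides whether a protected action is allowed before a TOTP has been verified. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step) and uses the RFC's published test key; the `Session` and `Policy` field names, the idle timeout and the `magic_link` label are assumptions made for the illustration.

```python
"""Toy authorization gate: first factor (password or magic link) plus an
optional 'always require second factor' policy. Added illustration, not
the code of any plugin mentioned in the thread."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RFC 4226 / RFC 6238 test-vector key (20 ASCII digits), not a real secret.
TEST_SECRET = b"12345678901234567890"
TOTP_STEP = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, at // TOTP_STEP, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps of clock drift,
    comparing in constant time."""
    counter = at // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


@dataclass
class Policy:
    # The option the request asks for: second factor even after SSO/magic link.
    require_mfa_for_magic_link: bool = True
    idle_timeout_seconds: int = 900  # assumed value, mirrors "idle sessions are logged out"


@dataclass
class Session:
    user: str
    first_factor: str  # "password" or "magic_link" (assumed labels)
    last_seen: int
    second_factor_ok: bool = False


def login_with_magic_link(user: str, now: int) -> Session:
    """A control-panel / MainWP hand-off: the link proves possession of the
    link only, so the session starts without the second factor."""
    return Session(user=user, first_factor="magic_link", last_seen=now)


def complete_second_factor(session: Session, secret: bytes, code: str, now: int) -> bool:
    """Mark the session as fully authenticated when a valid TOTP is presented."""
    if verify_totp(secret, code, now):
        session.second_factor_ok = True
        session.last_seen = now
        return True
    return False


def authorize(session: Session, policy: Policy, now: int) -> tuple:
    """Return (allowed, reason) for a protected action. Idle sessions are
    rejected first; then the magic-link policy is applied."""
    if now - session.last_seen > policy.idle_timeout_seconds:
        return False, "idle timeout"
    needs_otp = (
        session.first_factor == "magic_link"
        and policy.require_mfa_for_magic_link
        and not session.second_factor_ok
    )
    if needs_otp:
        return False, "second factor required"
    session.last_seen = now
    return True, "ok"


def demo(now: int = 59) -> dict:
    """Walk one magic-link session through both policy settings."""
    strict, lenient = Policy(require_mfa_for_magic_link=True), Policy(require_mfa_for_magic_link=False)
    s = login_with_magic_link("admin", now)
    before = authorize(s, strict, now)
    as_today = authorize(s, lenient, now)  # behaviour the request says Shield has now
    complete_second_factor(s, TEST_SECRET, totp(TEST_SECRET, now), now)
    after = authorize(s, strict, now + 10)
    idle = authorize(s, strict, now + 10 + 901)
    return {"before_otp": before, "policy_off": as_today, "after_otp": after, "idle": idle}


if __name__ == "__main__":
    print(demo())
```

The gate only needs to check a boolean on the session, so the same policy could apply to any first-factor source the application trusts; the TOTP window of one step either side is the usual drift allowance and should be paired with single-use enforcement of each accepted code in a real implementation.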

For the moment, it’s probably unlikely this behaviour would change in the plugin, particularly for the likes of MainWP. With Shield installed on MainWP you can set it to ensure idle sessions are logged out. The main protection should be placed in the MWP server, not the client login. Adding 2FA during client login would add a lot of friction.

I’ll consider how to account for this going forward though… it’s complex and would likely need a per-implementation workaround - not ideal.

9 months ago

Thanks for your feedback… I understand the points you raise, and it’s clearly not a straightforward change!

The analogy I’d use though is one of an office building with security on the front door - an employee comes through the reception lobby, and is required to use their building access ID pass to get through the turnstiles.

But then, there are also card access readers on doors on most floors by the elevators, and to get into the data centre/server room, as well as into some other restricted areas.

In other words, just because you’re through the front door, there are other security measures in place to protect the organisation just in case anyone manages to get through the first security gate.

As I say, I know this might not be an easy change, but I think it’s of really high value if it can be cracked! (And even if that takes some time from now!)

9 months ago