This is a request that came in a long while back and that I’ve had on the back of my mind for a while now, so it seems a good place to put it now. The original request:
A feature request if I may - it would be cool if Reclaim (i.e. the login to the portal itself) optionally supported two-factor authentication for added security. My preference would be for TOTP as in RFC 6238.
Probably important to consider both our client area as well as direct cPanel logins as two potential entrypoints that could benefit from such a feature.
Second this. If it’s an important bit of my personal infrastructure I want two factor authentication on it.
Not having a smartphone for a long while, I resisted two-factor because it was usually SMS/text based, and would lock me out of access. For example, I resisted Clef as a default two-factor authentication plugin for WordPress on Reclaim’s installs because it assumed you had a smartphone. That said, I know that argument is limited, and this is an important feature, so hearing more about the two-factor authentication folks currently use, and what works best, would be very useful.
I think the key thing is that it’s optional and not a required but simply a recommended practice. The problem with Clef is that it was aggressive in promoting itself in the Dashboard, essentially overriding the default WordPress experience and confusing people. For this implementation with Portal and cPanel, whatever we use would need to just be a setting that can be turned on for those that want to have it but not enabled by default.
Thirding this. I’ve come to rely on 2 Factor Auth. It’s also true that SMS for 2 Factor does have a concerning potential “man in the middle” attack surface (another reason an alternative to SMS might be good). See: So Hey You Should Stop Using Texts for Two-Factor Authentication | WIRED
Documentation to come, but if you go to Client Area - Reclaim Hosting (Security tab after clicking dropdown under your name in top right and going to Detail view) you’ll find it :).
@dajbelshaw I think you’ll probably want to see this update too ^