Two Way Authentication


    #40826
    Rene Nusse
    Participant

    Is “Two Way Authentication” available now or in the future?

    #40827
    AITpro Admin
    Keymaster

    I am planning on adding a Two-Factor Authentication (2FA) feature in BPS Pro 16.1. BPS Pro currently has JTC Anti-Spam|Anti-Hacker and Login Security and Monitoring for Login protection.

    #40864
    AITpro Admin
    Keymaster

    I’ve decided against adding a 2FA feature in BPS Pro after researching this extensively. The primary reason for not adding a 2FA feature is that there is not enough demand for it. There are several WordPress 2FA plugins available to choose from. If you run into a conflict or problem with a 2FA plugin and BPS Pro then let me know which 2FA plugin that is.

    #43589
    Laurent
    Participant

    Hi Edward,

    Has your position changed on the 2FA matter since 2021?

    People in FB groups tend to unanimously say that this is now standard best security practice.

    I just installed BPS Pro on a website where the free plugin FluentAuth was already installed to have the 2FA authentication feature.

    But their 2FA feature only works if FluentAuth also handles the “Login Try Limit per IP address” thing.

    So should I turn off the Login Security feature of BPS Pro if I want to use 2FA?

    If I do so, I guess I won’t be able to use your nice JTC feature either (EDIT: JTC is independent of your Login Security feature, so that’s cool).

    Let me know what your take is on this. (EDIT: Thus let me know if 2FA is really a feature that improves security when you have the full security package of BPS Pro for the login process).

    Best,

    Laurent

    #43590
    AITpro Admin
    Keymaster

    Yep, turn off Login Security since 2FA will be handling the login process. JTC is an independent feature, so it will either work or not with your 2FA plugin. The only way I would consider adding a 2FA feature is if someone could choose to have new subscribers not have to deal with 2FA, which kind of negates the primary reason for 2FA. If someone has a website that only they log in to, then 2FA makes sense. If on the other hand you have a Store that sells products and users register before or at purchase, then 2FA does not make sense.

    #43591
    Laurent
    Participant

    Thank you Edward. For people interested, know that the 2FA feature of FluentAuth works perfectly with JTC.

    #43592
    Laurent
    Participant

    By the way, why do you say it doesn’t make sense?

    2FA authentication is only triggered when you log in, not when you register, so it won’t lead to a drop in the registration rate if that’s what you’re worried about.

    Also, from the user’s point of view, this kind of functionality shows that the website cares about the security of their user accounts (and personal information).

    Have I missed something in your thought process?

    #43593
    AITpro Admin
    Keymaster

    Ok, so let’s say a 2FA feature was created that auto-generated passcodes for any user who signed up to your site. That means the typical usage of 2FA is negated because anyone can log in to your site. It is the same as not having 2FA. As far as gimmicks go, people want the simplest and easiest transaction possible. The less hassle they have to deal with, the happier they will be, and they will be return customers. At my 9-5 IT job we use DUO Mobile 2FA. 25% of the IT tickets that I deal with every single day are problems with DUO Mobile.

    #43596
    Laurent
    Participant

    What I call 2FA here is to prevent a hacker from logging in with stolen credentials (id/pwd) by additionally requesting a 6-digit code via e-mail.

    If the hacker doesn’t have access to the e-mail address to which the code is sent, they won’t be able to connect to the user’s account (and any sensitive user data).

    So it’s more a protection for the user than for the site.

    But thanks for sharing real data, it makes you think.

    #43597
    AITpro Admin
    Keymaster

    Oh, I get where you are coming from now. You are saying that the website that a person logs into would have credit card/personal info displayed in that account. That’s a scary thought. That stuff should all be encrypted and definitely not displayed publicly or even privately. I was assuming that a website would not display any personal data besides things like phone # or email address in the account someone logged in with. Let’s say a thief stole someone’s credit card, logged into a site with 2FA and made some purchases. When that thief signs up, he will enter an email or phone # where the 2FA code will be sent to. That would not stop the thief from using someone else’s stolen credit card.

    #43598
    Laurent
    Participant

    The phone number can be sensitive data, as can the e-mail address if the hacker only has the id and password to log into the user’s account. 2FA would prevent them from accessing these if they are in plain text in the user’s dashboard.

    But one could argue that while I’m very careful with my users’ data, there are plenty of other ways/places where their data can and will be compromised sooner or later.

    #43599
    Laurent
    Participant

    I just noticed that FluentAuth allows you to enable 2FA only for certain user roles.

    In this situation, we seem to have the best of both worlds:

    • an extra layer of security for the account with administrator privileges (2FA enabled),
    • a worry-free situation for subscribers who simply need to enter their id and password (2FA disabled).
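
The two mechanisms discussed in this thread, an e-mailed 6-digit second factor that blocks a login made with stolen id/password (post #43596) and 2FA that is switched on only for privileged roles while subscribers log in with password alone (post #43599), together with a per-IP login try limit, are modelled below as an added, self-contained Python example. It is not code from FluentAuth, BPS Pro or this forum; the class and function names, the role list, the user records, the 10-minute code lifetime and the attempt budgets are all assumptions chosen for the illustration. The points a defender cares about are that the code comes from a CSPRNG, only an HMAC of it is stored, it expires, it is single use, guesses are capped, and comparisons are constant-time.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy knobs (constructed for this example; a real plugin exposes these as settings).
CODE_TTL_SECONDS = 600            # an e-mailed code is useless after 10 minutes
MAX_CODE_ATTEMPTS = 5             # guesses allowed per issued code
MAX_LOGIN_FAILURES_PER_IP = 5     # the "Login Try Limit per IP address" idea
ROLES_REQUIRING_2FA = {"administrator", "editor"}   # subscribers stay 2FA-free


@dataclass
class User:
    username: str
    password: str   # plaintext only to keep the demo short; store a password hash in real code
    role: str
    email: str


@dataclass
class PendingCode:
    digest: str       # HMAC of the code, so a leaked table does not reveal live codes
    expires_at: float
    attempts: int = 0


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class EmailOtpLogin:
    def __init__(self, users, send_email, now=time.time):
        self.users = {u.username: u for u in users}
        self.send_email = send_email      # callable(email, code); a real mailer in production
        self.now = now
        self.secret = secrets.token_bytes(32)   # per-process key for hashing issued codes
        self.pending = {}                 # username -> PendingCode
        self.ip_failures = {}             # ip -> failed first-factor attempts

    def _digest(self, username, code):
        msg = f"{username}:{code}".encode()
        return hmac.new(self.secret, msg, "sha256").hexdigest()

    def login(self, username, password, ip):
        """First factor: id/password, rate-limited per source IP."""
        if self.ip_failures.get(ip, 0) >= MAX_LOGIN_FAILURES_PER_IP:
            return "locked"
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password.encode(), password.encode()):
            self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
            return "denied"
        if user.role not in ROLES_REQUIRING_2FA:
            return "authenticated"       # role-based policy: no second step for this role
        code = f"{secrets.randbelow(1_000_000):06d}"   # CSPRNG, leading zeros kept
        self.pending[username] = PendingCode(
            self._digest(username, code), self.now() + CODE_TTL_SECONDS)
        self.send_email(user.email, code)  # only the mailbox owner can complete the login
        return "code_required"

    def verify_code(self, username, code):
        """Second factor: the 6-digit code, with expiry and a guess budget."""
        pending = self.pending.get(username)
        if pending is None:
            return "denied"
        if self.now() > pending.expires_at or pending.attempts >= MAX_CODE_ATTEMPTS:
            del self.pending[username]     # burn the code; the user must log in again
            return "denied"
        pending.attempts += 1
        if hmac.compare_digest(pending.digest, self._digest(username, code)):
            del self.pending[username]     # single use
            return "authenticated"
        return "denied"


def build_demo():
    """Constructed users, an in-memory outbox and a fake clock for the walkthrough."""
    clock = FakeClock()
    outbox = []
    users = [
        User("alice", "subscriber-pw", "subscriber", "alice@example.com"),
        User("bob", "admin-pw", "administrator", "bob@example.com"),
    ]
    svc = EmailOtpLogin(users, lambda email, code: outbox.append((email, code)), clock.now)
    return svc, outbox, clock


if __name__ == "__main__":
    svc, outbox, clock = build_demo()
    print("alice:", svc.login("alice", "subscriber-pw", "203.0.113.5"))   # authenticated
    print("bob:", svc.login("bob", "admin-pw", "203.0.113.5"))            # code_required
    email, code = outbox[-1]
    print("bob code:", svc.verify_code("bob", code))                      # authenticated
```

Running the module shows the subscriber finishing at the password step while the administrator is held at `code_required` until the e-mailed code is presented. Someone holding only Bob's stolen password gets a code sent to Bob's mailbox, not theirs, and has at most five guesses at a 6-digit value inside ten minutes before the code is burned; repeated wrong passwords from one address trip the per-IP limit independently of the second factor.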

    #43600
    AITpro Admin
    Keymaster

    Yep, that is the most logical usage to me.
