[Defender Pro] 2FA: Login with email verification


This is not a new feature: right now you can enable 2FA and there is an option to use email as a fallback. If you do not set up any other 2FA option, you will have to login by verifying a “temporary password” that is sent to your email.

I suggest you re-introduce this feature as a new two-factor authentication method that’s enabled by default for all users. This way, no user will have to download and set up 2FA – they won’t even know that it’s enabled by default!

I’m sure you’ve already encountered what I’m talking about on other sites, like DigitalOcean, that send you a temp code to your email in order to login even if you don’t have any 2FA method enabled.

Defender already has this option. You just have to introduce it as a new feature that’s enabled by toggling a button. Just rebrand it and change some of the wording.

It is very easy for you to implement, it drastically improves security, and we developers won’t have to tell the clients/users how to set up 2FA with an authenticator app.

  • Nithin Ramdas
    • Support Wizard

    Hi Isidoros Rigas,

    You could use the “Config,” i.e. under Defender Pro > Settings > Configs, to configure the “Force users to log in with two-factor authentication” feature in Defender Pro > 2FA so that by default users will have to configure 2FA.

    The idea of “Configs” is to address different types of use cases based on your website needs, so you don’t have to stick with any one specific setting provided out of the box on the plugin side:
    https://wpmudev.com/docs/wpmu-dev-plugins/defender/#configs

    However, the above feature will only force the users to set up any of the available 2FA features, not Email by default. Could we know whether you have considered using Configs? Doesn’t that help with addressing the security? Using Web Authentication or an Authenticator app would be more secure when compared to Email, which can be left for users to decide.

    Looking forward to your response so we can check further regarding improving the workflow.

    Kind Regards,
    Nithin

    • Isidoros
      • Eeriee

      Hi Nithin,

      Thanks for the reply but this isn’t what I’m talking about. I think I haven’t been perfectly clear.

      Here’s how the proposed feature works:

      1. The admin enables 2FA with email verification.
      2. When a user enters their username/password to login, it prompts them to enter a verification code sent to their email.
      3. They enter the code and they are in.

      This is an alternative 2FA method to the existing method that relies on an authenticator app. Enabling “2FA with email verification” will force all users to login by entering the verification code whether they have 2FA or not.
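The three-step flow above, as an added illustration that is not Defender’s own code: after the password check the server generates a random code, mails it, stores only a salted hash with an expiry and an attempt counter, and accepts the code exactly once. The class and function names, the six-digit/ten-minute/five-attempt limits, the sample user and the injected mailer and clock are all assumptions made for this example so it runs offline.

```python
# Added example (not Defender's code): an email one-time-code step that runs
# after a successful password check. Code length, lifetime, attempt limit and
# the injected mailer/clock are assumptions made for this illustration.
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # assumption: six numeric digits
CODE_TTL_SECONDS = 600   # assumption: code valid for ten minutes
MAX_ATTEMPTS = 5         # assumption: five guesses, then the code is discarded


@dataclass
class PendingChallenge:
    """Server-side record of one outstanding code; the code itself is never stored."""
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


class EmailSecondFactor:
    """Issues and verifies emailed login codes for users who passed the password check."""

    def __init__(self, send_mail, clock=time.time):
        self._send_mail = send_mail      # callable(to_address, body)
        self._clock = clock              # injectable so expiry can be exercised offline
        self._pending: dict[str, PendingChallenge] = {}

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        # Slow, salted hash so a leaked database row does not reveal a still-valid code.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 10_000)

    def issue(self, username: str, email: str) -> None:
        """Generate a fresh code, store its hash, and mail the code to the user."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[username] = PendingChallenge(
            code_hash=self._hash(code, salt),
            salt=salt,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._send_mail(email, f"Your login code is {code}. It expires in 10 minutes.")

    def verify(self, username: str, submitted: str) -> bool:
        """Return True once for the correct, unexpired code; False otherwise."""
        challenge = self._pending.get(username)
        if challenge is None:
            return False
        if self._clock() > challenge.expires_at:
            del self._pending[username]          # expired: user must request a new code
            return False
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self._pending[username]          # too many guesses: discard the code
            return False
        ok = hmac.compare_digest(self._hash(submitted, challenge.salt), challenge.code_hash)
        if ok:
            del self._pending[username]          # single use
        return ok


def code_from_mail(body: str) -> str:
    """Pull the digits out of the mailed message (helper for the demo below)."""
    return re.search(r"\b(\d{%d})\b" % CODE_DIGITS, body).group(1)


def demo(now: float = 1_000.0) -> dict:
    """Run the flow offline with a capturing mailer and a controllable clock."""
    sent = []
    clock = {"t": now}
    factor = EmailSecondFactor(lambda to, body: sent.append(body), clock=lambda: clock["t"])
    user, address = "alice", "alice@example.invalid"   # constructed sample user

    factor.issue(user, address)
    code = code_from_mail(sent[-1])
    wrong = str((int(code) + 1) % 10**CODE_DIGITS).zfill(CODE_DIGITS)
    results = {
        "wrong_code_rejected": not factor.verify(user, wrong),
        "right_code_accepted": factor.verify(user, code),
        "reuse_rejected": not factor.verify(user, code),
    }

    factor.issue(user, address)
    code = code_from_mail(sent[-1])
    clock["t"] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not factor.verify(user, code)

    factor.issue(user, address)
    code = code_from_mail(sent[-1])
    wrong = str((int(code) + 1) % 10**CODE_DIGITS).zfill(CODE_DIGITS)
    for _ in range(MAX_ATTEMPTS):
        factor.verify(user, wrong)
    results["locked_after_guessing"] = not factor.verify(user, code)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the emailed code is the only secret, so it must be unguessable (CSPRNG, not `random`), short-lived, single-use, and bounded in attempts; otherwise a six-digit code can simply be enumerated once the password is known.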

    • Isidoros
      • Eeriee

      “Please note if the Authenticator App is not configured but the Email Fallback option is enabled, when a user tries to log in, it will prompt to enter a verification code emailed to the user’s email ID.”

      Exactly. I’m not saying it’s more secure than the “Authenticator App” method, but it’s a great alternative for admins and users who do not want to set up an Authenticator App.

      Non-tech-savvy people hate Authenticator apps, and my proposed feature would make logging in infinitely more secure than… nothing. Right now, if they don’t set up 2FA, nothing protects them from compromised passwords. With my proposed feature, the hacker/attacker wouldn’t be able to log in without access to the admin’s email, even if they knew the site’s password.

      This feature could be turned on with the switch of a toggle and it would be applicable to all users and admins. The 2FA with “Authenticator App” would still be an extra step for “max” security.

  • Nithin Ramdas
    • Support Wizard

    Hi Isidoros Rigas,

    “With my proposed feature, the hacker/attacker wouldn’t be able to log in without access to the admin’s email, even if they knew the site’s password.”

    I do understand you. However, this shouldn’t be the case if you have the “Force users to log in with two-factor authentication” option enabled in 2FA settings.

    The above option in the plugin allows users to set up what they want rather than setting up email by default as a fallback. So the user will have a choice to enable only Email if they want via their Profile, or to configure Web Auth or Authenticator if needed, etc.

    At the moment, users can enable Email, TOTP or Web Auth. Enabling any of these features individually should work fine.

    So what you have mentioned is already possible; the only difference is that it gives the users a choice on whether they only want to enable Email, Authenticator or Web Auth.

    So I’m not sure how well a separate feature to force the users to use an email fallback would be helpful in such a case.

    However, I have already brought your feedback to our Defender team’s attention regarding your request, so they can check and consider whether we could make further improvements on the plugin side for such a workflow.

    Kind Regards,
    Nithin

    • Isidoros
      • Eeriee

      Hi Nithin,

      “So what you have mentioned is already possible”

      Exactly! It’s already there. You just have to re-brand it as an alternative method to the Authentication App.

      “the only difference is that it gives the users a choice on whether they only want to enable Email, Authenticator or Web Auth”

      No… I’m talking about email verification only! There would be no setup necessary for this. Just enable it and forget it. The next time a user tried to log in, they would have to verify the code sent to their email.

      “So I’m not sure how well a separate feature to force the users to use an email fallback would be helpful in such a case.”

      It’d be useful for two reasons:

      A) The wording for “email fallback” is wrong. The message you get at the login screen must be different. Right now it says: “Can’t access your device? We’ve sent a passcode to your fallback email address. Enter it below to log in to your account.” It sounds wrong for the use case I propose.
      B) The current feature requires users to choose an authentication method, and it may be overwhelming for non-tech-savvy people. Also, it’d be better if you explained to them what to do and how everything works. With my proposed feature, they wouldn’t even know that 2FA with email verification is on.

      “However, I have already brought your feedback to our Defender team’s attention regarding your request, so they can check and consider whether we could make further improvements on the plugin side for such a workflow.”

      Thank you.