Announcement: 2FA support is available on Control Panel

iraqiboy90
New to forums
Posts: 6
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Wed Mar 03, 2021 11:58 am

Announcement: 2FA support is available on Control Panel

Post by iraqiboy90 »

It's about time! :D
Thanks.

I see no threads announcing this, so I thought I'd write this in the General section so more people activate it.
Naleksuh
This is my homepage
Posts: 298
Joined: Thu Jul 25, 2019 12:35 am

Re: Announcement: 2FA support is available on Control Panel

Post by Naleksuh »

Yes, it has been available and in fact it was forcefully enabled for any account that hadn't logged in between 2022-03-19 and 2023-03-19. Which is sad because it can lock people out of their accounts permanently if they no longer have access to their email, like what happened with Neopets.
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Announcement: 2FA support is available on Control Panel

Post by Edge100x »

Naleksuh, you forgot that if a customer no longer has access to email, the account can still be recovered through any valid payment source. So, any customer who has a current service will be able to readily regain access.

Losing access to your email account is still a huge deal and will cause all sorts of problems, of course. We have always used email as an extra verification step for important tasks such as transferring a service or recovering an account password.

I don't know what you are referring to with "Neopets".
Naleksuh
This is my homepage
Posts: 298
Joined: Thu Jul 25, 2019 12:35 am

Re: Announcement: 2FA support is available on Control Panel

Post by Naleksuh »

It's just a similar thing that happened. Neopets forced a password reset for all accounts, and if you no longer had access to your email you were permanently locked out.

I was under the impression that password resets via payment source had been removed. Is it put back? I do not see the option on https://www.nfoservers.com/control/lostpassword.pl
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Announcement: 2FA support is available on Control Panel

Post by Edge100x »

Passwords are not reset through a payment source and that has never been the case. Accounts can, however, be recovered through a payment source, and the option is available on the login page. It is listed as "Recover login name or lost email access".

It was important to turn on 2-step verification for old accounts because we saw several cases of an attacker logging into a dormant customer account, applying reused credentials found elsewhere, and then using an existing payment source to purchase new services. In a couple of these cases, the customer did not check the linked email account to see the order emails, and did not contact us; we only found out that the activity was unauthorized later, through credit card chargebacks. Simply requiring an extra verification step for ancient accounts has significantly decreased the ability for attackers to do this, protecting customers and our company, without any loss of functionality.
Naleksuh
This is my homepage
Posts: 298
Joined: Thu Jul 25, 2019 12:35 am

Re: Announcement: 2FA support is available on Control Panel

Post by Naleksuh »

Ah, I was looking at the buttons for the mini login form on the homepage. It is a bit confusing that there are two ways to log in, but I found it now.
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Announcement: 2FA support is available on Control Panel

Post by Edge100x »

We're also here to provide service and help with instructions or other assistance if any user can't access services.

iraqiboy90, I've made an official post now, as well!
Decicus
Compulsive poster
Posts: 65
Joined: Thu Dec 05, 2013 1:55 am
Location: Norway

Re: Announcement: 2FA support is available on Control Panel

Post by Decicus »

A bit late to the party, but my suggestion for authenticator 2FA (aka TOTP) would be to have a form input where the user can input the generated 2FA code.

Could also get rid of the 30 minute timer of displaying the QR code / TOTP secret if the user has verified they can generate valid codes.
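
What the confirmation step suggested in the post above could look like, as an added example that is not part of the thread and not NFOservers' code: an RFC 6238 TOTP check where 2FA is switched on only after the user submits one valid code. The `Enrollment` class, `matching_step`, the one-step drift window and the sample secret are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct, time

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length shown by common authenticator apps

def totp(secret_b32, at, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def matching_step(secret_b32, submitted, at, window=1):
    """Return the time step whose code matches, or None (+/- `window` steps of drift)."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return None
    now_step = int(at) // STEP
    found = None
    for step in range(max(0, now_step - window), now_step + window + 1):
        # compare_digest avoids leaking how many digits matched via timing
        if hmac.compare_digest(totp(secret_b32, step * STEP), submitted):
            found = step
    return found

class Enrollment:
    """Pending TOTP setup (hypothetical): enabled only after a valid code is submitted."""
    def __init__(self, secret_b32):
        self.secret_b32 = secret_b32
        self.confirmed = False
        self.last_step = -1      # highest step already accepted, blocks code replay

    def submit(self, code, at=None):
        at = time.time() if at is None else at
        step = matching_step(self.secret_b32, code, at)
        if step is None or step <= self.last_step:
            return False
        self.last_step = step
        self.confirmed = True    # from here the QR code / secret need not be shown again
        return True

# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890"
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()
```
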