Yes, it has been available, and in fact it was forcefully enabled for any account that hadn't logged in between 2022-03-19 and 2023-03-19, which is sad because it can lock people out of their accounts permanently if they no longer have access to their email, like what happened with Neopets.
Naleksuh, you forgot that if a customer no longer has access to email, the account can still be recovered through any valid payment source. So, any customer who has a current service will be able to readily regain access.
Losing access to your email account is still a huge deal and will cause all sorts of problems, of course. We have always used email as an extra verification step for important tasks such as transferring a service or recovering an account password.
I don't know what you are referring to with "Neopets".
It's just a similar thing that happened. Neopets forced a password reset for all accounts, and if you no longer had access to your email you were permanently locked out.
Passwords are not reset through a payment source and that has never been the case. Accounts can, however, be recovered through a payment source, and the option is available on the login page. It is listed as "Recover login name or lost email access".
It was important to turn on 2-step verification for old accounts because we saw several cases of an attacker logging into a dormant customer account, applying reused credentials found elsewhere, and then using an existing payment source to purchase new services. In a couple of these cases, the customer did not check the linked email account to see the order emails, and did not contact us; we only found out that the activity was unauthorized later, through credit card chargebacks. Simply requiring an extra verification step for ancient accounts has significantly decreased the ability for attackers to do this, protecting customers and our company, without any loss of functionality.
A bit late to the party, but my suggestion for authenticator 2FA (aka TOTP) would be to have a form input where the user can input the generated 2FA code.
Could also get rid of the 30-minute timer of displaying the QR code / TOTP secret if the user has verified they can generate valid codes.
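The enrollment confirmation suggested in the post above, as an added example that is not from the thread or the provider's code: the server keeps the TOTP secret viewable only until the user submits a code that verifies, then hides it. The `Enrollment` class, its method names, the ±1 step window and the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) are assumptions.

```python
import base64, hashlib, hmac, secrets, struct, time

STEP = 30    # seconds per TOTP time step (RFC 6238 default, assumed)
DIGITS = 6   # code length (assumed)

def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Enrollment:
    """Hypothetical server-side state for one account's TOTP setup."""

    def __init__(self, secret_b32=None):
        # 20 random bytes encode to 32 base32 characters with no padding.
        self.secret = secret_b32 or base64.b32encode(secrets.token_bytes(20)).decode()
        self.confirmed = False
        self.last_step = -1  # highest time step already accepted

    def secret_for_display(self):
        # The secret / QR code is shown only until the user has proven
        # they can generate valid codes; after that it is never re-shown.
        return None if self.confirmed else self.secret

    def confirm(self, submitted, now=None, window=1):
        """Accept a code from the form input; tolerate +/- `window` steps of clock drift."""
        now = time.time() if now is None else now
        current = int(now) // STEP
        for step in range(current - window, current + window + 1):
            if step <= self.last_step:
                continue  # a code from an already-used step is a replay
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_step = step
                self.confirmed = True
                return True
        return False
```
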