• Hi,
    As much as I like the rest of the plugin, there is one thing that is lacking badly and this is the 2FA. Here are the main functionalities a decent 2FA plugin should have:
    – TOTP as primary 2FA, email and statically generated backup codes as secondary.
    – “trust this device for X days” option
    – ability to allow 2FA options configuration through frontend pages (so – through shortcodes)

    A huge bonus would be support for third party logins, like “Theme My Login” and ajax login forms, but that’s really a bonus while those above are absolute minimum for a functional 2FA.
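The three items on the list above, as an added illustration that is not WP Cerber's code (the plugin is PHP; this is a standalone Python model): an RFC 6238 TOTP verifier with a clock-drift window and replay rejection, statically generated single-use backup codes stored only as hashes, and a time-limited "trust this device" token. The in-memory stores and the 30-second, 6-digit defaults are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # RFC 6238 default time step (assumed)
DIGITS = 6          # authenticator-app default code length (assumed)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, now // STEP_SECONDS)


def verify_totp(key: bytes, submitted: str, now: int, last_counter: int = -1, drift: int = 1):
    """Accept a code within +/- drift steps of now, but never a counter at or below the
    last accepted one (replay protection). Returns (ok, counter_to_store)."""
    base = now // STEP_SECONDS
    for delta in range(-drift, drift + 1):
        counter = base + delta
        if counter <= last_counter:
            continue  # already used, or older than the last accepted code
        if hmac.compare_digest(hotp(key, counter), submitted):
            return True, counter
    return False, last_counter


def generate_backup_codes(n: int = 10):
    """Static recovery codes: show plaintext once, persist only the hashes."""
    plain = [secrets.token_hex(5) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, stored


def redeem_backup_code(stored: set, submitted: str) -> bool:
    """Consume a recovery code; each code is valid exactly once."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False


def issue_device_trust(now: int, days: int):
    """'Trust this device for X days': random cookie token mapped to an expiry time."""
    return secrets.token_urlsafe(32), now + days * 86400


def device_trusted(trust_store: dict, token: str, now: int) -> bool:
    expiry = trust_store.get(token)
    return expiry is not None and now < expiry
```

The TOTP values can be checked against the RFC 6238 test vectors (ASCII key `12345678901234567890`, 6-digit codes).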

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author gioni

    (@gioni)

    Hi!

    2FA is a security feature. And it’s implemented as a security feature that has to be implemented in a free version. The features you’ve described are mostly bonuses or “bells and whistles”. In other words, they are non-essential and they have nothing to do with security per se.

    In the professional version of WP Cerber, there are several additional 2FA settings you do not have in the free version. E.g. trust this device for X days, although it’s implemented a bit differently.

    Next, please note that TOTP is a form of 2FA. Some people like TOTP, some prefer traditional 2FA codes. As an additional security measure, they are similar.

    Regarding the front-end 2FA settings, this feature is already in WP Cerber’s backlog.

    WP Cerber does not support third-party login forms. There is no such goal. Instead, we will offer a new feature soon. Stay tuned.

    Thread Starter joroabv

    (@joroabv)

    Hi,
    1. We most certainly are fully ok to pay for such kind of features. We’re currently using the free version as we’re more or less evaluating different options yet, but probably will go with the paid WP Cerber anyway, when we go to production of our project, as it is our main contender for now.
    2. I’ve checked the documentation (when I was looking if TOTP is supported in the paid version) and the options there are certainly very nice, but can’t compensate for the lack of TOTP. It is the de facto standard nowadays and I strongly believe you should offer it (along with 10 recovery codes). You’re right that many people prefer email (or can’t handle TOTP), I know this from my own experience, that’s why it should be configurable – which one primary and which one secondary (if at all), but this can’t be a reason not to offer it as an option.
    3. Frontend settings – this is good news.
    4. 3rd party forms – now this is certainly “bells and whistles”, so I just mentioned it as nice to have. The reasoning behind it – it would allow a fully custom login experience, that’s all.

    Stay safe and keep up the good work.

  • The topic ‘Built in 2FA is lacking badly’ is closed to new replies.