Two-Factor Authentication in SPanel

It’s always a bit shocking to find out that one (or more) of your online accounts has been compromised because hackers have managed to guess your passwords. The truth is, in most cases, this sort of incident should surprise no one.

Statistics show that as many as 1 in 4 users are prone to protecting their online accounts with passwords like “123456” or “qwerty”. This really makes hackers’ lives easier. We don’t want that, so we’ve been working on a proven security feature that protects our SPanel users.

It’s called two-factor authentication (or 2FA), and it’s now available on all VPS solutions running our proprietary control panel.

What is Two-Factor Authentication?

Usernames and passwords have been around since the 1960s and are an integral part of our online lives. Even now, so many decades after they first appeared, we still use them for anything from checking our emails to managing our money.

However, in recent years, we’ve realized that passwords are not perfect, and we’ve been looking at additional methods for keeping our online data safe. Two-factor authentication is still a relatively new concept, but its popularity is growing, and more and more vendors are starting to implement it.

Its name comes from the fact that the system verifies your identity after taking into consideration not one but two factors. In addition to the username and password, you need to provide a second piece of information when logging in. Usually, it consists of a temporary code that, in SPanel’s case, is generated by a smartphone application.

Therefore, the 2FA feature verifies that you are who you say you are by confirming that you have access to (and can unlock) your smartphone.

Why Do We Need Two-Factor Authentication?

Put simply, we need two-factor authentication because people are not very good with passwords.

The average internet user has close to 100 online accounts, and there’s absolutely no way anyone would be able to create and memorize so many strong and unique passwords.

That’s why many users opt for easy-to-type and -remember strings like “123456”. Needless to say, these passwords can be cracked in the blink of an eye. Other users try a bit harder and use things like their dogs’ names, which isn’t really helping.

During their brute-force attacks, hackers employ lists with millions of entries consisting of both common passwords and popular words we use in our everyday lives. Their botnets can make hundreds of thousands of guesses every second, so it won’t be long before your favorite sports team’s name comes up.

Some people understand that only truly random passwords can protect your account effectively. They put time and effort into creating and memorizing a suitably strong password, but they then go ahead and use it on all their accounts.

The problem with this is that a data breach at one online service exposes details that can lead to the compromise of accounts at multiple others. In fact, this type of brute-forcing is so common, it has its own technical term – credential stuffing.

You can find password management solutions that encrypt and store all your passwords in a single place, but adoption levels show that people are still not used to the “all eggs in one basket” approach.

The problem is clear enough, and so are the reasons behind it. Many people say that the only way to solve it is to find a better alternative to the username-and-password system. However, at this point, we simply don’t have it, so the only thing we can do is introduce another component to the verification process. This is what 2FA does.

With two-factor authentication, hackers can’t compromise your account with a simple username-and-password combination. They need additional data that should be inaccessible to them if the 2FA system is implemented correctly.

For example, the code (sometimes referred to as token) you’ll need to provide in order to log in to your SPanel account is generated on your smartphone. When 2FA is activated, your phone and SPanel use complex cryptography to synchronize the tokens without transmitting them over the internet. Hackers can’t intercept or guess the codes because they are refreshed every 30 seconds.

Let’s see how it works in action.

How To Use SPanel’s 2FA Feature

Our new two-factor authentication feature is available to anyone on an SPanel server. This includes administrators, account owners, sub-users, and even webmail users. To make the option available, you simply need to flick a toggle switch inside SPanel’s admin area.

Enabling 2FA in SPanel

Log in to your SPanel Admin account and go to Server Settings. Enable the Two-Factor Authentication (2FA) toggle and click Apply to make the option available for people with access to your server.

Bear in mind that this only activates the feature on the VPS. It’s up to admins and account owners to decide whether they want to use it. You can also use the two toggle switches below to make 2FA a part of your security policy.

With the first one, all admin accounts, including yours, will be forced to use two-factor authentication. The second toggle switch enables 2FA for all other users. This includes account owners, sub-users, and people who check their emails via SPanel’s Webmail feature.

If 2FA is not enforced, every admin user, account owner, and sub-user can enable it by clicking on their username in the top-right corner of the screen and selecting Manage 2FA.

Here’s what it looks like in the Admin Interface:

And this is what you see in the User Interface:

Webmail users can turn on 2FA on their own by going to the Webmail login page and deselecting the Automatically load Rainloop webmail checkbox.

After they enter their email address and password, they’ll see a list of options for controlling various aspects of their email accounts. Among them is the 2FA option.

The interface is the same for all users, and it’s about as simple as it gets. You have a single toggle switch and a Save button.

If you have full access to the Admin Interface, you can enable 2FA for individual users. Simply open the Actions drop-down next to the account you want to modify and select Manage 2FA.

Similarly, if you own an SPanel user account, you can enable 2FA for sub-users from the Manage Users section.

Using 2FA in SPanel

Configuring your phone to generate 2FA tokens is just as straightforward. Your first job is to install a 2FA application on your phone or tablet. There are a few alternatives, but unless you have personal preferences for a particular one, Google Authenticator is probably your best bet. It’s available on Google Play and the App Store, it’s lightweight, and it’s easy to install.

With the app set up on your phone, you can go back to SPanel, enable the 2FA toggle switch, and click Save.

SPanel will load a new page with a setup key and a QR code.

Open Google Authenticator on your mobile device and click the + button in the bottom right corner. You can enter the setup key manually, but if you have a working camera, you’ll most likely prefer to scan the QR code.

The QR gives Google Authenticator all the required information, and the app starts generating 2FA tokens immediately.

Next to your token, there’s an indicator showing you how much time you have before it refreshes.

The last thing you need to do to activate two-factor authentication for your account is to enter a valid 2FA token in the field below the QR code SPanel displays.

With two-factor authentication enabled, SPanel will ask you for a valid 2FA token every time you try to log in to your account.

Conclusion

The humble password has failed us far too many times to be considered a secure form of authentication, especially now, when password cracking tools and spilled login credentials are so easy to come by. However, for all its faults, we’re unlikely to see the back of the traditional login system any time soon.

That’s why we need all the help we can get to make it more secure. Two-factor authentication may not solve all your security problems, but it could very well be enough to stop an advanced brute-force attack.

In light of this, it makes no sense to ignore it.

FAQ

Q: What is two-factor authentication?

A: Two-factor authentication (or 2FA) is a security mechanism implemented during the login process that requires an additional token before it signs you into your account. This token usually comes in the form of a temporary code sent to you via email or text message or generated by an application on your smartphone.

With 2FA enabled, the username and password combination isn’t enough to give you access to your account.

Q: Is 2FA available for all SPanel users or for admins only?

A: Two-factor authentication can be used by everyone on an SPanel server, including admins, account owners, and sub-users. It can even be used for webmail logins. As a server owner, you can activate 2FA for individual accounts or force it on users or admins.

Q: How are SPanel 2FA tokens generated?

A: SPanel uses six-digit codes generated by Google Authenticator (or another compatible application) – a 2FA mobile application designed specifically for this purpose. You can configure Google Authenticator to work with your SPanel account simply by scanning a QR code.