Page 1 of 1

2FA

Posted: 05 Nov 2022, 18:44
by ed_f
do you have 2FA on your joblist? would be a good thing - best with authenticator (6digits).

Re: 2FA

Posted: 06 Nov 2022, 01:37
by mjau-mjau
This would be a welcome feature of course. Realistically, it would be part of X4, in our files.gallery app, once it is entirely adapted to be used as the future X3 control panel.

Re: 2FA

Posted: 21 May 2025, 06:15
by ed_f
as this still does not exist I have 2 questions: would that really be needed, is it really necessary? how are other website-accesses secured?

Re: 2FA

Posted: 21 May 2025, 22:27
by mjau-mjau
ed_f wrote: as this still does not exist I have 2 questions: would that really be needed, is it really necessary? how are other website-accesses secured?
Depends. Personally, I don't use it and don't really need it. Normally, if your password is strong and you don't leak it to anyone, nobody will be able to get past the login. 2FA just provides an additional "paranoid level" security, which makes it virtually impossible. I'm not against it, but it simply might not be necessary.

If you rename the panel to "mysecretpanel", then who is even going to know where it is? Nobody can hack their way into a login-protected area if they have no idea it exists. This isn't useful when there are many users who want to login, but it's an effective additional level of security if you are only one or a few panel users.

Personally, I use Cloudflare access, which is probably at least as secure as 2FA, with the additional layer of Cloudflare securing your website.

Re: 2FA

Posted: 21 May 2025, 23:54
by JMM
mjau-mjau wrote: 2FA just provides an additional "paranoid level" security, ...
I guess then that I'm in the paranoid class... I use 2FA to access my logins on every site that offers 2FA (about 200 or so sites).
mjau-mjau wrote: If you rename the panel to "mysecretpanel", then who is even going to know where it is? Nobody can hack their way into a login-protected area if they have no idea it exists.
Excellent point.  That's exactly what I did a couple of years ago... I changed all of my panel names, and even went as far as having different (unique) panel names for each of my seven X3 sites  :sunglasses:.  And my passwords for all Internet sites that I access are unique, and 70-characters long, ... overkill, yeah, I know, but again, I'm paranoid  :upside_down:.

But I understand why X3 admin logins should be secure without 2FA, provided security precautions are adhered to.

Re: 2FA

Posted: 22 May 2025, 03:56
by mjau-mjau
JMM wrote:
mjau-mjau wrote: 2FA just provides an additional "paranoid level" security, ...
I guess then that I'm in the paranoid class... I use 2FA to access my logins on every site that offers 2FA (about 200 or so sites).
Nothing wrong in being "paranoid" about web security, considering the internet is literally flooded with hackers and malicious bots. It's good practice. My reply was just objectively answered specifically for the question. In reality, if your password is long/strong enough, nobody can hack the X3 login, and if you rename the panel, no hackers will even be trying. Not everybody wants to spend extra time opening an authenticator app on their phone or scanning QR codes every time they want to login, me included. That's why I prefer using Cloudflare and simply obscuring the login (which is something you can take advantage of if there aren't loads of users that need a fixed "known" login url).

But as noted, there is nothing wrong in applying paranoid-level security to all your logins, just for best practice.

Re: 2FA

Posted: 22 May 2025, 17:02
by ed_f
thank you, good points, both. btw: although I am the starter here I do not receive messages about posts, although this thread is in my list of watched topics and notifications as emails are „on“. no, no „spam“ either. what is to be done to get notes?

Re: 2FA

Posted: 22 May 2025, 21:55
by mjau-mjau
ed_f wrote: although this thread is in my list of watched topics and notifications as emails are „on“. no, no „spam“ either. what is to be done to get notes?
Hmm, I might need to look into emails notifications. I'll look into it within a few days ...