2 factor not being enforced consistently via http

[maestroc]

I switched on two factor the other day both for SSH and for WHM access. I have noticed that if I do not click the logout button in WHM when I am done (just close the window) then the next time I go to log into WHM it doesn't ask me for the second factor. Even if it is many hours since the last time I logged into WHM it asks me for my password but it doesn't ask for the second factor unless I have logged out previously by clicking the logout button.

Surely this isn't the way it is supposed to work? Is there some way to force it to ask for 2nd factor every time regardless?

 

[cPanelMichael]

Hello @maestroc,

WHM is detecting the session-cookie stored in your web browser from the prior successful two-factor authentication attempt. Internal case CPANEL-9113 is open to request an improvement to the two-factor authentication functionality so that users are prompted for both the username/password and two-factor authentication anytime a new authentication attempt is performed. I don't have a time frame or a decision to note on this case at this time, but I've added a link to this forums thread to the case and will update this thread with more information as it becomes available. There's no available workaround to implement this functionality at this time.

Thank you.