SOLVED App for Android bypassing 2FA

ijsaul

Member
Feb 19, 2015
8
1
3
cPanel Access Level
Root Administrator
Hello All,

I recently revisited my interest in trying to manage some basic functions for my WHM servers via Android app, and the below one seemed to be decently rated in the Google Play Store. I recalled having read how these apps may not function correctly with 2FA enabled, so I wasn't expecting too much.

However, I was VERY surprised to see that by using this app along with root password alone, I can login and manage quite a few things on both of my serves, COMPLETELY bypassing the need for 2FA.

I was under the impression that two-factor was enforced for all root logins, so how is this possible?

- Removed -
 
Last edited by a moderator:

ijsaul

Member
Feb 19, 2015
8
1
3
cPanel Access Level
Root Administrator
Thank you, I'm certainly aware that the app I posted was not affiliated with cPanel.

I'm wondering how it is possible that this application is bypassing what I thought was a requirement for login, namely 2FA.

This seems like a security concern to me.
 

ijsaul

Member
Feb 19, 2015
8
1
3
cPanel Access Level
Root Administrator
It is enabled, and has been a requirement for login on this server.

What I'm saying is that this application is bypassing my enabled 2FA.

How is bypassing 2FA possible.
 

ijsaul

Member
Feb 19, 2015
8
1
3
cPanel Access Level
Root Administrator
I understand.

Thank you for the direction.

You may want to leave a link to the application with a note, as this app may be a security concern to others, and having this information out there would be useful.

I'll explore with support and provide follow up later on.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,917
2,248
363
Hello @ijsaul,

You'll need to access WHM >> Configure Security Policies to extend the Two-Factor Authentication security policy to API requests. This will ensure it's enforced for third-party applications that make use of API calls for login purposes. You can read more about this option at:

Configure Security Policies - Version 76 Documentation - cPanel Documentation

Let me know if you have any questions.

Thank you.
 
  • Like
Reactions: Infopro