Questions about enabling Two-Factor Authentication

[FrankP]

Hello,

I was looking forward enabling 2FA for some accounts on my WHM server, i created accounts by creating domains such as username.user because in the documentation about creating a domainless user there was a warning discouraging people from creating those for administrator accounts as it may break something so i am unsure it was appliable for what i wanted to do so enlightenment on this matter would be appreciated but my main question was :

On this page Two-Factor Authentication for WHM - Version 74 Documentation - cPanel Documentation

There is a warning telling :
Warning:

This feature may cause some third-party applications to break significantly, and may cause applications to improperly store data.

I wanted to know if turning on 2fa and enabling it only on my username.user accounts could potentially present any risks for my other account's websites.
Also, can I enable 2FA on my root account and what would be my strategy if it's 2nd factor was to break? Can other accounts deactivate 2fa for root?

Thank you very much for your time.
If something is unclear feel free to try and reform my question as english is not my first language.

 

[cPanelMichael]

Hello @FrankP,

I wanted to know if turning on 2fa and enabling it only on my username.user accounts could potentially present any risks for my other account's websites.

Two Factor Authentication is only applicable with cPanel and WHM logins at this time. It's not enforced when logging in to other services (e.g. SSH, FTP). Enabling it will not restrict access to individual websites served via Apache.

Also, can I enable 2FA on my root account and what would be my strategy if it's 2nd factor was to break? Can other accounts deactivate 2fa for root?

You could access the server via SSH as root and disable 2FA using the command below:

whmapi1 twofactorauth_disable_policy

Let me know if you have any additional questions.

Thanks!

 

[FrankP]

@cPanelMichael
Thank you, So i guess activating the 2FA for the root account isnt really giving an additionnal layer of security unless SSH was only possible from some IPs then?

 

[cPanelMichael]

Thank you, So i guess activating the 2FA for the root account isnt really giving an additionnal layer of security unless SSH was only possible from some IPs then?

Hello @FrankP,

It adds an additional layer of security to cPanel & WHM access attempts, but it's not applicable to SSH. If you'd like to secure SSH, check out the tips on the document below:

How to Secure SSH - cPanel Knowledge Base - cPanel Documentation

Thank you.

 

[xxwillc]

Hi new to the forum here

I had 2fa on whm tried to disabled it by ssh

mv -v /var/cpanel/authn/twofactor_auth/tfa_userdata.json{,.bak}; echo ‘{}’ >> /var/cpanel/authn/twofactor_auth/tfa_userdata.json

now i'm stuck with err500

 

[cPanelMichael]

Hello @xxwillc,

You can run the following command to disable two-factor authentication:

whmapi1 twofactorauth_disable_policy

Thank you.