Why Doesn’t CPanel Offer Two Factor Authentication?

Earlier this month CPanel announced the release of version 11.48 of their popular Web Hosting Control Panel.

CPanel is one of the most popular hosting control panels available, and its success is largely down to its intuitive interface and ease of use.

The latest version comes with MariaDB databases, increased mailbox sizes on 64-bit installations and reinforced security.

cPanel & WHM 11.48 includes a stronger, more comprehensive security package that incorporates the latest in OWASP ModSecurity rules. With the addition of updates to our brute force protection system, cPHulk, this version promises to be our safest, most secure release to date.

Sadly, despite the advances in security, CPanel still doesn’t offer two factor authentication on its login form. Two factor authentication comes in several forms, but it basically means that you verify who you are in addition to entering your username and password. The second factor is a code, entered into the login form, that the user receives as a text message or from an app on their smartphone. The code has a lifespan measured in seconds before it expires, and it can’t be used again. It affirms that, as well as having the correct username and password (a method increasingly seen as outdated in online security), the user is who they say they are because they have a previously set up way of proving it. A malicious user now needs the correct username, the password and the authenticated user’s mobile / cell phone.

While not 100% foolproof, it is a major additional layer of protection for personal security. It’s available on many online services including banking, social networks, developer tools, domain registrars, e-mail, retail, etc. – the list goes on and continues to grow. For a comprehensive list of the most popular platforms offering two factor authentication see https://twofactorauth.org/.

With much of the hosting / web industry, such as domain registrars, providing two factor authentication, CPanel’s offering is conspicuous by its absence. It also seems bizarre at best that you need to log into CPanel to remotely connect to your hosting’s MySQL service when your home (dynamic) IP address changes, and that there are password strength indicators for new mailboxes – yet you still only need a simple username and password to access your website’s / web hosting’s control panel.

CPanel could, if they wanted to, “piggyback” onto a service such as Google Authenticator in order to cut down on the development costs of providing this. Meanwhile the CPanel community itself has been calling for two factor authentication for over two years.
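The expiring, single-use code described above is what authenticator apps such as Google Authenticator generate: a time-based one-time password (TOTP, RFC 6238). As an added example (not CPanel's code and not part of the original post), this is a minimal server-side check in Python; the `TotpVerifier` class, the one-step drift window and the sample secret (the published RFC 6238 test key) are assumptions for illustration.

```python
import base64, hashlib, hmac, struct, time

STEP = 30      # seconds a code stays valid (RFC 6238 default)
DIGITS = 6     # code length shown by typical authenticator apps
# Constructed sample secret: the RFC 6238 test key, base32-encoded as apps expect.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

def hotp(key, counter):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class TotpVerifier:
    """Checks a submitted code for one account and refuses reuse (hypothetical helper)."""

    def __init__(self, secret_b32, window=1):
        self.key = base64.b32decode(secret_b32, casefold=True)
        self.window = window        # time steps of clock drift tolerated either side
        self.last_counter = -1      # highest time step already accepted

    def verify(self, code, now=None):
        if not (code.isascii() and code.isdigit()):
            return False            # reject malformed input before comparing
        current = int((time.time() if now is None else now) // STEP)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue            # this time step was already used: replay
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False                # wrong, expired or already-used code

if __name__ == "__main__":
    v = TotpVerifier(SAMPLE_SECRET)
    print(v.verify("287082", now=59))    # valid code for t=59 s
    print(v.verify("287082", now=59))    # same code again is refused
```

The secret is shared once with the user's app (usually as a QR code), so the password alone no longer gets an attacker in; the server must store `last_counter` per account for the replay check to survive restarts.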

Personally I feel that this sort of facility is long overdue. What other well known platforms out there are seriously in need of this sort of thing?