Creating/enforcing two-factor authentication for your cPanel is one of the highly recommended steps you must take once your cPanel has been deployed.

2FA makes it harder for hackers to log in even if they successfully steal your password.

Typically, once you have your mobile device and your laptop or computer at hand (you need both to configure two-factor authentication for your account), the steps are as follows:

1. You select, download and install a two-factor authentication app.

Download and install either:

2. From your computer/laptop, you visit either cPanel > Security >> Two-Factor Authentication for cPanel 2FA or the security console for your billing account 2FA to start off the process.

3. You click on the "Get Started" button, then open Authy, Google Authenticator or Microsoft Authenticator and select the "+" sign to add a new account. This opens the barcode scanner.

4. You click on the "Confirm" button to proceed. This will generate a barcode along with a secret key, in case you wish to add the code manually to your app.

5. You take a picture (recommended) using your smartphone camera, or take a screenshot of the generated barcode, and save it in a secure location under a name associated with the account.

This way, you can share the barcode with those you wish to give access to your billing dashboard and control panel since you can log in to your cPanel or Plesk panels via the billing system.

6. You then scan the barcode using the 2FA application you installed previously.

7. After you have scanned the barcode with your app, you will be presented with some numbers.

These numbers change every 20 seconds.

Type the numbers into the box named "Verification Step" and then click the "Confirm" button.

8. You copy the presented backup code and save the backup code under the name of the account in a safe place (crucial) as you will need this in the event you lose access to your phone.

You can search our knowledgebase on how to get this implemented or configured by simply searching for the term "2FA" or "two-factor authentication".

 

cPanel Login Flow:

When you attempt to access your cPanel account, the cPanel login flow goes like this:

  1. You visit https://$domain.com:2083/ where $domain represents your actual domain.
  2. You enter a username and password.
  3. The password you entered is checked against your username first.
  4. If the password matches, the login process next continues to the 2FA stage.

 

So once you have implemented 2FA on your account, the flow differs a bit:

  1. You visit https://$domain.com:2083/ where $domain represents your actual domain.
  2. You enter a username and password.
  3. The password you entered is checked against your username first.
  4. If the password matches, the login process next continues to the 2FA stage.
  5. You open the 2FA app on your device and type in the auto-generated one-time code which changes every 20 seconds.
  6. cPanel grants you access.

Now, every time you (or a malicious actor) try to access these accounts, the one-time code generated by your device will be required.

If the response is incorrect, 2-Factor Authentication (2FA) will prevent the login until a code from the external device is validated.

If, after the implementation, you want to remove 2FA for one reason or another, all you need to do is click Remove Two-Factor Authentication.

 

Lost or Broken Device and 2FA:

But what happens if for some reason the device is lost, broken, or re-configured?

Or if you lose access to the backup code and/or didn't save the barcode that was used to configure the two-factor authentication settings for an account?

The best approach to resolving this is to reach out to our security team so the cPanel's 2FA can be disabled.

Or, if you are with another web hosting service provider, reach out to their support team.

Why?

Well, because enforcement of 2FA is something that the server "root" admin will implement.

And as of this time, there is no other way to deactivate the two-factor authentication as a cPanel user without needing to go through whatever workflow the security team has in place for this scenario.

 

Contacting Security Team To Deactivate 2FA:

Of course, contacting the security team means:

  • verifying that the request is from a customer with the right/permission to make such a request.
  • responding to the verification call (or other account validation procedure(s)) from the SecTeam to prove that you are who you say you are.

Only after these steps have been completed can the request be authorized and the two-factor authentication disabled so that you can log in.

 

What To Do If You Have Root Or Sudo Access:

If you are a private VM, VPS, or bare-metal customer with "sudo" or "root" access, you can remove this even without needing help from the security team.

This assumes that you have added and authorized, on your cPanel & WHM server, an SSH public key from the local machine you normally use to access it.

If you haven't, then you definitely need to contact the support team.

If you have, then all you need to do is to access your cPanel via the command line:

ssh $username@$PublicIPaddress

where:

  • $username is the default username for the instance (this can be root, cloud-user, ec2-user, opc, etc)
  • $PublicIPaddress is the IP address of the remote host machine

Once you are in, run the following, replacing username with the cPanel account's username:

uapi --output=jsonpretty \
    --user=username \
    TwoFactorAuth \
    remove_user_configuration  

You will see something like this as a response:

    {
        "apiversion": 3,
        "func": "remove_user_configuration",
        "module": "TwoFactorAuth",
        "result": {
            "data": {
                "tfa_removed": 1
            },
            "errors": null,
            "messages": null,
            "metadata": {},
            "status": 1,
            "warnings": null
        }
    }

 

If you run the above command as a cPanel user, you will get the following response:

[2023-03-27 23:06:54 +0000] die [uapi] setuids failed: Attempting to setuid as a normal user 
die [uapi] setuids failed: Attempting to setuid as a normal user
exit level [die] [pid=408147] (setuids failed: Attempting to setuid as a normal user

Without going into the details of setuid, the above simply indicates that you have to be either root or a sudoer to run this command.
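One way to script the removal so that the result is checked rather than assumed, as an added example (not part of cPanel): it runs the uapi command shown above and tells the success reply apart from the setuid failure and from an API-level error. The sample strings are constructed from the two responses on this page, and the username pattern is a hypothetical sanity check.

```python
import json, re, subprocess

# Constructed samples, modelled on the two responses shown above.
SAMPLE_OK = ('{"apiversion":3,"func":"remove_user_configuration",'
             '"module":"TwoFactorAuth","result":{"data":{"tfa_removed":1},'
             '"errors":null,"messages":null,"metadata":{},"status":1,'
             '"warnings":null}}')
SAMPLE_DENIED = "die [uapi] setuids failed: Attempting to setuid as a normal user"

def classify(stdout, stderr=""):
    """Return 'removed', 'need_root' or 'failed: <reason>' for uapi output."""
    if "setuids failed" in stdout + stderr:
        return "need_root"  # run as a cPanel user instead of root/sudo
    try:
        reply = json.loads(stdout)
        result = reply["result"]
        status = result["status"]
    except (ValueError, KeyError, TypeError):
        return "failed: unparseable response"
    if (reply.get("module"), reply.get("func")) != (
            "TwoFactorAuth", "remove_user_configuration"):
        return "failed: unexpected API reply"
    if status == 1 and (result.get("data") or {}).get("tfa_removed") == 1:
        return "removed"
    reasons = result.get("errors") or ["2FA configuration not removed"]
    return "failed: " + "; ".join(map(str, reasons))

def remove_2fa(cpanel_user):
    """Run the removal for one account and classify what came back."""
    # Hypothetical name check; the argument list below also keeps the
    # username out of any shell parsing.
    if not re.fullmatch(r"[a-z][a-z0-9]{0,15}", cpanel_user):
        raise ValueError("unexpected cPanel username")
    proc = subprocess.run(
        ["uapi", "--output=jsonpretty", "--user=" + cpanel_user,
         "TwoFactorAuth", "remove_user_configuration"],
        capture_output=True, text=True)
    return classify(proc.stdout, proc.stderr)

if __name__ == "__main__":
    print(classify(SAMPLE_OK))          # reply copied from a successful run
    print(classify("", SAMPLE_DENIED))  # the setuid failure
```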

 

Note that this action will remove your account's existing 2FA configuration.

Thus any existing 2FA earlier configured will no longer be valid.

Once you have gotten the confirmation that 2FA has been disabled:

  • remove the old saved barcode from wherever you saved it
  • access your cPanel
  • scroll down to cPanel > Security >> Two-Factor Authentication
  • reconfigure 2FA, taking into account the lessons of the past

 

If you are doing this for your "root" account, use the command below to regain access:

whmapi1 twofactorauth_remove_user_config user=root

 

To disable 2FA on the machine:

whmapi1 twofactorauth_disable_policy

 

To enable or re-enable the two-factor authentication (2FA) security policy on the server:

whmapi1 twofactorauth_enable_policy

If you need help getting this done, just let the security team know.
