MFA for users

Are there any ideas to add any type of 2FA / MFA to Manager logins in the pipeline?

And on top of that, is it possible to force minimum password lengths for users (e.g. 8 characters with a number)?

And further to this, are there any thoughts on creating session lockouts so that users cannot stay logged in perpetually to a device after logging in once?

Hi @fromtheshadows,

It’s recommended that you post each individual question in its own separate post; this way it could get all the attention it needs and might make it into the ideas category.

  1. Yes, there is already an idea to introduce 2FA but it isn’t a priority. See this post: 2fa for server

  2. There are no password rules in Manager right now.

  3. Auto session control isn’t required since the risk of cookie theft is negligible for the HTTPS protocol. However, manual session control is available for each user. Administrators can also terminate other users’ sessions using the impersonate feature.

I think that auto session control is a must in workplaces where hot-desking is practiced or where an open office policy exists, because accounting data is often seen as sensitive and restricted. Not everyone remembers or finds it convenient to log out and log in over and over again, and as such auto-session control mitigates this issue and keeps everyone alert about the type of data they are handling.

I’m not opposed to auto logouts, I’m just providing additional context.

While the case you provide is valid @eko, I still believe that micro-managing sessions to the minute is a bad idea.

One loophole in this is that even if a session is automatically closed, the browser would simply autofill the password again. So until 2FA is implemented, auto logouts are useless.

The workaround (or solution as I see it) is for the user to log out of the computer.

But to be honest, cookies that expire every 12 hours or so aren’t a bad idea. Since I can’t untangle this topic, I will create a separate idea for it.
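The session behaviour discussed in the posts above (a cookie with an absolute 12-hour lifetime, an automatic idle logout for shared desks, and an administrator ending another user’s sessions) can be illustrated with a small server-side session store. This is added example code, not code from this thread or from Manager. The 12-hour figure comes from the post above; the 15-minute idle limit, the in-memory table and the function names are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Policy values assumed for this example: the thread mentions a 12-hour
# cookie lifetime; the 15-minute idle limit is an illustrative choice.
ABSOLUTE_LIFETIME_SECONDS = 12 * 60 * 60
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    created_at: int   # Unix time the session was issued
    last_seen: int    # Unix time of the last validated request
    revoked: bool = False


class SessionStore:
    """In-memory session table enforcing absolute and idle expiry.

    Tokens are random and opaque; all state lives server-side, so a session
    can be expired or terminated regardless of what the browser still holds.
    """

    def __init__(self, absolute_lifetime: int = ABSOLUTE_LIFETIME_SECONDS,
                 idle_timeout: int = IDLE_TIMEOUT_SECONDS) -> None:
        self.absolute_lifetime = absolute_lifetime
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: int) -> str:
        """Issue a new session token after a successful login."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = Session(user=user, created_at=now, last_seen=now)
        return token

    def validate(self, token: str, now: int) -> Optional[str]:
        """Return the session's user if it is still valid, else None.

        A session ends when any of these holds: it was terminated by an
        administrator, it reached its absolute lifetime (activity does not
        extend this), or the user was idle longer than the idle timeout.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        expired = (
            session.revoked
            or now - session.created_at >= self.absolute_lifetime
            or now - session.last_seen >= self.idle_timeout
        )
        if expired:
            del self._sessions[token]
            return None
        session.last_seen = now  # activity refreshes the idle clock only
        return session.user

    def terminate_user(self, user: str) -> int:
        """Administrator action: end every active session of one user.

        Returns the number of sessions terminated.
        """
        count = 0
        for session in self._sessions.values():
            if session.user == user and not session.revoked:
                session.revoked = True
                count += 1
        return count
```

The absolute lifetime is checked against `created_at`, so steady activity cannot keep a session alive past 12 hours, while the idle clock resets on each validated request. As the post above notes, none of this stops a browser from autofilling a saved password at the next login; expiry limits how long an unattended session stays usable, nothing more.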

I would like to add a vote towards MFA / 2FA support in Manager.

This has been requested a few times:

The response from lubos in 2016 was as follows:

That was 7 years ago.

A major benefit of 2FA is that even if someone does know your username and password, and they do know your domain name, they still cannot log in if they’re forced to enter a multi-factor code when logging in from an unrecognised IP address.

Since Manager is an accounting system, the damage that could be done by unauthorised access could be quite harmful to the reputation of a business, and the privacy of their customers.

The only suitable alternative to 2FA that is already available would be for a business to host Manager Server on an internal network and lock it behind a private VPN. However, that is technically complex to set up and maintain, and it only suits those using it for internal use - if clients need to access it as well, it’s not a practical option.

There are a few ways to go about implementing it:

  • The most common (and secure) form of 2FA is an auto-generated code in an app like Authy or Google Authenticator.
  • However, a simpler alternative to implement technically - like sending a code to an email address when a new IP address is detected for a user - would also be a huge step up in security.

Please revisit this as a possibility. I’d love to see at least an email-based implementation.