MFA for users

I would like to add a vote towards MFA / 2FA support in Manager.

This has been requested a few times:

The response from lubos in 2016 was as follows:

That was 7 years ago.

A major benefit of 2FA is that even if someone does know your username and password, and they do know your domain name, they still cannot log in if they’re forced to enter a multi-factor code when logging in from an unrecognised IP address.

Since Manager is an accounting system, the damage that could be done by unauthorised access could be quite harmful to the reputation of a business, and the privacy of their customers.

The only suitable alternative for 2FA that is already available would be for a business to host Manager Server on an internal network and lock it behind a private VPN. However, that is technically complex to set up and maintain, and it only suits those using it for internal use - if clients need to access it as well, it’s not a practical option.

There are a few ways to go about implementing it:

  • The most common (and secure) form of 2FA is an auto-generated code in an app like Authy or Google Authenticator.
  • However, a simpler alternative to implement technically - like sending a code to an email address when a new IP address is detected for a user - would also be a huge step up in security.

Please revisit this as a possibility. I’d love to see at least an email-based implementation.

3 Likes
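
The email-code-on-new-IP flow suggested in the post, sketched as an added example; it is not part of the original post and is not Manager's code. `StepUpLogin`, `send_email`, `CODE_TTL` and `MAX_ATTEMPTS` are hypothetical names and values, and the gate is assumed to run only after the password check has already succeeded.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600       # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5     # wrong guesses allowed per code (assumed value)


class StepUpLogin:
    """Hypothetical second-factor gate for logins from unrecognised IPs."""

    def __init__(self, send_email, clock=time.time):
        self.send_email = send_email  # callable(user, code); delivery is assumed
        self.clock = clock
        self.known_ips = {}           # user -> set of IPs that passed verification
        self.pending = {}             # (user, ip) -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        # Keep only a hash in the pending table, never the code itself.
        return hashlib.sha256(code.encode()).digest()

    def login(self, user, ip):
        """Return 'ok' for a recognised IP, else mail a code and return 'code_required'."""
        if ip in self.known_ips.get(user, set()):
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG-backed 6-digit code
        self.pending[(user, ip)] = [self._digest(code), self.clock() + CODE_TTL, MAX_ATTEMPTS]
        self.send_email(user, code)
        return "code_required"

    def verify(self, user, ip, submitted):
        """Check the emailed code; on success remember the IP for this user."""
        entry = self.pending.get((user, ip))
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[(user, ip)]  # expired or guessed too often: force a new code
            return False
        if not hmac.compare_digest(code_hash, self._digest(submitted)):
            entry[2] -= 1                 # count the failed guess
            return False
        del self.pending[(user, ip)]      # codes are single use
        self.known_ips.setdefault(user, set()).add(ip)
        return True
```

The attempt limit matters as much as the code itself: a 6-digit code with unlimited guesses can be brute-forced, so a code is discarded after `MAX_ATTEMPTS` failures or `CODE_TTL` seconds, whichever comes first.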