Support for multi-factor authentication

This is not a working solution.
The only real long term solutions are either:

  • Possibility to disable Administrator account fully (from another administrator account with MFA)
  • Or enable MFA also for Administrator account
2 Likes

Thanks for the update, but I also think the Administrator needs to have 2FA enabled, otherwise this is not a full solution. Thanks for the update though.
Cheers

Agree with @mulder !

We definitely need to make the Admin account protected by two-factor authentication.

The Admin account is connected to the payment portal and has a huge role in user management.

How can we set the same for Administrator?

@BizProo.com this discussion already made clear you cannot, but we are asking them to consider it. There is no need to spam the forum about it; points made and taken.

I am asking a question, not spamming!

Echoing this as a request, please. If all else fails, allow for disabling web-based authentication for the administrator account. Thank you for your consideration.

For anyone else looking to add a little security, what I have managed to do is basically host my own server, put it behind Cloudflare Zero Trust and turn on device authentication. This way you can even apply a session timeout (missing from manager.io).

Are there any ideas to add any type of 2FA / MFA to Manager logins in the pipeline?

1 Like

And on top of that, is it possible to force minimum password lengths for users (e.g. 8 characters with a number)?

1 Like

And further to this, are there any thoughts on creating session lockouts so that users cannot stay logged in perpetually to a device after logging in once?

1 Like

Hi @fromtheshadows,

It’s recommended that you post each individual question in its own separate post; this way it could get all the attention it needs and might make it into the ideas category.

Anyways,

  1. Yes, there is already an idea to introduce 2FA but it isn’t a priority. See this post Support for multi-factor authentication

  2. There are no password rules in Manager right now.

  3. Auto session control isn’t required since the risk of cookie theft is negligible for the HTTPS protocol. However, manual session control is available for each user. Administrators can also terminate other users’ sessions using the impersonate feature.

I think that auto session control is a must in workplaces where hot-desking is practised or where an open-office policy exists, because accounting data is often seen as sensitive and restricted. Not everyone remembers or finds it convenient to log out and log in over and over again, and as such auto session control mitigates this issue and keeps everyone alert about the type of data they are handling.

I’m not opposed to auto logouts, I’m just providing additional context.

While the case you provide is valid @eko, I still believe that micro-managing sessions to the minute is a bad idea.

One loophole in this is that even if a session is automatically closed, the browser would simply autofill the password again. So until 2FA is implemented, auto logouts are useless.

The workaround (or solution, as I see it) is for the user to log out of the computer.

But to be honest, cookies that expire every 12 hours or so aren’t a bad idea. Since I can’t untangle this topic, I will create a separate idea for it.

1 Like

I would like to add a vote towards MFA / 2FA support in Manager.

This has been requested a few times:

The response from lubos in 2016 was as follows:

That was 7 years ago.

A major benefit of 2FA is that even if someone does know your username and password, and they do know your domain name, they still cannot login if they’re forced to enter a multi-factor code when logging in from an unrecognised IP address.

Since Manager is an accounting system, the damage that could be done by unauthorised access could be quite harmful to the reputation of a business, and the privacy of their customers.

The only suitable alternative for 2FA that is already available would be for a business to host Manager Server on an internal network and lock it behind a private VPN. However that is technically complex to set up and maintain, and it only suits those using it for internal use - if clients need to access it as well, it’s not a practical option.

There are a few ways to go about implementing it:

  • The most common (and secure) form of 2FA is an auto-generated code in an app like Authy or Google Authenticator.
  • However, a simpler alternative to implement technically - like sending a code to an email address when a new IP address is detected for a user - would also be a huge step up in security.

Please revisit this as a possibility. I’d love to see at least an email-based implementation.

4 Likes
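To make the first option above concrete, here is an added example (not Manager’s code, and not code from any poster in this thread) of the time-based one-time password scheme that apps like Authy and Google Authenticator implement (HOTP, RFC 4226, keyed by a 30-second time step as in RFC 6238). The secret, the test time values and the expected codes are the published RFC 6238 SHA-1 test vectors; the ±1-step acceptance window and the replay guard are design choices assumed here, not part of the RFCs’ mandatory text.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamically truncated decimal code."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check with a small clock-drift window and replay protection.

    The window and replay rule are assumptions of this example: a code is
    accepted if it matches the current step or one step either side, and a
    time step that already produced a successful login is never accepted again.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_used_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        current = unix_time // self.step
        matched = None
        for counter in range(current - self.window, current + self.window + 1):
            candidate = hotp(self.secret, counter, self.digits)
            # constant-time compare; keep looping so timing does not reveal which step matched
            if hmac.compare_digest(candidate, code) and matched is None:
                matched = counter
        if matched is None or matched <= self.last_used_counter:
            return False                                  # wrong code, or replay of a used step
        self.last_used_counter = matched
        return True


def new_enrolment_secret(nbytes: int = 20) -> tuple[bytes, str]:
    """Fresh random secret plus the base32 form an authenticator app would be given."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii").rstrip("=")


# RFC 6238 SHA-1 test secret (ASCII "12345678901234567890"), used only as a known-answer check.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET, t, digits=8))          # 94287082, 07081804, 89005924
    v = TotpVerifier(RFC_SECRET, digits=8)
    print(v.verify("94287082", 59), v.verify("94287082", 59))   # True, then False (replay)
```

The drift window matters operationally: a phone whose clock is a few seconds behind the server would otherwise be rejected at every step boundary, while a window wider than one step extends the validity of any single code and should be avoided. The replay guard closes the gap where an attacker who observes a code during its 30-second life tries to reuse it immediately.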

Any updates on MFA / 2FA?

There is 2FA for users but not for Admin, search the forum before posting.

I read the forum! I am asking if and when the admin MFA will be implemented, as this is a serious security issue, and if you read above, people have been asking for it for a few years!