How to configure two-factor authentication on ISPConfig

Procédure

What is two-factor authentication?

Two-factor authentication allows you to secure access to any account with a second barrier other than the password. Among other things, this prevents malicious people from accessing your personal space, even if they have accidentally been in possession of your password.

On ISPConfig, the two-factor authentication method available is OTP (One-Time Password) by email. The OTP code is a small additional password, generated after confirmation of your main password, sent to your email inbox. Authentication to your ISPConfig interface will then require both the access password and access to your email inbox to retrieve the OTP code.

Configuring two-factor authentication using email OTP on ISPConfig

To activate two-factor authentication using an OTP code sent by email, you first need to configure ISPConfig to send system emails. System email is ISPConfig's internal mechanism for sending emails.

From your ISPConfig interface, click on System > Main config (in the Interface section) > E-mail tab :

You will then need to configure the system email sending as follows:

• Administrator email: this will be the sender email box used by ISPConfig. This will also be the recipient mailbox for administrator accounts. To guarantee correct email transmission, the best solution is to use an email box already present on the VPS server. You cannot use a Gmail / Yahoo / ... mailbox in this field because the IP address of your VPS server is not authorised by the SPF of these email providers.
• Name of administrators: this will be the name indicated in the FROM header of the email. You can put whatever you want.
• Use SMTP to send system mails : tick so that ISPConfig entrusts the sending of the email to an SMTP server (if necessary, this will be transmitted via the PHP mail() function).
• SMTP host: the SMTP server which will send the emails. Set this to "localhost" so that ISPConfig uses the SMTP service on your VPS to send the emails.
• SMTP port: the SMTP port of the server responsible for sending the emails. Set this to "25" so that it connects to SMTP port 25 on your VPS.
• Leave SMTP user and SMTP password blank. The SMTP service on your VPS will not require authentication from port 25 when connected locally.

Once you have made the changes, click "Save" to save them.

Enabling two-factor authentication on an ISPConfig user

To enable two-factor authentication on a user, log in to the relevant user account and go to Tools then User Settings, and select"email" in the"Two Factor Authentication" field:

Note:

• If the user is an administrator account, the authentication email will be sent to the administrator email configured in System > Main config > Emails.
• If the user is a customer account, the authentication email will be sent to the customer account email configured in Customer > Edit customer.

How to disable two-factor authentication

If you no longer have access to your ISPConfig account but wish to disable two-factor authentication for this account, go to your phpMyAdmin interface from the URL https://vpsXXXXX.serveur-vps.net:8080/phpmyadmin/ and connect as the "root" user (the MySQL root password is available in the delivery email for your VPS server).

From the dbispconfig database, click on SQL and execute the following SQL query:

UPDATE sys_user SET otp_type = 'none' WHERE username = 'admin';

(replace admin with another username if you wish to disable for another user)

Then click Run. That's it, two-factor authentication is deactivated for this user.