This new feature allows any DirectAdmin account to require Two-Step Authentication using a time-based code from a smartphone app (eg: Google Authenticator, FreeOTP, Authy, etc).

Access this feature from:
Password Icon -> Two-Step Authentication

Once you have a "Secret" created, scan the barcode into the Authenticator App on your smartphone. Enable the feature, and future logins will require the temporary code generated by the App, entered on a 2nd page after a successful user/password login.

You can also optionally create one-time-use "Scratch Codes", which can be printed and kept somewhere safe. These scratch codes are a backup, in case your phone is not available to generate the code. A scratch code is only valid for one use, then it is removed from the list of codes. The scratch code can be entered into the same "Code" field when logging into DA.

Information on the importance of Two-Factor Authentication can be found here:
http://comparitech.net/2fa

------------------

Similar to the "Security Questions" feature, which can also be enabled at the same time for 3 layers of protection:
http://www.directadmin.com/features.php?id=1439

directadmin.conf settings:

twostep_auth=0|1
default 1

block_ip_after_failed_twostep_auth=0|1|2
default 0

max_twostep_auth_attempts=5
twostep_auth_discrepancy=1
twostep_auth_trust_days=30

Functionality for these 3 variables is identical to id=1439.

The twostep_auth_discrepancy value should be a positive integer representing the number of 30-second time slices you can be off by (before or after). So the default of 1 allows a code to be valid 30 seconds before and 30 seconds after the phone's timer has finished counting down. DA's "Test Code" button may show you a message about the code being valid, but for a different time. If, for example, you see the time discrepancy as "-4", that means your code expired 2 minutes ago.

If you can't fix your server's time, then change this setting to "4" (positive 4), and DA will allow a wider range of -4 to +4 for logins. This is also useful if someone's phone time isn't accurate.

The twostep_auth_trust_days=30 value represents the duration that a trusted cookie is allowed to live in the client's browser. A trusted device can be un-trusted on the CMD_TWOSTEP_AUTH page. This may make your phone sad, as the server would no longer be its friend.

DA User files:
/usr/local/directadmin/data/users/username/twostep_auth_secret.txt
/usr/local/directadmin/data/users/username/twostep_auth_scratch_codes.list

DA User settings, user.conf:
twostep_auth=yes
twostep_auth_description=user@host.domain.com
notify_on_all_twostep_auth_failures=no

================================
LANG:

new:
lang/en/internal/twostep_auth.txt
----------
update:
lang/en/internal/command.txt

================================
SKINS:
----------
files_user.conf, add:

CMD_TWOSTEP_AUTH=user/twostep_auth.html
CMD_ASK_TWOSTEP_AUTH=user/ask_security_question.html
(this html file is re-used from Security Questions)
IMG_CHECKBOX=images/checkbox.png
IMG_INCORRECT=images/incorrect.png
----------
new files:
user/twostep_auth.html
images/checkbox.png
images/incorrect.png
----------
passwd.html add:

|*if HAVE_TWOSTEP_AUTH="yes"|
<br>
<a href="CMD_TWOSTEP_AUTH">Two-Step Authentication</a>
|*endif|
-----------
style.css add:

.good_twostep_auth_code, .bad_twostep_auth_code
{
    display: inline-block;
    text-align: center;
    background-repeat: no-repeat;
    background-position: bottom;
    min-width: 50px;
    padding-bottom: 50px;
}

.good_twostep_auth_code
{
    background-image: url(IMG_CHECKBOX);
}

.bad_twostep_auth_code
{
    background-image: url(IMG_INCORRECT);
}
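To make the twostep_auth_discrepancy and scratch-code behaviour described above concrete, here is an added Python example (not DirectAdmin's own code) of a standard RFC 6238 TOTP check with a configurable window of 30-second slices, a wide-window "test code" search that reports an offset like DA's "-4", and single-use scratch codes that are removed once consumed. The base32 secret, the scratch-code format (8 random digits) and all function names are constructed for this illustration and are not DA's actual formats.

```python
"""Added example: TOTP verification with a discrepancy window plus one-time scratch codes.
Not DirectAdmin code; secret value and scratch-code format are constructed/assumed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

TIME_STEP = 30      # seconds per time slice (RFC 6238 default; DA counts discrepancy in these slices)
CODE_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second slice."""
    return hotp(secret, now // TIME_STEP)


def match_offset(secret: bytes, code: str, now: int, window: int):
    """Search slices now-window .. now+window and return the first offset whose code
    equals `code`, or None.  A negative offset means the code belongs to the past
    (an offset of -4 is 4 slices = 2 minutes ago); positive means the client's clock is ahead."""
    current = now // TIME_STEP
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter < 0:                     # before the Unix epoch: nothing to compare against
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return offset
    return None


def verify_totp(secret: bytes, code: str, now: int, discrepancy: int = 1) -> bool:
    """Accept only if the code matches within +/- `discrepancy` slices
    (default 1, i.e. 30 seconds either side, like twostep_auth_discrepancy=1)."""
    return match_offset(secret, code, now, discrepancy) is not None


def generate_scratch_codes(count: int = 10, digits: int = 8) -> list:
    """Backup codes from a CSPRNG.  Format (8 decimal digits) is an assumption, not DA's."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]


def consume_scratch_code(codes: list, entered: str) -> bool:
    """Scratch codes are single-use: a matching code is removed so it cannot be replayed."""
    for stored in codes:
        if hmac.compare_digest(stored, entered):
            codes.remove(stored)
            return True
    return False


if __name__ == "__main__":
    # Constructed base32 secret (the value a QR code would carry), not a real account's.
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted now:", verify_totp(secret, code, now))
    stale = now + 4 * TIME_STEP          # the same code tested 2 minutes later
    print("offset reported by a wide test window:", match_offset(secret, code, stale, 10))
    print("accepted with discrepancy=1:", verify_totp(secret, code, stale, 1))
    print("accepted with discrepancy=4:", verify_totp(secret, code, stale, 4))
    codes = generate_scratch_codes(3)
    print("scratch used once:", consume_scratch_code(codes, codes[0]), "left:", len(codes))
```

The window search tries offsets from most negative upward, so a stale code reports its true age rather than a coincidental later match, and every comparison goes through hmac.compare_digest so the check does not leak which digit failed. Widening the discrepancy, as the note above says, is a workaround for clock skew: each extra slice makes more past and future codes acceptable, so fixing server time is the better fix where possible.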