#40813 Admin Protection Username and PW applied---but does not work

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version: n4.4.3
PHP version: 8.3
Admin Tools version: 7.5.4

Latest post by nicholas on Tuesday, 11 June 2024 01:17 CDT

Telemachus

Hello Team Akeeba!

An issue and a question:

1. Issue. I have completed the username and PW for Administrator password protect. Admin Tools says it is applied, but after signing out, clearing cache and signing back in to administrator, I go right to the administrator with no sign-in required by Admin Tools. It's probably just me, but I don't know how to fix it.

2. Question: I am trying to secure my cPanel with 2FA. All of the methods seem to require a phone, which is a significant single-point failure. What I want for my cPanel security is exactly what you have on the Akeeba sign in. An OTP. But I want the OTP on an email and not restricted to a cell phone so that I can access it from any device signing into my email. Do you know of an app that will OTP protect my cPanel via email confirmation?

Many thanks in advance for your thoughts.

Best,

Ed

nicholas
Akeeba Staff
Manager

1. I just visited the /administrator URL of your site (that's why we ask you the URL to your site when submitting the ticket 😉) and it asks me for a username and password, i.e. it works fine.

What you have to keep in mind is that this feature, as documented, simply enables HTTP authentication for the administrator folder. The HTTP authentication credentials are cached forever by your browser, automatically, without confirmation. That's what all browsers do. You can go to your browser's password manager, find the stored credentials for your site, and delete them. Only then will you get the login dialog again, once before the credentials are cached again.

2. Let me turn the question on its head. "Is there a way to use authenticator codes which synchronise across devices?". Yes, there are several. Password managers like KeePassXC (free, open source), 1Password (subscription-based), or even Apple's Keychain (soon to be called Passwords) can synchronise this information across all devices. KeePassXC encrypted data can be stored on Dropbox, OneDrive, Google Drive, and other similar storage providers, which means that you can get access to it even if you lose your phone. 1Password can be accessed over the web, without even using an application, making it ideal for emergencies. There are plenty more solutions like this such as Bitwarden, LastPass, and so on and so forth.

These solutions are far more secure than receiving a code by email. Yes, we do have code by email as an option on our site, but do remember that we have clients who can just about use Joomla or WordPress enough to maintain a simple site and they're here to get a backup solution to keep it all safe. Some of these folks find using an authenticator app complicated, or don't even have a smartphone (not to mention there are people who deliberately don't have a smartphone).

Finally, I have to note that I have not seen any cPanel feature which would allow you to use any other 2FA method. You'd prefer code by email, I would prefer passkeys as they are far more secure in every way imaginable. Unfortunately, it's up to cPanel to support any of that. When it came to Joomla, I wrote my own code, maintained it for six years, then contributed for free to Joomla when they were in need of a solution like that. I'm afraid doing the same for cPanel is not even remotely possible.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
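
A request from a client that holds no stored credentials shows whether the HTTP authentication described in the reply above is active, regardless of what a browser has cached. The following is an added example, not part of the ticket or of Admin Tools; it runs against a local stand-in server, and the credentials, realm and function names are constructed for the demo.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the local demo only.
USER, PASSWORD = "demo-user", "demo-pass"
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class ProtectedAdmin(BaseHTTPRequestHandler):
    """Stand-in for an administrator folder behind HTTP Basic authentication."""
    def do_GET(self):
        if self.headers.get("Authorization") == EXPECTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"admin login page")
        else:  # no or wrong credentials: challenge the client
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Restricted"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(port, authorization=None):
    """Send one GET and return (status, WWW-Authenticate header)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Authorization": authorization} if authorization else {}
    try:
        conn.request("GET", "/administrator/", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()

def run_demo():
    """Compare a fresh client with one that replays cached credentials."""
    server = HTTPServer(("127.0.0.1", 0), ProtectedAdmin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_port
    try:
        anon = probe(port)                 # fresh client, nothing cached
        cached = probe(port, EXPECTED)     # what a browser sends after caching
        protected = anon[0] == 401 and (anon[1] or "").lower().startswith("basic")
        return protected, anon[0], cached[0]
    finally:
        server.shutdown()
        server.server_close()
```

The fresh client gets the 401 challenge while the client replaying the `Authorization` header gets the page with no prompt, which is the behaviour the original poster saw in a browser that had already stored the credentials.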
