The iThemes product is really good. I am debating paying for Pro, mainly for the 2-factor feature. However, as a security professional myself (I specialize in 2-factor), I am surprised that this is only going to support one-time password codes. I have a couple of issues with this, and anyone serious about security would.
a) One-time password codes are vulnerable, especially on mobile or SMS. This is fine, but to mitigate this, you should let the customer choose their target source for authentication (Symantec VIP, Google Authenticator, their own). Given that I have zero idea about how or where your auth service is located, or what policies are in place, it is meaningless to me. Is your auth server in a garage in Russia? I have no idea. You may want to just implement VIP and let people get a mobile app/device from them, or take the Yubico route leveraging U2F.
Ideally I would like the option to use certificates and smart cards. You should let customers, for a fee, define the OCSP their cert/card can authenticate to.
I think otherwise you are going to be pretty outdated fairly soon for a variety of reasons, despite some similar approaches in the market, which will be driven to mature.
Thanks for listening.
No replies to this topic