Welcome to the forum:
Welcome to the iThemes, PluginBuddy and WebDesign.com forum. We've created several tutorial videos to help get you started with using the forum; please check them out!
Posted 06 May 2014 - 09:54 PM
a) One time password codes are vulnerable, especially on mobile or SMS. This is fine, but to mitigate this, you should let the customer choose their target source for authentication (Symantec VIP, Google Authenticator, their own). Given that I have zero idea about how or where your auth service is located, what policies are in place, it is meaningless to me. Is your auth server in a garage in Russia? I have no idea. You may want to just implement VIP and let people get a mobile app/device from them or take the Yubico route leveraging U2F.
Ideally I would like the option to use certificates and smart cards. You should let customers, for a fee, define the OCSP their cert/card can authenticate to.
I think otherwise you are going to be pretty outdated fairly soon for a variety of reasons, despite some similar approaches in the market, will be driven to mature.
Thanks for listening.