• Monday, September 22, 2025

Weak passwords are highly susceptible to compromise through methods such as brute-force attacks. While strong passwords offer a higher degree of security, they are not entirely foolproof against sophisticated threats.

To significantly bolster the security of your account on the control panel, it is highly recommended to implement multi-factor authentication (MFA) for logging in. Passwords serve as the foundational layer of security; MFA introduces a critical second layer to your authentication process. Currently, this additional security layer typically involves one-time passwords, often referred to as verification codes, which are dynamically generated by a dedicated MFA application on your smartphone. Throughout this guide, we will consistently refer to these as verification codes.

Setting Up Multi-Factor Authentication

To implement multi-factor authentication for your control panel login, follow these detailed steps:

  1. Begin by installing a multi-factor authentication (MFA) application on your smartphone. Popular choices include Google Authenticator, Microsoft Authenticator, or any other compatible MFA app.
  2. Navigate to your user profile settings, typically found under "My Profile". Locate the “Multi-Factor Authentication (MFA)” section and click on the associated link to proceed.
  3. Check the box labeled “Enable Multi-factor Authentication”.
  4. Using your smartphone's MFA app, scan the QR code that is displayed on your screen. You will then observe the hostname of your server appearing within your authentication application. For instance, Google Authenticator typically shows a 6-digit verification code directly beneath the hostname. With other MFA applications, you might need to tap the hostname to reveal the code.
  5. Carefully enter the verification code provided by your MFA app into the designated field.
  6. If you wish to avoid entering a verification code every time you log in from a trusted device, select the “Enable the “Remember Device” feature” checkbox.

    Important Security Note: This "Remember Device" feature should only be enabled on devices that are exclusively yours and are secured. Enabling it on a shared or public device could potentially allow unauthorized third parties to gain access to your control panel account.

  7. When the “Remember Device” feature is active, you will not be prompted for a verification code upon logging in from that specific device for a preset number of days. After this period concludes, or if your browser's cache is cleared, you will be required to enter a verification code once more.
  8. Furthermore, if the “Remember Device” feature is enabled, your browser will retain your device's authentication status for the specified duration. However, should you attempt to log in to the control panel from a different device, you will be prompted to enter a verification code. On such new devices, you will also notice a checkbox labeled “Remember this device for n days”, where 'n' represents the number of days you previously configured.

To ensure this “Remember Device” checkbox is pre-selected by default whenever you log in from a new device, select the “Preselect the “Remember Device” checkbox” option.

  9. Finally, click OK to save your settings.

With these steps completed, multi-factor authentication is now successfully configured for your control panel. Moving forward, each login attempt will require you to provide a verification code from your MFA application, significantly enhancing your account's security.


Enforcing Multi-Factor Authentication Usage Across Accounts

The control panel facilitates MFA implementation through a dedicated Multi-Factor Authentication (MFA) extension, which is typically installed by default as part of the recommended software configuration. With this extension in place, any account owner within the control panel environment has the capability to configure MFA for their individual account.

For administrators seeking to further elevate security standards, there is an option to enforce MFA usage for all accounts across the control panel. This enforcement can be configured with or without the ability for users to bypass the MFA setup. In scenarios where bypassing is not permitted, users will be unable to log in to the control panel without first setting up MFA.

Important Consideration: It is crucial to understand that there is no granular control to enforce MFA selectively for certain accounts or account types while excluding others. The configuration described below will universally apply MFA enforcement to all accounts, including your primary administrator account.

Steps to Enforce MFA Usage:

  1. Before enforcing MFA, ensure you have successfully set up logging in with verification codes for your administrator account by following the procedure outlined in the previous section.
  2. Locate and open the panel.ini configuration file for editing. Its typical locations are:
    • For Linux-based systems: /usr/local/psa/admin/conf/panel.ini
    • For Windows-based systems: %plesk_dir%admin\conf\panel.ini

    Alternatively, this file can often be edited directly within the control panel interface using a configuration editor extension.

  3. Based on your desired enforcement policy, add the following specific lines to the panel.ini file, then save the changes:
    • To enforce MFA without any bypass option:
      [ext-mfa]
      enforce = true
      allowSkipEnforce = false

      When this setting is active, any user attempting to log in to an account without MFA configured will be presented with a mandatory message. They will be prevented from accessing the control panel until they complete the MFA setup process.

    • To enforce MFA with the option to bypass setup:
      [ext-mfa]
      enforce = true
      allowSkipEnforce = true

      In this configuration, users attempting to log in to an account without MFA will still see a prompt. However, unlike the strict enforcement scenario, they will have the option to bypass the MFA setup and proceed to use the control panel. It is important to note that they will continue to see this reminder message with every subsequent login until MFA is properly configured for their account.

  4. (Optional) Upon enforcing MFA, users will encounter one of the two messages described above, which typically includes a link to a knowledge base article. This article usually provides further explanations on how MFA functions and its role in enhancing security.

    If you prefer to direct users to an alternative information source about MFA, you can customize this link. To do so, add a line similar to the following pattern to your panel.ini file, replacing the example URL with your desired web page address, and then save the file:

    [ext-mfa]
    ; Replace with your preferred URL
    learnMoreUrl = https://example.com
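
A way to check which enforcement policy a given panel.ini actually expresses, as an added example (not part of the original guide or of the control panel's own tooling). The function name mfa_policy, its result labels and the sample file are constructed for illustration; reporting a missing allowSkipEnforce as "unspecified" is an assumption, since the guide states no default for it.

```python
import configparser

# Constructed sample: a repeated [ext-mfa] header and an inline ';' comment,
# which is what results from adding both snippets to the same file.
SAMPLE_PANEL_INI = """\
[ext-mfa]
enforce = true
allowSkipEnforce = false

[ext-mfa]
learnMoreUrl = https://example.com ; Replace with your preferred URL
"""

def mfa_policy(ini_text):
    """Classify the [ext-mfa] enforcement policy found in panel.ini text."""
    # strict=False merges repeated sections instead of raising
    # DuplicateSectionError; inline ';' comments are stripped from values.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   inline_comment_prefixes=(";",))
    cp.optionxform = str  # match key spelling exactly as the guide writes it
    try:
        cp.read_string(ini_text)
        if not cp.has_section("ext-mfa"):
            return "not-enforced"
        sec = cp["ext-mfa"]
        enforce = sec.getboolean("enforce", fallback=False)
        skip = sec.getboolean("allowSkipEnforce", fallback=None)
    except (configparser.Error, ValueError):
        return "invalid-value"  # unparsable file or a non-boolean setting
    if not enforce:
        return "not-enforced"
    if skip is None:
        return "enforced-skip-unspecified"  # no default known; review by hand
    return "enforced-skippable" if skip else "enforced-strict"

if __name__ == "__main__":
    print(mfa_policy(SAMPLE_PANEL_INI))
```

Only "enforced-strict" corresponds to the configuration in which users cannot reach the control panel without completing MFA setup; any other result means at least some logins can still proceed with a password alone.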