In today's digital landscape, relying solely on passwords, even strong ones, can leave your accounts vulnerable. A strong password raises the cost of brute-force guessing, but it offers no protection once it has been phished, reused from another site that was breached, or captured by malware on the client. To significantly bolster the security of your Plesk account, it is highly recommended to implement Multi-Factor Authentication (MFA).

MFA introduces an essential second layer of security to your Plesk authentication process. Beyond your password (the first layer), MFA requires an additional verification step. Currently, this second security layer involves time-based one-time passwords (TOTP), often referred to as verification codes, which are generated by a dedicated MFA application on your smartphone from a shared secret and the current time; the codes change every 30 seconds and are never sent over the network in advance. Throughout this guide, we will use the term "verification codes" to refer to these one-time passwords.

Setting Up Multi-Factor Authentication for Your Plesk Account

Follow these steps to enable and configure Multi-Factor Authentication for your individual Plesk account, ensuring enhanced login security:

  1. Begin by installing an MFA application on your smartphone. Popular choices include Google Authenticator, Microsoft Authenticator, or any other compatible MFA app you prefer.
  2. Navigate to your My Profile section within Plesk. Scroll down until you locate the "Multi-Factor Authentication (MFA)" section, then click on the provided link to proceed with the setup.
  3. On the MFA configuration page, select the "Enable Multi-factor Authentication" checkbox to activate the feature.
  4. A unique QR code will be displayed on your screen. Using the MFA app on your smartphone, scan this QR code. Upon successful scanning, your authentication app will display the hostname of your Plesk server. Typically, apps like Google Authenticator will show a 6-digit verification code directly below the hostname. Other MFA applications might require you to tap the hostname to reveal the code.
  5. Enter the verification code generated by your MFA app into the designated field in Plesk.
  6. For added convenience, if you wish to avoid entering a verification code every time you log in from a trusted device, check the "Enable the 'Remember Device' feature" checkbox.
  7. Important Warning: Only enable the "Remember Device" feature on a personal device that you completely trust and control. Enabling this feature on a public or shared device could potentially allow unauthorized third parties to gain access to your Plesk account without a verification code.

    If you choose to enable the "Remember Device" feature, your browser will remember your device for a specified number of days. During this period, you will not be prompted for a verification code when logging in from that particular device. However, once this period expires, or if the browser's stored site data (the cookie that marks the device as remembered) is cleared, you will be required to enter a verification code again. Note that "Remember Device" only skips the verification code; the password is still required on every login.

  8. When logging into Plesk from a new or unrecognized device after enabling the "Remember Device" feature, you will still be prompted to enter a verification code. You will also notice a checkbox labeled "Remember this device for n days" (where 'n' represents the number of days you previously specified).
  9. To ensure this "Remember this device" checkbox is automatically selected by default each time you log in from a new device, check the "Preselect the 'Remember Device' checkbox" option.

    [Screenshot: Plesk MFA Preselect Option]

  10. Finally, click OK to save your settings and complete the MFA setup.

    [Screenshot: Plesk MFA Setup Confirmation]

Congratulations! You have successfully configured Multi-Factor Authentication for your Plesk account. From now on, you will be prompted to enter a verification code from your MFA app during the login process, significantly increasing your account's security.

[Screenshot: Plesk MFA Authentication Prompt]

Enforcing Multi-Factor Authentication Across All Plesk Accounts

Plesk facilitates MFA through its dedicated Multi-Factor Authentication (MFA) extension. This extension is typically installed by default as part of the recommended Plesk preset, allowing any Plesk account owner to independently configure MFA for their own account.

However, for environments requiring a higher level of security, administrators may choose to enforce MFA usage across all Plesk accounts. This enforcement can be configured with or without an option for users to bypass the MFA setup during login. When MFA is strictly enforced without a bypass option, users will be unable to log into Plesk until they have successfully configured MFA for their account.

Important Note: Please be aware that enforcing MFA applies universally. There is currently no granular control to enforce MFA for specific accounts or account types while excluding others. The configuration steps outlined below will mandate MFA for all Plesk accounts, including your own administrator account.

Steps to Enforce MFA Usage:

  1. First, ensure that you have set up logging into Plesk with verification codes for your administrator account by following the procedure detailed in the "Setting Up Multi-Factor Authentication for Your Plesk Account" section above.
  2. Locate and open the panel.ini file for editing. This crucial configuration file is typically found at:
    • (For Plesk on Linux) /usr/local/psa/admin/conf/panel.ini
    • (For Plesk on Windows) %plesk_dir%admin\conf\panel.ini
    Alternatively, you can conveniently edit this file directly within the Plesk interface using the Panel.ini Editor extension.
  3. Based on your desired enforcement scenario, add the following lines to the panel.ini file, and then save your changes:
    • To Enforce MFA Without a Bypass Option:

      This configuration requires all users to set up MFA before they can access Plesk. Access will be denied until MFA is configured.

      [ext-mfa]
      enforce = true
      allowSkipEnforce = false

      When a user attempts to log in to a Plesk account that has not yet had MFA set up, they will encounter the following message. They will not be permitted to proceed with using Plesk until MFA has been fully configured for their account.

      [Screenshot: Plesk MFA Enforcement Without Bypass]

    • To Enforce MFA With a Bypass Option:

      This configuration encourages MFA setup but allows users to temporarily bypass it, though they will be prompted on each login until MFA is configured.

      [ext-mfa]
      enforce = true
      allowSkipEnforce = true

      If a user attempts to log in with a Plesk account that lacks MFA setup, they will see the message below. In this scenario, unlike the strict enforcement, they retain the option to skip the MFA setup and proceed to use Plesk. However, they will continue to see this reminder message with every subsequent Plesk login until MFA is properly configured for their account.

      [Screenshot: Plesk MFA Enforcement With Bypass]

  4. (Optional) After enforcing MFA usage, users will be presented with one of the two messages depicted in the screenshots above, which includes a link to a relevant Knowledge Base article. This article provides further details on how MFA functions and its benefits for enhancing security.

    Should you wish to direct users to an alternative source of information regarding MFA, you can customize the "Learn More" URL. To do this, add the learnMoreUrl key to the [ext-mfa] section of panel.ini, replacing the example URL with your desired link, and then save the file. If the [ext-mfa] section already exists from step 3, add the key under that section rather than creating a second [ext-mfa] header. Keep the comment on its own line: in an ini file a semicolon starts a comment, so do not place it on the same line as the value.

    [ext-mfa]
    ; Replace the example URL with the web page you want the "Learn More" link to open
    learnMoreUrl = https://example.com
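When the enforcement settings in steps 2 to 4 have to be applied to more than one server, hand-editing panel.ini does not scale and is easy to get subtly wrong (a second [ext-mfa] header, or a key written in the wrong case). The following is an added example, not a Plesk tool: it rewrites the [ext-mfa] section line by line so that existing sections and comments survive unchanged, then reads the result back to confirm the policy that Plesk would see. The sample panel.ini content is constructed for the example; the key names and values are the ones documented above, and the file path is the Linux one from step 2.

```python
import configparser
import io

MFA_SECTION = "ext-mfa"

# Constructed sample panel.ini, not copied from any server: an existing
# section and a comment that must survive untouched, and no [ext-mfa] yet.
SAMPLE_PANEL_INI = """; constructed example panel.ini
[log]
filter.priority = 3
"""


def set_mfa_policy(ini_text, enforce, allow_skip, learn_more_url=None):
    """Return panel.ini text with the [ext-mfa] keys set.

    Edits in place: existing keys in [ext-mfa] are replaced (case-sensitive,
    as PHP ini keys are), missing keys are appended to the section, and the
    section is created at the end of the file if absent. Other sections and
    comment lines are passed through unchanged.
    """
    wanted = {
        "enforce": "true" if enforce else "false",
        "allowSkipEnforce": "true" if allow_skip else "false",
    }
    if learn_more_url is not None:
        if not learn_more_url.startswith("https://"):
            raise ValueError("learnMoreUrl should be an https:// URL")
        wanted["learnMoreUrl"] = learn_more_url

    out, written = [], set()
    in_mfa = seen_mfa = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_mfa:  # leaving [ext-mfa]: add any keys it did not have
                out.extend(f"{k} = {v}" for k, v in wanted.items() if k not in written)
            in_mfa = stripped[1:-1].strip() == MFA_SECTION
            seen_mfa = seen_mfa or in_mfa
            out.append(line)
            continue
        if in_mfa and "=" in stripped and not stripped.startswith((";", "#")):
            key = stripped.split("=", 1)[0].strip()
            if key in wanted:
                out.append(f"{key} = {wanted[key]}")
                written.add(key)
                continue
        out.append(line)
    if in_mfa:  # [ext-mfa] was the last section
        out.extend(f"{k} = {v}" for k, v in wanted.items() if k not in written)
    if not seen_mfa:
        if out and out[-1].strip():
            out.append("")
        out.append(f"[{MFA_SECTION}]")
        out.extend(f"{k} = {v}" for k, v in wanted.items())
    return "\n".join(out) + "\n"


def get_mfa_policy(ini_text):
    """Parse panel.ini the way a reviewer would check it after the edit."""
    cp = configparser.ConfigParser(
        interpolation=None,          # URLs and '%' must not be expanded
        strict=False,                # tolerate duplicate keys in real files
        allow_no_value=True,
        inline_comment_prefixes=(";",),  # PHP ini treats ';' as a comment
    )
    cp.optionxform = str             # keep "allowSkipEnforce" case intact
    cp.read_string(ini_text)
    if not cp.has_section(MFA_SECTION):
        # No section: enforcement is opt-in, so it is off.
        return {"enforce": False, "allowSkipEnforce": None, "learnMoreUrl": None}
    sec = cp[MFA_SECTION]
    flag = lambda k: None if sec.get(k) is None else sec.get(k).strip().lower() == "true"
    return {"enforce": bool(flag("enforce")),
            "allowSkipEnforce": flag("allowSkipEnforce"),
            "learnMoreUrl": sec.get("learnMoreUrl")}


if __name__ == "__main__":
    # Assumed path from step 2 (Linux); on Windows use %plesk_dir%admin\conf\panel.ini.
    path = "/usr/local/psa/admin/conf/panel.ini"
    updated = set_mfa_policy(SAMPLE_PANEL_INI, enforce=True, allow_skip=False)
    print(f"would write to {path}:\n{updated}")
    print(get_mfa_policy(updated))
```

Run it once with the bypass option (allow_skip=True) while users enrol, confirm with get_mfa_policy that the file says what you intend, and only then switch to allow_skip=False; the check in get_mfa_policy reports allowSkipEnforce as None when the key is absent, because the page does not state what the extension assumes in that case.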