• Friday, December 12, 2025

In today's digital landscape, the security of online accounts is paramount. While strong passwords are a fundamental defense, they are not impervious to sophisticated threats like brute-force attacks. To provide an additional layer of protection, multi-factor authentication (MFA) is highly recommended. MFA introduces a second verification step to your login process, significantly enhancing account security beyond just a password.

Currently, this crucial second layer is typically implemented through one-time passwords, often referred to as verification codes, generated by a dedicated MFA application on your smartphone. These codes serve as a dynamic security token, changing frequently to prevent unauthorized access even if your primary password is compromised.

Enabling Multi-Factor Authentication

To configure your account to use verification codes for login:

  1. Begin by installing a reliable MFA application on your smartphone. Popular choices include various authenticator apps available on app stores.
  2. Navigate to your profile settings, locate the "Multi-Factor Authentication (MFA)" section, and then click the provided link to proceed with the setup.
  3. Select the checkbox labeled “Enable Multi-factor Authentication.”
  4. Using your smartphone's MFA application, scan the QR code displayed on your screen. Your authentication app should then display the hostname of your server. Below this, a verification code (usually a 6-digit number) will appear. Some applications may require you to tap the hostname to reveal the code.
  5. Enter the verification code from your MFA app into the designated field.
  6. If you prefer not to enter a verification code every time you log in from a trusted device, you can select the “Enable the “Remember Device” feature” checkbox.

Important Security Note: Only enable the “Remember Device” feature on personal devices that you control and trust implicitly. Enabling this on a public or shared device could potentially grant unauthorized individuals access to your account.

When the “Remember Device” feature is active, you will not be prompted for a verification code on that specific device for a set number of days. This period resets if you clear your browser cache or once the specified duration expires, after which you will need to re-enter a verification code. If you utilize the “Remember Device” feature and log in from a new device, you will be prompted for a verification code. A checkbox labeled “Remember this device for n days” will also be visible, where 'n' corresponds to the duration you previously configured. To have this option pre-selected by default for all new devices, check the “Preselect the “Remember Device” checkbox.” Click “OK” to finalize the setup.

Upon completing these steps, Multi-Factor Authentication will be successfully configured for your account. From now on, you will be prompted to enter a verification code from your MFA application each time you log in, ensuring an elevated level of security.

Implementing Account-Wide MFA Enforcement

The system utilizes a dedicated extension for Multi-Factor Authentication, which is typically installed by default. This allows any account owner to enable MFA for their individual account. However, for enhanced organizational security, administrators may choose to mandate MFA usage for all accounts, either with or without the option for users to bypass the setup initially. In scenarios where bypass is disallowed, users will be unable to access their accounts until MFA is properly configured.

Administrator Note: When enforcing MFA, the setting applies universally to all accounts, including your administrator account. There is currently no option to selectively enforce MFA for specific accounts or account types.

To enforce MFA usage across all accounts:

  1. First, ensure you have successfully set up MFA for your own administrator account by following the procedure outlined in the previous section.
  2. Locate and open the configuration file for editing. This file is typically found at /usr/local/psa/admin/conf/panel.ini on Linux systems and %plesk_dir%admin\conf\panel.ini on Windows systems. Alternatively, you may use a configuration editor interface if available.
  3. Add the following lines to the configuration file, based on your desired enforcement scenario, and then save the changes:
  • To enforce MFA without the possibility of bypass:
    [ext-mfa]
    enforce = true
    allowSkipEnforce = false

    When a user attempts to log in to an account without MFA configured, they will receive a message indicating that MFA setup is required. Access to the platform will be blocked until MFA is successfully enabled.

  • To enforce MFA with the possibility of temporary bypass:
    [ext-mfa]
    enforce = true
    allowSkipEnforce = true

    In this scenario, users logging into an account without MFA will still see a prompt to set it up. However, unlike the previous case, they will have the option to skip the MFA setup and continue to access their account. This prompt will reappear with each subsequent login until MFA is configured.

(Optional) By default, users presented with an MFA enforcement message will find a link to an article explaining the benefits and functionality of MFA. If you wish to provide an alternative source of information, you can specify a different URL. To do so, add a line similar to the following to your configuration file, replacing https://example.com with your preferred URL, and then save the file:
[ext-mfa]
learnMoreUrl = https://example.com ; Replace with your desired web page URL
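
After saving panel.ini, it helps to confirm which of the two enforcement scenarios above the file actually expresses. The script below is an added example, not part of the product or of the original page; the function name mfa_enforcement_mode, its output labels, and its parsing rules (keys read from every [ext-mfa] section, last value wins, true/on/yes/1 treated as true, text after ";" treated as a comment) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the MFA enforcement mode configured in a panel.ini file.
# Assumptions: keys are read from every [ext-mfa] section, the last value wins,
# true/on/yes/1 count as "true", and text after ';' is a comment.

mfa_enforcement_mode() {
    # $1: path to panel.ini
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    awk '
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
        function truthy(v) { v = tolower(v); return (v == "true" || v == "on" || v == "yes" || v == "1") }
        {
            sub(/;.*/, "")                 # drop full-line and inline comments
            line = trim($0)
            if (line == "") next
            if (line ~ /^\[.*\]$/) {       # section header: track whether we are in [ext-mfa]
                in_mfa = (line == "[ext-mfa]")
                next
            }
            if (!in_mfa) next              # ignore same-named keys in other sections
            eq = index(line, "=")
            if (eq == 0) next
            key = trim(substr(line, 1, eq - 1))
            val = trim(substr(line, eq + 1))
            if (key == "enforce")          { enforce = truthy(val) }
            if (key == "allowSkipEnforce") { skip = truthy(val); skip_set = 1 }
        }
        END {
            if (!enforce)       print "not-enforced"
            else if (!skip_set) print "enforced-bypass-unspecified"
            else if (skip)      print "enforced-bypass-allowed"
            else                print "enforced-no-bypass"
        }
    ' "$1"
}

# Constructed sample: the "without the possibility of bypass" scenario from the page.
sample=$(mktemp)
printf '%s\n' '[ext-mfa]' 'enforce = true' 'allowSkipEnforce = false' > "$sample"
echo "sample panel.ini: $(mfa_enforcement_mode "$sample")"
rm -f "$sample"
```

On a Linux server, call the function with /usr/local/psa/admin/conf/panel.ini as its argument. A result of enforced-bypass-unspecified means enforce is set but allowSkipEnforce is missing, so the bypass behaviour should be stated explicitly in the file.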