
Two-Factor Authentication & Login Security --- Complete Guide

admin

Administrator
Staff member

This guide covers all authentication and login security features in Panelica --- setting up 2FA, managing sessions, password security, API keys, and High Security Mode.

Two-Factor Authentication (2FA)

Panelica supports Time-based One-Time Password (TOTP) two-factor authentication, compatible with Google Authenticator, Authy, Microsoft Authenticator, and any TOTP app.

Why Enable 2FA?
Even if your password is compromised, an attacker cannot log in without the 6-digit code from your authenticator app. 2FA is strongly recommended for all users, especially ROOT accounts.

---

Setting Up 2FA

Step 1: Go to your Profile (click your avatar in the top right) > Settings.

Step 2: In the Security tab, find the Two-Factor Authentication section and click Enable 2FA.

Step 3: A modal opens with a QR code. Scan it with your authenticator app:
  • The QR code is generated locally by the server (no Google dependency)
  • A manual entry code is shown below the QR code if you can't scan
  • The QR code is 256x256 pixels with a white background for easy scanning

Step 4: Enter the 6-digit code from your authenticator app in the verification field.

Step 5: Click Enable. If the code is correct, 2FA is activated.

Step 6: Save your backup codes! A modal appears with 10 one-time backup codes:
  • Each code can only be used once
  • Store them in a secure location (password manager, printed paper in a safe)
  • Click Copy All Codes to copy them to clipboard
  • If you lose your authenticator and backup codes, you'll be locked out

---

Logging In with 2FA

When 2FA is enabled, the login flow becomes:

  1. Enter your username and password on the login page
  2. If credentials are valid, a 2FA verification page appears
  3. Enter the 6-digit code from your authenticator app
  4. Alternatively, click Use Backup Code to enter one of your backup codes
  5. If the code is valid, you're logged in

Important notes:
  • Codes refresh every 30 seconds
  • There's a small time window tolerance (the previous and next codes are also accepted)
  • After too many failed attempts, you'll be temporarily locked out
  • Backup codes are one-time use --- once used, that code is consumed

---

Disabling 2FA

Step 1: Go to Profile > Settings > Security tab.

Step 2: Click Disable 2FA.

Step 3: Enter your current 2FA code to confirm.

Step 4: 2FA is removed from your account.

---

Password Management

Changing Your Password:

  1. Go to Profile > Settings > Security tab
  2. Click Change Password
  3. Enter your current password
  4. Enter and confirm your new password
  5. A password strength indicator shows weak/medium/strong
  6. Click Update

Password Requirements:
  • Minimum length enforced by your plan's security policy
  • Strength meter evaluates complexity
  • Common passwords are rejected
  • Passwords are hashed with bcrypt (never stored in plain text)

---

Session Management

Go to Profile > Settings > Sessions tab.

This tab lists all your active sessions across devices. Each session shows:
  • Device --- Browser name and operating system
  • Location --- City/country based on IP (GeoIP)
  • IP Address --- The connecting IP
  • Last Active --- When the session was last used
  • Current --- A green badge on your current session

Revoking a Session:
  1. Click Revoke on any session (except your current one)
  2. A confirmation modal shows the device, location, and IP
  3. Click Confirm Revoke
  4. That session is immediately terminated --- the user on that device is logged out

Security Tip: Review your sessions regularly. If you see an unfamiliar device, location, or IP, revoke it immediately and change your password.

---

API Keys

Go to Profile > Settings > API Keys tab.

API keys allow programmatic access to Panelica's API without using your password.

Creating an API Key:
  1. Click Create API Key
  2. Enter a name for the key (e.g., "Monitoring Script")
  3. Select permissions:
    • domains:read --- Read domain information
    • domains:write --- Modify domains
    • users:read --- Read user information
    • users:write --- Modify users
  4. Set expiry: Never, 30 days, 60 days, or 90 days
  5. Click Create
  6. Copy the generated key immediately --- it won't be shown again

Managing API Keys:
  • View all your active API keys
  • See last used date and expiry
  • Delete keys that are no longer needed

---

High Security Mode (ROOT Only)

High Security Mode adds an extra layer of protection for ROOT users. When enabled, certain sensitive pages require 2FA verification within the current session.

How it works:
  • ROOT must have 2FA enabled first
  • When accessing a protected page, a 2FA prompt appears
  • After verification, the session is marked as "high security verified"
  • Protected pages include: User management, Panel settings, System configuration

Protected Page Actions:
  • Pages can be set to "read-only" without 2FA (view but can't modify)
  • Or "blocked" without 2FA (can't even view)
  • Configuration is per-page and per-role

---

Login Security Features

JWT Authentication:
  • Access tokens expire after 15 minutes
  • Refresh tokens last 7 days (stored as httpOnly cookies)
  • Tokens auto-refresh 5 minutes before expiry
  • Refresh tokens are rotated on each use (old token invalidated)
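An added illustration of the token rules listed above, using the guide's 15-minute, 7-day and 5-minute figures; this is not Panelica's implementation, and the in-memory store is a constructed stand-in for a real database. It goes one step beyond the list in one respect: when an already-rotated (invalidated) refresh token is presented again, it revokes every token descended from that login, a common way of acting on the "old token invalidated" rule.

```python
import secrets
from typing import Dict, Optional

ACCESS_TTL = 15 * 60            # access tokens expire after 15 minutes (guide)
REFRESH_TTL = 7 * 24 * 60 * 60  # refresh tokens last 7 days (guide)
REFRESH_AHEAD = 5 * 60          # clients refresh 5 minutes before expiry (guide)


def needs_refresh(access_expires_at: float, now: float) -> bool:
    """Client-side rule: refresh once the access token is within 5 minutes of expiry."""
    return now >= access_expires_at - REFRESH_AHEAD


class RefreshTokenStore:
    """Constructed in-memory registry of refresh tokens.

    Every token belongs to a 'family' (one family per login). Rotation marks the
    presented token as used and issues a fresh token in the same family.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, dict] = {}

    def issue(self, user: str, now: float, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)          # opaque, unguessable value
        self._tokens[token] = {
            "user": user,
            "family": family or secrets.token_hex(8),
            "expires": now + REFRESH_TTL,
            "used": False,
        }
        return token

    def revoke_family(self, family: str) -> None:
        """Invalidate every token descended from one login."""
        for rec in self._tokens.values():
            if rec["family"] == family:
                rec["used"] = True

    def rotate(self, token: str, now: float) -> Optional[str]:
        """Exchange a live refresh token for a new one; return None when it must be refused."""
        rec = self._tokens.get(token)
        if rec is None or now >= rec["expires"]:
            return None                            # unknown or expired
        if rec["used"]:
            # An already-rotated token came back, so a second party holds a copy.
            # Ending the whole family logs out both the legitimate and the copied session.
            self.revoke_family(rec["family"])
            return None
        rec["used"] = True                         # old token invalidated on use
        return self.issue(rec["user"], now, rec["family"])
```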

Rate Limiting:
  • Failed login attempts are rate-limited
  • After too many failures, the IP is temporarily blocked
  • Fail2ban integration automatically bans brute-force attackers

Session Security:
  • Sessions track: IP address, user agent, GeoIP location
  • Multiple simultaneous sessions are allowed
  • Sessions can be revoked individually
  • All sessions are revoked on password change

Impersonation (Admin Feature):
  • ROOT/ADMIN can "impersonate" a user to see the panel from their perspective
  • An orange banner shows "Impersonating: username" at the top
  • Click "End Impersonation" to return to your account
  • All actions during impersonation are logged in the audit trail

---

Troubleshooting

Problem: 2FA code not accepted
  • Check that your device's clock is accurate (TOTP is time-based)
  • Make sure you're entering the code for the correct account
  • Try the next code that appears (codes change every 30 seconds)
  • Use a backup code if available

Problem: Locked out of account with 2FA
  • Use a backup code to log in
  • If you don't have backup codes, contact your server administrator
  • ROOT users: The server admin can disable 2FA via the CLI

Problem: QR code won't scan
  • Increase screen brightness
  • Try the manual entry code shown below the QR code
  • Make sure your authenticator app supports TOTP (most do)

Problem: Session showing unfamiliar location
  • GeoIP data may be inaccurate (VPN, mobile networks)
  • If genuinely suspicious: revoke the session, change password, enable 2FA
  • Check IP Blocking > Failed Attempts for related activity

---

Best Practices

  1. Enable 2FA on all accounts --- Especially ROOT and ADMIN
  2. Save backup codes securely --- Print them or store in a password manager
  3. Use strong, unique passwords --- Don't reuse passwords from other services
  4. Review sessions weekly --- Revoke any you don't recognize
  5. Set API key expiry --- Don't create keys that never expire unless necessary
  6. Enable High Security Mode --- Extra protection for ROOT operations
  7. Keep your authenticator app backed up --- Export accounts or use cloud sync