cPanel 2FA Bypass on Mobile

I have a couple of cPanel management apps on my phone. One of them, I suppose, was the official cPanel app. Using it would honor TFA on login.

When using apps available today, logging into cPanel will bypass TFA. If anyone has the l/p then they can log in and make changes. TFA is enforced with browser login.

It sounds like the user-level API is able to bypass 2FA. Typically in a secure system this is still true but of generated API keys rather than the base account password. I'll run some tests and see if I can bring some meaningful feedback back to the cPanel team.

Thanks. If you need any information from me please let me know. I was using control panel pro dayana networks. Same with free edition.

Given the issues this can create, I wonder if there is a way to change the username in control panel to make it more complex?