
Meeting - December 10 2024


This call discusses PCI compliance needs, due in March 2025, chiefly 2-factor authentication.

What Tangible's role is: we're trending towards a focus on new development, while Paragon's internal resources handle "life support". As a company we normally take an approach where we create in-house tools that accelerate custom development projects for clients, covering both custom work and day-to-day support.

Joe (CEO) and Cara (Director of Operations) will be part of the conversation going forward, joining future meetings to facilitate clear reporting of situations and give them more visibility.

2-factor authentication

PCI-compliance is required for a specific client contract. To this end Paragon is looking to set up 2-factor authentication. Deadline for meeting compliance criteria is March 2025.

Our plugin options are WP-2FA by Melapress and the Two-Factor plugin supported by official WordPress contributors.

Students at corporations like SMS verification; we need to balance enough 2-factor authentication to be useful and more secure without introducing hurdles to the user experience.

The free tier of WP-2FA by Melapress doesn't support sending mobile auth codes, but Mae is happy with its functionality so far and Paragon is comfortable paying for the premium plugin.

2FA should default to email, as we can't rely on users having a valid phone number in the system. It's difficult to collect information from users invited by corporations, and corps don't always provide accurate information. Students should be able to opt-in. Goal is to be PCI-compliant.

Issues with SMS approach:

  • International access - Twilio can be weird with international zones
  • Sending text messages is expensive compared to email, authenticator app
  • Not very secure, according to everyone

Mae will do more testing, but seems to be leaning towards Melapress.

Gabriel mentioned applying 2FA requirements to a subset of users. Cara asks whether 2FA could be limited to Sponsors, users with billing info in the system (customers). It's unclear whether PCI compliance can be legally met if 2FA is selectively applied.

Important question to answer (Mae will find answers)

Can 2FA only apply to customers and admins, or does it need to be everyone? Mae expresses that she feels all users will need to have 2FA in the future.

Important question to answer

What if users are not allowed to be on their phone during training time?

What if users don't have access to Wifi on their phone (TOTP concern)?

Tangible will act as fallback for additional support to Mae as she implements functionality. Gabriel notes that support staff should be prepped to help users connect once 2FA is enforced. Mae will prepare documentation for Ops.

Cara expresses that she wants 2FA to impact as few users as possible, wants to avoid flood of support requests and annoying corporate clients. Joe asks if we can implement trusted device opt-in.

Credit card testing in checkout

Gabriel has recommended switching from Google reCAPTCHA to Cloudflare Turnstile. Mae is hesitant, more discussion to follow.