Implementing TOTP for 2FA
First of all, note that "Security" is not an option in the Category dropdown for composing messages on this forum.
Now to the topic of 2FA. Cursory browsing in security forums will reveal that both SMS and Passkeys are quite problematic. SMS is subject to SIM hacking, and Passkeys... well just do a Google search for "the problem with passkeys" for some interesting reading.
Currently the most secure and portable 2FA method is TOTP, so it's rather surprising that WA isn't implementing it. I hope WA implements TOTP in the very near future.
2 votes -
Extend 2FA to all logins to website, not just administrators
HELP!!! Wild Apricot has the ability to move to 2FA for all people accessing a website on a WA platform. Please, please make this security issue a high priority. It helps protect personal information for the individual, entity, club. WA has the ability to implement this as all admins have to use the 2FA. Please??
3 votes -
Using passkeys for authentication
When will passkeys be an option for users to authenticate into the website without the need for a password? See the FIDO Alliance [https://fidoalliance.org/] and/or https://www.passkeys.com/
Safer than passwords. No 2FA or Captcha needed. Easy to use.
6 votes -
Make anti-spam captcha OPTIONAL for log in.
Our site fortunately doesn't have issues with bots, so why does the captcha have to appear for all users to log in? Why wasn't this made optional, so admins can enable/disable it as it suits their organization's needs? Do you know our members or public visitors better than we do?
I understand the need for an anti-spam captcha function, but "one size fits all" DOES NOT WORK for everyone. Our members are complaining about this, and frankly for members who regularly log into the site, it insults their intelligence. What kind of user experience is that???
14 votes -
Multifactor authorization
I do not like the two factor authentication currently required of me on signin. I am an administrator. The double (or you could say triple) is upon signing in - first: name and password, second: click the "I am not a robot" box, third: identify crosswalks or bicycles or whatever. Are all of our members seeing this? It is over and above what is needed!
13 votes -
Multi-factor Authentication
To obtain cyber-risk insurance, it is necessary for us to have the multi-factor authentication in place. I have been informed that Wild Apricot does not have multi-factor authentication in place. In today's world, this is really important. Please consider having multi-factor authentication in place for the admins at least.
26 votes -
Allow administrators to login as a member
For many of our members, an administrator is often required to perform tasks for members. This includes buying items from the Online Store, or signing them up for events, or renewing their memberships.
The simplest solution would be to allow administrators to become a proxy for a member, and login as the member to perform these tasks. For those members who never log in (it happens because our members are retired folks with less computer savvy, and sometimes without computers), we can give these members a password that only the administrators know, but we're loath to do that.
For other…
26 votes -
Allow Custom Domains to Force HTTPS:// Sitewide
When using your own custom domain and an SSL Certificate (Let's Encrypt or 3rd Party), you should be able to update the Traffic encryption settings to "Always use https://" on that custom domain name. It defeats the purpose of even securing the site if a visitor has to manually type in "https://", when we're trying to gain the trust of a potential new member's information being safe when the browser they're using is telling them the site is "Not Secure". For this to be a paid hosting service and only allowing to use a "wildapricot" subdomain if you want https://…
5 votes -
security status of wild apricot
I am thinking about having this platform independently tested for security before finalizing our transition to WC from our existing platform. Has anyone else done this previously, or can anyone point to some certifications that will give me the sense of security that my members demand?
3 votes -
New anti-spam features
We are getting hammered by Russian spam bots. They are creating new contacts, several a day. We have the re-captcha activated but this isn't enough and the issue is urgent. The spam bots are also pledging huge donations, so if you can make them pay up, then no need to block them in the future!
4 votes -
Privacy Policy confirmation needs to be enforceable
In terms of accessing members-only information, I believe the Confirmation of having read the Privacy Policy, if one is enabled, should be enforced. My understanding is the member can leave this field at No, but it doesn't restrict any access to information. If that is the case, the field provides no tangible functionality. I think as long as the field is set to No, the member needs to be prompted to confirm that they have read the policy upon login attempt. If they are unwilling to confirm, they shouldn't be granted access. This is especially important for access to contact…
2 votes -
Hide contact list information from admins who just have event creation capability.
We need to be able to hide the contact information on the contact list from system admins who have just got event creation rights. Member information is hidden but not contact information, and those with event creation access have the ability to extract a full contact list. This puts us potentially in breach of the Australian Privacy Act as we need to ensure that contact information is restricted.
Having the ability to extract a list of email addresses etc creates a significant exposure for our members and creates a liability that at the moment we can only manage by not…
4 votes -
On login screen add icon to allow viewing of password. An eye icon is the norm.
With the number of passwords being used, having the option to view the password typed allows for corrections of mistyped entries. Use of an eye icon to see the typed password is becoming common.
12 votes -
BankVault's MasterKey
ASCI would like to add BankVault's MasterKey to our login form.
It needs a small code added to your system; is this possible?
1 vote -
restrict level viewing
Is there any way to restrict access to certain membership levels? All of our staff have administrative full access, but we have some confidential information we'd like in our database that not all staff can see.
4 votes -
3 votes
eu hosting
It would be awesome to have an EU or UK (or even Canadian) AWS location for hosting to reduce GDPR overhead.
1 vote -
Remove insecure TLS1.0 and TLS1.1 protocols so that websites rating is not downgraded
TLS1.0 and TLS1.1 are vulnerable. Most browsers don't want them any longer and websites using these protocols will be downgraded beginning Nov 2019. The recommended minimum protocol as from March 2020 for good website rating is TLS1.2. When will WA disable use of the vulnerable protocols and implement only TLS1.2 and higher? The current rating of my website is an A but this will be downgraded to a B soon and by March 2020 even lower unless insecure protocols are removed. Since this is out of my hands I am hoping the removal of the less secure 1.0 and 1.1…
6 votes -
Password 'Have I Been Pwned' breach check
Add a feature to check passwords breached from Have I been Pwned before user can submit new password. https://techcrunch.com/2018/02/23/1password-bolts-on-a-pwned-password-check/ https://haveibeenpwned.com/
2 votes -
Make the captcha optional for the store checkout process
The "I'm not a robot" option is embarrassing. I was unable to "choose the images" with cars or "choose the images with signs" since the photos were hard to figure out. I do not want this as part of my website. I received four unfulfilled orders in a row and I believe people escape when they get to this point. I'm quitting the service over this. It's embarrassing. Seeking another service over this minor yet big detail.
5 votes