I am posting this since @brainstorrrm (2019-09-11) had brought this to my attention followed by @simon.adams mentions too. Their point has strong value and I want to post this thread concerning that.
original post (2019-02-25) by @brainstorrrm : https://www.wix.com/corvid/forum/community-feature-request/two-factor-authentication-2fa
Basically, as a site Owner (us as a customer to Wix.com) we should have better security measures provided to ensure that our site(s) do not get tampered with, and can prevent malicious access. Understandably, these measures to be discussed are typical industry standards to prevent more common (first line of defense) type of access by bad actors – not fully preventable against more serious actors/threats.
**All references hereon to “Users” are for our Site’s Owners/Admins (aka us a Wix.com customer) and also any authorized contributors we add - and not referring to our site’s customers/members (aka our customers not Wix’s).
Of course for most businesses with many Users, SAML 2.0 is something to add-in lieu of the 2FA - then using 2FA as recovery for SAML. Personally I'd use (and prefer) SAML 2.0.
For a SAML 2.0 Feature Request, see my other post: https://www.wix.com/corvid/forum/community-feature-request/saml-2-0-for-site-admin-owner-log-ins
Currently 2FA is offered (only) by Wix to assist in account access/recovery: Mobile-Phone-Account-Link.
The two security measures [policies] desired are: 1) 2FA (Two Factor Authentication) Policy -AND- 2) Source IP Based Access Policy. Both policies should be optional (not required), to allow [us] site owners the flexibility for our Users.
1) 2FA: The ability to activate on a per User basis 2FA, and maybe (a Wix decision) require on the main login-in [one single main User]. This two-form of authentication (2FA) should be a Mobile SMS and Telephone call. A third option of an Authenticator could be added too, but that can be troublesome for some people. These phone numbers would be associated with each User on our site(s). Therefore, in order for such User to be able to gain access, in addition to their User-Name & Password credentials, they’d need to successfully complete this 2FA. The idea here is to prevent access when User’s credentials have been compromised.
2) Source IP Access: The ability to provide a list of IPs that are allowed to gain access to our site(s) as a User. This is a good policy to ensure only approved locations/IPs (usually means known people) can have access. Normally this policy would have a list of IPs (again optional) per account and/or per User – per User (at minimum) is better to avoid issues. Ideally part of a good practice is to have 1 User that is not restricted in case those site-owners that don’t have static IPs, and may lose theirs (from their ISP) or could be traveling. Alternately, having one-main (single) User to be able to provide more additional info to bypass the Source IP works too – this is usually some secret questions or another proof of identity.
Of course, both are preferred, while #1 is first level requirement followed by #2.
Next Steps: Get this in as a (high priority) feature request. Therefore, if other site owners/admins feel the same about this, they should make this a feature request via this forum and via Wix’s customer support. From my searching I could not find a currently available link to submit feature requests with Wix. Though from my experience Wix’s call-back tech support team is friendly and accommodating. My thought is that, in order to get a feature on Wix’s radar, either of those (previously mentioned) should be a great place to start. Once a feature is on their radar, they will allow us to vote on it.
No Platform is perfect, but it seems as though Wix is trying to do the right thing – sometimes slowly but surely.
P.S. This may be more of a Wix feature than a Corvid feature, since API exposure could create security issues for us (as site owner) on this one.