Al Brookbanks Posted September 18, 2019
I use LastPass and literally don't know any of my passwords other than master. It's a pretty good feeling. Obviously I keep my master password printed and sellotaped to my monitor. (Joke!!). Haha
Kevin D Posted May 29, 2021
My apologies if I am resurrecting a dead thread, but a search for 2 factor authentication made this the most likely candidate. While still a tiny site, I am still a little concerned about the login to the Admin Control Panel. Even using LastPass, if the password is guessed, or found through a Man in the Middle attack, there is no further protection to prevent unwanted access. Are there any plans to incorporate 2FA in a future release, or is it there and I am missing it? Thanks in advance.
bsmither Posted May 29, 2021
There could be a real 2FA installed (send a text to your phone, perhaps). But as of now, a simpler method could be explored: triggering the "Lost Password" feature of the admin login. So, 1) One would need to know the name of the administration login script -- it can be anything, not just 'admin.php' or something that starts with 'admin', such as 'myHardToGuessStoreBacksideScriptName.php'. And, 2) an email would be sent to the admin containing a temporary password -- the admin's username and email address will need to be in the database.
Kevin D Posted June 8, 2021
Sending a text to a phone is probably hard to implement because it will require a third party text messaging provider. As an aside, it needs to be absolutely rock solid. I once worked for a company that had need to use cellphone texting to issue control commands. It should have only been one or two messages a day, but a bug crept in, and it started texting every couple of seconds. Worse, it started on a weekend, and no-one noticed it until the next week, and there was a $20K bill to pay.

Email is a workable option, although sometimes emails can be delayed, and make it hard to log in.

I think the best option, although I have no idea how to implement it, or its cost, would be to use an authenticator app. I have steadily added authenticators to all web services that offer it, with the biggest omission for me being CubeCart. There are both Google and Microsoft Authenticators, along with some third party authenticators, which have minimal log-in impact, but provide an extra layer of security, especially for applications that include financial information such as CubeCart.