System error logs


Robin Somes
  • 1 year later...

My apologies if I am resurrecting a dead thread, but a search for 2 factor authentication made this the most likely candidate.

While still a tiny site, I am still a little concerned about the login to the Admin Control Panel. Even using LastPass, if the password is guessed, or found through a Man in the Middle attack, there is no further protection to prevent unwanted access.

Are there any plans to incorporate 2FA in a future release, or is it there and I am missing it?

Thanks in advance.


There could be a real 2FA installed (send a text to your phone, perhaps).

But as of now, a simpler method could be explored: triggering the "Lost Password" feature of the admin login.

So, 1) One would need to know the name of the administration login script -- it can be anything, not just 'admin.php' or something that starts with 'admin', such as 'myHardToGuessStoreBacksideScriptName.php'. And, 2) an email would be sent to the admin containing a temporary password -- the admin's username and email address will need to be in the database.


  • 2 weeks later...

Sending a text to a phone is probably hard to implement because it will require a third party text messaging provider. As an aside, it needs to be absolutely rock solid. I once worked for a company that had need to use cellphone texting to issue control commands. It should have only been one or two messages a day, but a bug crept in, and it started texting every couple of seconds. Worse, it started on a weekend, and no-one noticed it until the next week, and there was a $20K bill to pay.

Email is a workable option, although sometimes emails can be delayed, and make it hard to log in.

I think the best option, although I have no idea how to implement it, or its cost, would be to use an authenticator app. I have steadily added authenticators to all web services that offer it, with the biggest omission for me being CubeCart.

There are both Google and Microsoft Authenticators, along with some third party authenticators, which have minimal log-in impact, but provide an extra layer of security, especially for applications that include financial information such as CubeCart.

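An added example, not part of the posts above and not CubeCart code: how a code from an authenticator app (TOTP, RFC 6238) can be checked server-side in PHP, with a constant-time comparison and a guard against reusing a code. The function names are hypothetical, and the secret is the published RFC 6238 test value rather than a real one.

```php
<?php
// Added example; function names are hypothetical, not CubeCart APIs.

// Decode the base32 secret that was shown to the authenticator app at enrolment.
function base32_decode_secret(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop the trailing partial byte
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP (RFC 4226) value for one 30-second counter step.
function totp_at(string $key, int $counter, int $digits = 6): string {
    $hmac = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hmac[19]) & 0x0F;        // dynamic truncation offset
    $bin = unpack('N', substr($hmac, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Returns the matched counter, or null. $lastUsed is the counter stored
// after the previous successful login, so a captured code cannot be replayed.
function totp_verify(string $key, string $code, int $lastUsed, ?int $now = null, int $window = 1): ?int {
    $step = intdiv($now ?? time(), 30);
    $match = null;
    for ($c = $step - $window; $c <= $step + $window; $c++) {
        // hash_equals avoids leaking digits through comparison timing
        if ($c > $lastUsed && hash_equals(totp_at($key, $c), $code)) {
            $match = $c;
        }
    }
    return $match;
}

// Constructed check with the RFC 6238 test secret (ASCII "12345678901234567890").
$key = base32_decode_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
var_dump(totp_verify($key, '287082', 0, 59));   // first use of the code
var_dump(totp_verify($key, '287082', 1, 59));   // same code after counter 1 was stored
```

On a real login the returned counter would be saved per admin account and passed back as `$lastUsed` next time, and failed attempts would be rate-limited.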
