One of the most reliable tools for protecting your Magento backend is two-step authentication. We’ve already reviewed the Two-Factor Authentication extension by Xtento, and now it’s time to pay some extra attention to Two-Factor Authentication by Extendware. Below, you will find an overview of the module’s functionality and features as well as a small Magento extension tutorial related to the backend configuration.
If you are not familiar with two-step authentication, it is designed to protect your Magento website from insecure connections, keyloggers, and various malefactors. Every time an admin logs in to the backend, there is a possibility that someone is trying to steal his or her password. A stolen password can be used to get access to your store and steal sensitive data or damage your business.
To prevent this situation, you only need to install the Two-Factor Authentication extension. Extendware’s solution uses Google Authenticator to add an extra login step. Your admins use their smartphones to get a secret code that is valid for 30 seconds only and enter it in addition to the login and password.
That’s what customers think about the Extendware Two-Factor Authentication Magento module:
- Secure Login. The passcode changes every 30 seconds, so even if someone knows the password, the malefactor will not get access to the website until he or she gets the smartphone with the passcode.
- Login Attempts Limit. The module provides the ability to set a limit on the number of login attempts. Thus, you protect your backend from brute-force attacks.
- Passcode Sniffing Protection. If a passcode is sniffed and entered within 30 seconds, the malefactor will not enter your backend, since each passcode can be used only once.
- Key Logging Protection. Another important aspect of the Extendware Two-Factor Authentication Magento extension is total key logging protection. Even if you log in from a computer that is logging keyboard input, there is no need to worry about stolen passwords, because there is the extra protection layer.
- Login Attempts Log. There is a history of all login attempts in the Magento backend, so you can easily check such data as IP address, time of each attempt, passcode used, etc.
- Whitelisting. It is also possible to eliminate the necessity to use the second authentication step for certain IPs.
- Flexibility. In case you need various levels of security for different accounts, you can easily implement it. The module lets you require a password only, a passcode only, or both.
To configure the extension for a particular user, go to System -> Permissions -> Users. Select a user account, and open the Two-Factor Settings tab. Here, you can choose an authentication mode (Password only, Verification code only, or Both) and a two-factor mode (Authentication Code, IP Address, or Both). In the Verification Code field, enter the current time-based passcode after enabling verification code authentication or changing the secret key; otherwise, changes will not be saved. Next, there is a secret key that should be given to Google Authenticator. The last field here contains a QR code that should be scanned to add a new account.
As for the extension’s settings, they are available here: Extendware -> Manage Extensions -> Authenticator -> Configure. There are two sections here: General and Rate Limit. The first one allows you to enable/disable smart verification code input (the verification code box is not shown if the IP address does not require it), turn the extension on or off, and specify the tolerance level (the authenticator app and your server might be out of sync, so don’t set the value too low, or it will lock you out of the admin). It also lets you add IP addresses to Two Factor IP Rules so that users of these IPs can log in without entering a passcode. As for Required IP Rules, logins must match the IPs of these rules.
In the Rate Limit section, you can enable the feature, set a limit on the number of login attempts, and specify the period over which these attempts are counted.
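To see how the tolerance level and the single-use rule for passcodes interact, here is an added example (not Extendware's code): a time-based passcode check following RFC 6238 with a drift window and replay rejection. The Verifier class, its tolerance parameter, and the demo secret are hypothetical names and values chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each passcode is valid, as in Google Authenticator


def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 code for one 30-second counter (HMAC-SHA1, RFC 4226 truncation)."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server-side check: tolerance window plus single-use codes."""

    def __init__(self, secret_b32: str, tolerance: int = 1):
        self.secret = secret_b32
        self.tolerance = tolerance  # 30-second steps of clock drift accepted each way
        self.last_counter = -1      # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        if not (code.isascii() and code.isdigit()):
            return False
        current = int(now) // STEP
        for counter in range(current - self.tolerance, current + self.tolerance + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used: no replay
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key
    v = Verifier(demo_secret, tolerance=1)
    code = totp(demo_secret, 59 // STEP)
    print("first use :", v.verify(code, now=59))   # accepted
    print("replay    :", v.verify(code, now=59))   # rejected, code already consumed
    strict = Verifier(demo_secret, tolerance=0)
    print("30 s drift:", strict.verify(code, now=89))  # rejected, tolerance too low
```

With a tolerance of 0, a phone whose clock is one step behind the server is rejected on every attempt, which is the lockout the setting's description warns about.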
All login attempts are gathered here:
The importance of two-step authentication is hard to overestimate. If you don’t want to lose any secure data, this is a must-have improvement, and you can get it with the Extendware Two-Factor Authentication Magento extension for just $79.