Announcement

**Rick Wilson** · 07-17-18, 09:45 AM

Also there are other TOTP apps for Smartphones and browsers other than just Googles. I think Authy has been discussed in this thread or another. Ultimately we support TOTP so the app provider is up to the user.

**Krsullivan** · 07-18-18, 03:31 PM

Hello.

1. FYI - Yubico makes two Keys for with USB-C ($10 more but much smaller)

2. My question or problem, I'm using a YubiKey, no problem on the authentication part, however, every time I reboot the computer, Miva also sends an email to me to enter a code. I thought this was only suppose to happen when I use a different computer. How does miva keep track? The server or a cookie on the workstation.? This does not happen with TOTP, only with the yobico.

Thanks

Kevin
AutomotiveWorkwear.com

**ILoveHostasaurus** · 07-18-18, 03:36 PM

Keep in mind they do not currently have a USB-C model that also does NFC (for mobile use on iOS products).

As far as the browser auth, that is based on a cookie called mm5-admin-<browserid> and should not have any relation to the type of two factor selected. It's a persistent cookie, or should be. Could there be something on your computer that is clearing certain cookies at reboot, such as anti-virus or other security software?

**Rick Wilson** · 07-18-18, 03:51 PM

That cookie is supposed to last for 1 year, FYI

**Krsullivan** · 07-18-18, 04:01 PM

Thanks for the info on the USB-C, I was about to order one for an iOS device we have, I will get the other ones.

Yep, I was wrong, its a browser issue after all dealing with cookies. Our security settings is removing all cookies when the browser is closed. I can fix that. Thanks for pointing us in the correct direction.

I also purchased a couple of the Yubico 4 nano models. Really cool, they are about 1/2" square and barely stick outside the USB opening on my keyboard. You would not know what it was or that its even there in the USB slot. It sticks out just enough to put you finger on the edge to make it work..... Very sleek, but definitely not the model if you are going to swap it from computer to computer.

Thanks for the help.

Kevin

**jsdva** · 07-19-18, 05:41 AM

Originally posted by ILoveHostasaurus View Post

.. 2FA is on always in 9.10.x so no longer needs to be manually enabled.

Well, how about that! Thought something was wrong. Relief! Thanks David

**jsdva** · 07-19-18, 05:45 AM

Originally posted by ILoveHostasaurus View Post

2FA is on always in 9.10.x so no longer needs to be manually enabled.

Don't think I caught that in the video.

**jsdva** · 07-19-18, 06:09 AM

Originally posted by Rick Wilson View Post

Also there are other TOTP apps for Smartphones and browsers other than just Googles. I think Authy has been discussed in this thread or another. Ultimately we support TOTP so the app provider is up to the user.

I downloaded Authy. So far, it looks like that will work great. Thanks.

**jsdva** · 07-19-18, 06:23 AM

Originally posted by ILoveHostasaurus View Post

With the exception of my annoying MacBook Pro, I haven't encountered a computer that has only USB-C ports, so chances are that client is safe to just buy the normal USB-A keys for everyone and if they happen to have an employee with a MacBook, chances are that person already has the C to A adapters; I carry a few with me at all times lol.

The first point to make though is that users can self-enable two factor if they can currently log in, and Yubi doesn't really give price breaks, so the purchase could always be placed as individual orders and shipped direct to the recipients. They're on Amazon too, and 25% off with Prime Day; $30 for Yubikey 4.

For doing TOTP instead of Yubikey, users can also self enable that, so they just need to have a TOTP code generator handy before starting the process. If they have a smart phone available, that would be preferable to browser stored, since people often have a tendency to store their credentials in their browser. The business owner should try to keep people from doing browser-based TOTP generation, since a virus could share both the TOTP key (which is used to generate the values) and the store credentials, if both are in the browser and accessible to the virus, and who knows how the browser-based generators store the key. There are also third party TOTP generators like Authy which are cross platform/device.

Good info David. Thank you for answering my questions so thoroughly! This helped!

Jamie

**kayakbabe** · 07-20-18, 01:04 PM

for my MacBook pro and iOS devices there is a Yubikey Neo which looks like it should work in pc's with USB-A ports and also allow near field bluetooth communications with IOS and MAC equipment. A May 2018 announcement shows it works with IOS now. Though I don't see 2FA. It has U2F. My question is: Will the Yubikey Neo work with Miva? I'd rather just have one key and I would like not to use Google Authenticator (which is what I"m using now as I've had troubles before when I switched phones.)

https://www.yubico.com/products/yubikey-for-mobile/

https://www.yubico.com/product/yubikey-neo/

**Rick Wilson** · 07-20-18, 01:27 PM

Yes that YubiKey Neo works with Miva.

**GDesigns** · 07-20-18, 04:04 PM

In case it helps - her are some instructions for store owners (and possibly developers) on what happens (or needs to happen) when giving a developer store admin access - let me know if I left something out :) http://bit.ly/2LpJQzL

**jpatrickm** · 07-31-18, 08:49 AM

I put this video together for my clients. I outline a technique to make this all much much easier! 1Password has two-factor authentication built in so you can do a completely automated login.

This video tutorial will walk you through the new Miva security features, including the new browser authentication and the two-factor authentication. As I mention in the video, you may already be familiar with how to use two-factor authentication, but I want to make sure it's clear how to set it up for everyone and I also discuss a tool to make it faster for you to use.

Link to watch the video:
https://patrickwebby.com/how-to-setup-miva-merchant-two-factor-authentication-and-tricks-to-make-it-easier/

Thanks,
Joe

**TheTeaTable** · 10-23-18, 12:29 PM

I've been delaying enabling two-factor authentication, but I know I need to go ahead and get it done. I don't do the smart phone thing, and even though Authy seems like a nice option, that means I can't scan the QR code, and the text string looks like a kind of absurd thing to have to enter. So, is the Yubikey a much better option for me? I'm not accessing the site with mobile devices, and I can just have the key handy on my keyring.

**Rick Wilson** · 10-23-18, 02:35 PM

Yeah I think a YubiKey is the best option in that case (and actually in general)

Announcement

Two-Factor Authentication

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment