    Two-Factor Authentication

    Implementing Two-Factor Authentication, and being unfamiliar with all the technical back-end aspects, I have the following questions/concerns:
    1. From a security perspective does it matter which browser Two-Factor Authentication plugin I use? My concern is choosing a solution that is not as secure as another may be or worse a solution with criminal intentions.
    2. Once a solution is selected, can it be switched to another solution? If so, what are the additional security precautions I need to take, if any (e.g. changing passwords, uninstalling the app, etc.)?

    Thank you, Bill Davis

    #2
    The TOTP-based solution is the better option if you access a store while on the go, and perhaps even mandatory depending on mobile device. The two downsides to TOTP are 1) the numeric code is based on a unique key, and if someone else were to gain possession of that key, they could generate the same code, and 2) the code is not one time use, so if someone were monitoring your keystrokes on your computer, or had otherwise compromised your website, they could potentially get your password and the secret value that will work for roughly a minute. That likelihood is fairly low of course, but the possibility exists.

    The hardware token solution is more secure, because you not only have to have possession of the token, you have to plug it into the computer and touch it at the time of logging into the store, so someone with control of your computer can't even gain access to your store unless they wait for you to authenticate and then blank your screen while doing activities in your store. However, a hardware token can also be a bit more inconvenient, especially if you need to take it with you for on the go access, forget it, lose it, or need to log into your store at night but then have to go figure out where you set your key down when you got home, etc.
    David Hubbard
    CIO
    Miva
    [email protected]
    http://www.miva.com



      #3
      Originally posted by ILoveHostasaurus:
      The TOTP-based solution is the better option if you access a store while on the go, and perhaps even mandatory depending on mobile device. The two downsides to TOTP are 1) the numeric code is based on a unique key, and if someone else were to gain possession of that key, they could generate the same code, and 2) the code is not one time use, so if someone were monitoring your keystrokes on your computer, or had otherwise compromised your website, they could potentially get your password and the secret value that will work for roughly a minute. That likelihood is fairly low of course, but the possibility exists.
      Now I'm a bit confused. I installed the Google Authenticator app on my phone. When I log into a site for the first time I scan the QR code into the app. Then a number is generated. I can watch the app count down, then generate a new code. When I go back to log into a site, I look at the app; I have to be paying attention, no dilly-dallying, as it looks like the code is being changed every minute. Have I found a better way to do this?

      Leslie Kirk
      Miva Certified Developer
      Miva Merchant Specialist since 1997
      Previously of Webs Your Way
      (aka Leslie Nord leslienord)

      Email me: [email protected]
      www.lesliekirk.com

      Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr



        #4
        Originally posted by lesliekirk:

        Now I'm a bit confused. I installed the Google Authenticator app on my phone. When I log into a site for the first time I scan the QR code into the app. Then a number is generated. I can watch the app count down, then generate a new code. When I go back to log into a site, I look at the app; I have to be paying attention, no dilly-dallying, as it looks like the code is being changed every minute. Have I found a better way to do this?
        The way you're doing it is safe. The QR picture is just a visual representation of the key used to generate the TOTP code; the real key is just below the QR picture. Once you enroll, in Merchant 9.10, you can never again see that QR code or the key. Once it goes into Google Auth, you also can't later extract the key out of there. There are two potential attack vectors:

        1) If your computer has been compromised, or the website with the store on it (but not the store itself) has been compromised, someone could potentially eavesdrop on both your password and your TOTP code. The code is good for roughly 60 seconds max, so if they were monitoring in real time, they could potentially then get into the store as you if they acted quickly.

        2) If you choose to take that QR code or the key just below it and keep that somewhere where it can come back out, then it is similar to a password that has been kept somewhere, in that someone could potentially get a copy of it somehow. For example, if you use a password manager that is capable of storing both passwords and TOTP keys to generate the codes (KeePass and Bitwarden are examples), and your computer got compromised while you had the password manager unlocked, the attacker could potentially steal the password and TOTP key so they could begin generating the codes to log in without your knowledge. If you never keep the TOTP key, never use it with an application that allows it to come back out, or never store it in the same place as the password, then you wouldn't be vulnerable to this attack.
        David Hubbard
        CIO
        Miva
        [email protected]
        http://www.miva.com
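Added example, not code from the thread or from Miva: a minimal RFC 6238 TOTP generator plus a server-side verifier in Python, illustrating the two points David makes in #2 and #4. Anyone holding the key printed under the QR code computes the identical code, and a code eavesdropped during its window can be replayed unless the server refuses to accept the same time step twice. The secret is the published RFC 6238 test key, constructed here for the demo, and the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample key: the RFC 6238 test secret "12345678901234567890" in base32,
# the form printed under an enrollment QR code. Not a real credential.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"

def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the Unix time step (30 s by default)."""
    return hotp(secret_b32, at // step)

class TotpVerifier:
    """Server-side check that never accepts the same time step twice, so a code eavesdropped
    during its window (the thread's attack vector 1) cannot be submitted a second time."""

    def __init__(self, secret_b32: str, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret_b32, step, skew
        self.last_accepted = -1  # highest time-step counter already consumed for this user

    def verify(self, code: str, at: int) -> bool:
        now = at // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_accepted:
                continue  # that step was already used (or is older): refuse the replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted = counter
                return True
        return False

def demo(at: int = 1111111109) -> dict:
    """Walk-through at an RFC 6238 test timestamp: a copy of the key yields the identical code
    (attack vector 2, or a cloned store), and the server accepts the code once but refuses it
    when the same value is replayed 10 s later."""
    phone_code = totp(SAMPLE_SECRET_B32, at)
    copied_key_code = totp(SAMPLE_SECRET_B32, at)  # same key read out of a password manager
    server = TotpVerifier(SAMPLE_SECRET_B32)
    return {
        "code": phone_code,                      # "081804"
        "copy_matches": phone_code == copied_key_code,
        "first_login": server.verify(phone_code, at),
        "replayed_login": server.verify(phone_code, at + 10),
    }
```

The accepted-counter bookkeeping is what turns a "good for roughly a minute" code into a genuinely one-time code on the server side; it does nothing against an attacker who holds the key itself.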



          #5
          Thanks David, very interesting.

          If one were to pursue the browser plugin route, should one have a preference for which browser Two-Factor Authentication plugin solution one uses, or does it not matter?

          For example: Google Authenticator vs Authy, Xyz, etc...?

          My concern would be the developer of the 2FA solution. For example, like shady mobile phone application developers: yes, OSes are supposed to limit certain exposures, but every now and then you hear on the news that an app was removed from the app store due to some type of security issue.

          Thank you, Bill Davis



            #6
            Authy is nice because it can sync across your devices, is TOTP-only, and doesn't support extracting the TOTP key, so if someone compromised your Authy in one way or another, they don't also get your password, and if you change your Authy credentials, they're now blocked from generating TOTP codes for your site since they weren't able to extract the key.

            I don't like the Google Auth plugin only because the data is local to that browser, and I don't know what method of encryption/decryption is used for it or if the key is protected.

            Google Auth as an app on your mobile device is fine, but doesn't sync across devices so you'd be tied to your one phone to generate your codes. However, if you enrolled multiple devices at the time the QR code was on the screen, or keep your TOTP key in a very safe place to enroll other devices, that works around that issue.
            David Hubbard
            CIO
            Miva
            [email protected]
            http://www.miva.com



              #7
              I am using the Google Auth App on my phone and so far it works fine. What happens if I get a new phone?
              Highly caffeinated
              http://www.coffeehouseexpress.com



                #8
                If you get a new phone, you'll need to generate a new TOTP key via the admin, which will also immediately disable the old key and make the codes on the old phone useless. You can use one of the one-time-use backup access codes for getting in at that point if it was a phone swap and you no longer have the old one, otherwise just have the new one handy when you replace the TOTP key so you can enroll the new phone for use on the next login.
                David Hubbard
                CIO
                Miva
                [email protected]
                http://www.miva.com



                  #9

                  Hello David,

                  What about multiple sites? We have 4 live MIVA sites, and 6 DEV sites (for the 4 live Miva sites).

                  1. Would one hardware key be able to run all the live sites and devs, or do we need a hardware key for each?

                  2. If so, at the beginning I could see 10 new Two-Factor setups; however, what happens when we copy the live site and overwrite the dev? We could have two domains, Live and DEV, with the same key codes.

                  3. What happens to the above with Google Authenticator? If we overwrite the dev from the live site, we have two domains with the same Two-Factor Authentication login for two domains using that original QR code. Does Google Authenticator get confused?

                  thanks

                  Kevin
                  AutomotiveWorkwear.com



                    #10
                    Hi Kevin, each Yubikey has a unique signature which a given user can add to any store where they have an account, so just one is needed. Our staff will be using them in that manner for support access too. For a TOTP-based two factor, if a store were cloned, the same TOTP key would be present in both copies for a given user, so they could use the same generated code to log into both stores; the key is unique when it is generated, and there's no way to extract the original key value, but the encrypted key will be copied when the store is cloned. There isn't a way to have the same TOTP key for multiple different stores.
                    David Hubbard
                    CIO
                    Miva
                    [email protected]
                    http://www.miva.com



                      #11
                      Well, the Authy app is working well for us for now. What I like most about it is you can sync with more than one device including desktop.
                      Thank you, Bill Davis



                        #12
                        Originally posted by ILoveHostasaurus:
                        Hi Kevin, each Yubikey has a unique signature which a given user can add to any store where they have an account, so just one is needed. Our staff will be using them in that manner for support access too. For a TOTP-based two factor, if a store were cloned, the same TOTP key would be present in both copies for a given user, so they could use the same generated code to log into both stores; the key is unique when it is generated, and there's no way to extract the original key value, but the encrypted key will be copied when the store is cloned. There isn't a way to have the same TOTP key for multiple different stores.
                        Hi David,

                        Trying to deconstruct this and find a solution workable for a particular client's situation:

                        So Yubikey is a USB device, and a client with 5 admins (that's how they want it) will need 5 USB devices. And, for each of those devices, the varied client will need to know which port type each of those admins has prior to purchasing their YubiKey; then the client would need to get each of those admins their device. This seems good for clients that have all of their admins in one building and not scattered across the country. Am I off base in my thinking?

                        Alternately, there is GAuth Authenticator, which is easy enough. But:

                        1. Will all 5 of those admins need to have that authenticator installed on their browser or phone prior to the client setting it up in admin >> domain details >> Password settings >> Enable Two Factor Authentication?

                        --Or--

                        2. Can the client enable it, and then each of those 5 can install GAuth Authenticator and set up their two-factor authentication under Users whenever they access the admin in their own time?

                        Also, I've found the GAuth Authenticator extension for Chrome, but not Firefox. So will all 5 admins have to use Chrome to access their admin, if it is not available for their browser of choice?

                        Thanks for your patience,

                        Jamie




                        Jamie Donaldson
                        JSDVS Web Design / Development
                        Web Design | Web Development | E-commerce Design & Integration



                          #13
                          A client admin and two other dts admins do not show text or a checkbox for admin >> domain details >> Password settings >> Enable Two Factor Authentication. These are three different admins that do not have it, but all are:

                          Miva Merchant 9.10.01
                          MivaScript Engine v5.31
                          Database API: mysql

                          Now what?

                          Thanks,

                          Jamie
                          Jamie Donaldson
                          JSDVS Web Design / Development
                          Web Design | Web Development | E-commerce Design & Integration



                            #14
                            Originally posted by jsdva:

                            Hi David,

                            Trying to deconstruct this and find a solution workable for a particular client's situation:

                            So Yubikey is a USB device, and a client with 5 admins (that's how they want it) will need 5 USB devices. And, for each of those devices, the varied client will need to know which port type each of those admins has prior to purchasing their YubiKey; then the client would need to get each of those admins their device. This seems good for clients that have all of their admins in one building and not scattered across the country. Am I off base in my thinking?

                            Alternately, there is GAuth Authenticator, which is easy enough. But:

                            1. Will all 5 of those admins need to have that authenticator installed on their browser or phone prior to the client setting it up in admin >> domain details >> Password settings >> Enable Two Factor Authentication?

                            --Or--

                            2. Can the client enable it, and then each of those 5 can install GAuth Authenticator and set up their two-factor authentication under Users whenever they access the admin in their own time?

                            Also, I've found the GAuth Authenticator extension for Chrome, but not Firefox. So will all 5 admins have to use Chrome to access their admin, if it is not available for their browser of choice?

                            Thanks for your patience,

                            Jamie



                            With the exception of my annoying MacBook Pro, I haven't encountered a computer that has only USB-C ports, so chances are that client is safe to just buy the normal USB-A keys for everyone and if they happen to have an employee with a MacBook, chances are that person already has the C to A adapters; I carry a few with me at all times lol.

                            The first point to make though is that users can self-enable two factor if they can currently log in, and Yubi doesn't really give price breaks, so the purchase could always be placed as individual orders and shipped direct to the recipients. They're on Amazon too, and 25% off with Prime Day; $30 for Yubikey 4.

                            For doing TOTP instead of Yubikey, users can also self-enable that, so they just need to have a TOTP code generator handy before starting the process. If they have a smart phone available, that would be preferable to browser-stored, since people often have a tendency to store their credentials in their browser. The business owner should try to keep people from doing browser-based TOTP generation, since a virus could share both the TOTP key (which is used to generate the values) and the store credentials, if both are in the browser and accessible to the virus, and who knows how the browser-based generators store the key. There are also third-party TOTP generators like Authy which are cross platform/device.
                            David Hubbard
                            CIO
                            Miva
                            [email protected]
                            http://www.miva.com



                              #15
                              Originally posted by jsdva:
                              A client admin and two other dts admins do not show text or a checkbox for admin >> domain details >> Password settings >> Enable Two Factor Authentication. These are three different admins that do not have it, but all are:

                              Miva Merchant 9.10.01
                              MivaScript Engine v5.31
                              Database API: mysql

                              Now what?

                              Thanks,

                              Jamie
                              Two factor should be managed on a per-user basis just by going into Users, checking the user in question, and clicking Two-Factor Authentication. 2FA is always on in 9.10.x, so it no longer needs to be manually enabled.
                              David Hubbard
                              CIO
                              Miva
                              [email protected]
                              http://www.miva.com
