Two-Factor Authentication - Authy: multiple users + CRON


    I need some help or further explanation with two factor authentication, using Authy.

    Background: Client has 3 Miva seats, which are used in up to 8 different geographic locations, by up to 8 staff members. Here are just a couple of the many typical scenarios faced each day:

    a) Staff member working from home before the business day starts - logs in and uses 1 seat. Staff arrive at main office and log in and use 2 seats. Then, staff member in the warehouse needs access to Miva Admin. Calls one of the 3 existing users and gets them to log off. Then logs in. When finished, calls the staff member who logged out and that staff member logs in again.

    b) Later in the day, staff member in interstate office needs to login and calls a logged in staff member at head office, to get him/her to log out. Then when task finished, interstate staff member logs out and calls head office to let them know.

    c) CRON job runs a couple of times a day which downloads orders from Miva store, synchronizes product, customer and category data between accounting system and the Miva store. If all 3 seats taken, it boots someone and then runs.

    I have read the docs at Authy and at Miva and I follow all the simple examples given in these docs but I am just not getting how to configure two factor authentication to cater for at least the above situations e.g how many Authy accounts are required 3 or 8 or some other number? How does Authy work for CRON jobs? How would the authentication work for the warehouse guy in the example above?

    The dots are just not connecting for me at present.

    #2
    FYI, I think you can run the cron jobs any time, without them requiring seats, if you use the temporarysession=1 parameter.

    On a related note, I assume that temporary sessions don't need to use two-factor auth?
    Kent Multer
    Magic Metal Productions
    http://TheMagicM.com
    * Web developer/designer
    * E-commerce and Miva
    * Author, The Official Miva Web Scripting Book -- available on-line:
    http://www.amazon.com/exec/obidos/IS...icmetalproducA



      #3
      Originally posted by Pete McNamara (original post, quoted above)
      I believe Two-Factor Authentication is applicable to Miva Admin Administrator Users. Do all these Users need to have Miva Admin Administrator Access? If the answer is no, then grant them access only to the screens/functions they need in order to accomplish their assigned tasks and the whole Two-Factor Authentication question becomes a non-issue.
      Thank you, Bill Davis



        #4
        Originally posted by William Davis

        I believe Two-Factor Authentication is applicable to Miva Admin Administrator Users. Do all these Users need to have Miva Admin Administrator Access? If the answer is no, then grant them access only to the screens/functions they need in order to accomplish their assigned tasks and the whole Two-Factor Authentication question becomes a non-issue.
        It is available, and ideally used, on all users, admin or not, given that even a non-admin user can still cause damage if unauthorized access were to occur. And yes, further restricting regular users is the ideal setup; 9.10.01 has started to make that process a bit easier with roles, so it's no longer a matter of going through a long list of on/off rights.
        David Hubbard
        CIO
        Miva
        http://www.miva.com



          #5
          Originally posted by Kent Multer
          FYI, I think you can run the cron jobs any time, without them requiring seats, if you use the temporarysession=1 parameter.

          On a related note, I assume that temporary sessions don't need to use two-factor auth?
          If it's a single-request job that sets the TemporarySession parameter, it will not be impacted by a given store currently operating at its seat limit. Two factor and temporary sessions are not necessarily related; for example, someone with a bookmarked special admin link they need to run on demand could use a temporary session to not cause seat issues but still use two factor.

          Now, more importantly, the reason why preexisting admin users have not had two factor mandated is because of scheduled task usage and the new API not being released yet. At some point in the future, once the API is out with much more secure ways to accomplish the same things cron jobs with credentials are currently used for, admin rights will require two factor, as there should be no need to use a traditional interactive user account for those tasks. There will be advance notice of that since it could break cron jobs.
          David Hubbard, CIO, Miva



            #6
            Originally posted by Pete McNamara (original post, quoted above)
            Two factor authentication's only purpose is security; it has no relation to seats, whose purpose is solely to limit the concurrent administrative use to what has been licensed or what is included in the software tier the given business is on. It ideally should be used on all users, whether they have administrative rights or not, as it involves very little extra burden when logging in, while dramatically improving security.

            Generally speaking, each employee of a given company that interacts with a copy of Miva Merchant should have their own unique username, and in fact security changes in Merchant are going to make it increasingly difficult, if not impossible, for users to share credentials given the serious security ramifications that has. Once each user has their own username, they, or the store admin(s), can then activate two factor authentication on a per-user basis. New usernames that are to be given administrative rights will require two factor authentication, and ultimately existing users with administrative rights will need it on as well. All employee usernames should also have an email address added to their user account so they can also have browser authentication occur; another security feature of 9.10+.

            Authy's primary goals are to allow TOTP-based two-factor to be device independent, and secure from key theft. In contrast to some other TOTP code generators, such as Google Authenticator, when you add a key to Authy, it is not stored on just the one device where Google Auth is located. This has the benefit of being able to generate the codes on more than one device, like phone vs tablet, or, if you lose your phone, you can log back in to Authy from a new phone and not have to re-generate all your TOTP keys on every application or website you had a key stored for. Additionally, unlike certain other TOTP generators (typically the browser plugin ones which should generally be avoided), you can't extract the TOTP key back out of Authy, so if your Authy account gets hacked or your iPhone is stolen and someone has access to Authy before you erase it or change your Authy credentials, they can't get the keys out to start generating your codes on their own device.

            Regarding cron jobs, the Miva Merchant API and app passwords should eliminate the issue of cron jobs and seats. You'd use an API credential implemented as a shared key, and the API user would be app-specific and limited in scope to performing just the tasks that are needed; no more need to use an admin level account to perform some otherwise simple task.

            Based on the scenario you outlined, it sounds like the company is losing far more in employee productivity cost than the monthly cost of adding an additional seat or two. Just a few of those phone calls back and forth per month likely cost more than the $50/mo seat charge.
            David Hubbard, CIO, Miva

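The cron-job remarks in #5 and in the post above describe the target state: the scheduled sync signs its requests with a shared key under an app-specific credential whose scope covers only the tasks it performs, instead of logging in as an interactive admin. Here is an added example of that shape; it is not Miva's JSON API or its request format (the thread says only "shared key" and "limited in scope"), so the header names, canonical string, route-to-scope map and credential names are this example's own assumptions. The job signs each request, the server recomputes the MAC, rejects stale or replayed timestamps, and only then checks that the credential's scopes cover the call, so a leaked cron key cannot be turned into, say, a user-management request.

```python
"""Scoped, key-signed API credential for a scheduled job, in place of a shared
interactive admin login.

Added illustration for this thread, NOT Miva's JSON API: header names, canonical
string, scope labels and routes below are this example's own assumptions.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ApiUser:
    token: str          # public identifier sent with each request
    secret: bytes       # shared key; never sent on the wire
    scopes: frozenset   # what this credential is allowed to do


# Hypothetical route -> scope map. The sync job in the thread reads orders and
# writes products, customers and categories; nothing else.
REQUIRED_SCOPE = {
    ("GET", "/api/orders"): "orders:read",
    ("PUT", "/api/products"): "products:write",
    ("PUT", "/api/customers"): "customers:write",
    ("PUT", "/api/categories"): "categories:write",
    ("DELETE", "/api/users"): "users:admin",
}


def canonical(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, time and body hash into one string so none can be swapped."""
    return f"{method}\n{path}\n{timestamp}\n{hashlib.sha256(body).hexdigest()}".encode()


def sign_request(user: ApiUser, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side (the cron job). Returns the headers to send with the request."""
    ts = int(time.time()) if timestamp is None else timestamp
    sig = hmac.new(user.secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Api-Token": user.token, "X-Api-Timestamp": str(ts), "X-Api-Signature": sig}


def verify_request(users: Dict[str, ApiUser], method: str, path: str,
                   headers: Dict[str, str], body: bytes,
                   now: Optional[int] = None, max_skew: int = 300,
                   seen: Optional[set] = None) -> Tuple[bool, str]:
    """Server side. Authenticate first, then authorise; return (accepted, reason)."""
    user = users.get(headers.get("X-Api-Token", ""))
    if user is None:
        return False, "unknown token"
    try:
        ts = int(headers.get("X-Api-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False, "stale timestamp"
    expected = hmac.new(user.secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Api-Signature", "")):
        return False, "bad signature"
    # Replay guard inside the skew window: a (token, signature) pair is accepted once.
    if seen is not None:
        key = (user.token, expected)
        if key in seen:
            return False, "replay"
        seen.add(key)
    scope = REQUIRED_SCOPE.get((method, path))
    if scope is None or scope not in user.scopes:
        return False, "out of scope"
    return True, "ok"


# Constructed sample credential for the order/product sync job (not a real key).
SYNC_JOB = ApiUser(
    token="sync-job-01",
    secret=b"example-shared-key-not-for-production",
    scopes=frozenset({"orders:read", "products:write", "customers:write", "categories:write"}),
)
USERS = {SYNC_JOB.token: SYNC_JOB}


def demo(now: int = 1_700_000_000) -> Dict[str, str]:
    """Runs the cases a practitioner checks; returns the server's reason per case."""
    seen: set = set()
    body = b'{"since": "2023-11-14T00:00:00Z"}'
    good = sign_request(SYNC_JOB, "GET", "/api/orders", body, timestamp=now)
    results = {
        "orders_read": verify_request(USERS, "GET", "/api/orders", good, body, now=now, seen=seen)[1],
        "replayed": verify_request(USERS, "GET", "/api/orders", good, body, now=now + 5, seen=seen)[1],
        "tampered_body": verify_request(USERS, "GET", "/api/orders", good, body + b" ", now=now)[1],
        "stale": verify_request(USERS, "GET", "/api/orders", good, body, now=now + 3600)[1],
    }
    # The job's own key correctly signs an admin-only call, but scope denies it.
    admin = sign_request(SYNC_JOB, "DELETE", "/api/users", b"", timestamp=now)
    results["delete_users"] = verify_request(USERS, "DELETE", "/api/users", admin, b"", now=now)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:14s} -> {reason}")
```

Two design points carry over to whatever API is actually used: the credential never counts against interactive seats because it is not a session at all, and the scope check is what makes it safe to exempt such credentials from two-factor, since a compromised job key can only do the job's own work.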


              #7
              Thanks guys, very good information. The dots are being connected.

              Also @David

              No, extra seats encourage laziness, inefficiency and a lack of regard for security, such that staff members will leave their browser and seat open while they go off and do other things. If seats are in short supply, they open one for the minimum time. A kind of "Parkinson's Law" situation.

