Announcement

Collapse
No announcement yet.

Two Factor Authentication Clarification

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Two Factor Authentication Clarification

    We manage several miva accounts. We went through and upgraded them all and selected TOTP for Two-Factor Authentication. Two of us in the office installed Google Authenticator and all seemed to be working well. But how can we both access all the accounts without the others cell phone? Is there not a way to do this from a desktop instead of a cell phone?

  • Are you all trying to use the same account? If so, I think that would defeat the purpose.
    Leslie Kirk
    Miva Merchant Certified Developer
    Miva Merchant Specialist since 1997
    Previously of Webs Your Way
    (aka Leslie Nord leslienord)

    Email me: [email protected]
    www.lesliekirk.com

    Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr

    Comment


    • We both use the same username/password to login to the Miva admin area because we have different roles and are never logged in the store at the same time.

      Comment


      • The current intent in Miva Merchant's user configuration is for every person interacting with a given store to have their own unique account. There are no license limits on number of users, just simultaneous logins, so there's really no monetary or technical reason anyone should be sharing accounts at this point.

        The intent of trying to force the use of unique accounts is not only for security, but also for auditing, so any given change can be attributed to the user who made it. Each user, in current versions, will have an email address associated with their username, and at first login from any given device, will have to complete the browser validation process via a received email. Assuming two people shared access to the same email account, and both had access to a shared two factor token (such as TOTP where it is technically possible), you could get around this, albeit with some annoyance from each other invalidating the browser validation while flip flopping between computers, and possibly even logging one another out since simultaneous access would not work, but otherwise it is technically possible.
        David Hubbard
        CIO
        Miva
        [email protected]
        http://www.miva.com

        Comment


        • Not providing a solution here, just passing on some 1st hand experience.

          There is a Chrome plugin/extension for the Google Auth app. I started using it instead of my smartphone. Then, the app crashed. I lost all the stores that were 2FA up until then. Of the 8, I had backup tokens. I was able to log in and redo 2FA on the external device. For me the two lessons were:

          1) avoid using a browser extension
          2) ALWAYS download the Backup Tokens and store them in an accessible spot. I think it's a good idea since only I can log into my account (LOL AFAIK), I use my Google Drive space. If I don't have my cell for some reason, there is a way to grab a backup token.

          Scott
          Last edited by ids; 12-05-18, 11:55 AM.
          What help do you need today!
          Interactive Design Solutions http://www.southbound.com
          MivaMerchant Business Partner | Certified MivaMerchant Web Developer
          My T-shirt Collection is mostly MivaCon T-shirts!!
          Competitive Rates, Popular Modules, and Integrations:
          Product Copy | AutoBaskets | Waitlist Integration| Wholesale Integration

          Comment


          • A more important reason to avoid a browser extension TOTP code generator is that a computer compromise usually means the two factor no longer protects the account in question. Depending on the browser extension, it may also present an even worse situation, which would be allowing the TOTP key to be extracted in plain text by the attacker. With that, they would be able generate the same codes. This is the downside of TOTP and why hardware tokens are attractive; can't clone those regardless of whether the computer has malware.
            David Hubbard
            CIO
            Miva
            [email protected]
            http://www.miva.com

            Comment


            • Hmmm, I've been using Google Auth so far; but in light of this info, I might switch to a hardware key. Is it difficult to change the admin accounts at all my clients' stores, so that they use the key instead of the app? How would I do that?

              Thanks --
              Kent Multer
              Magic Metal Productions
              http://TheMagicM.com
              * Web developer/designer
              * E-commerce and Miva
              * Author, The Official Miva Web Scripting Book -- available on-line:
              http://www.amazon.com/exec/obidos/IS...icmetalproducA

              Comment


              • Google Auth worries me much less than browser extension since the key is contained only (in theory) on the phone where the key was entered, and one would hope that Google has put the proper measures into the app to make the key impossible to extract in plain text, even with root access to the phone. However, you never know, and it still isn't as secure as hardware.

                In any case, changing your second factor is pretty easy. Log in, go to Users, find yourself and click Two-Factor Authentication, click Disable to turn off your current method, and then it will immediately allow you to enroll a new (or same) method and give you new backup keys. This is also a way to get new backup keys if the prior ones had been used up, even if not changing the method.

                Alternatively, an admin can also disable two factor for another admin and it will force them to enroll a new one upon next login.
                David Hubbard
                CIO
                Miva
                [email protected]
                http://www.miva.com

                Comment

                Working...
                X

                This website uses cookies to identify visitors, track visitors to our website, store login session information and to remember your user preferences. By continuing to use this site you agree to our use of cookies. Learn More.

                This website uses cookies. By continuing to use this site you agree to our use of cookies. Learn More.

                Accept