Two Factor Authentication Clarification

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Two Factor Authentication Clarification

    We manage several Miva accounts. We went through and upgraded them all and selected TOTP for Two-Factor Authentication. Two of us in the office installed Google Authenticator and all seemed to be working well. But how can we both access all the accounts without the other's cell phone? Is there not a way to do this from a desktop instead of a cell phone?

    #2
    Are you all trying to use the same account? If so, I think that would defeat the purpose.
    Leslie Kirk
    Miva Certified Developer
    Miva Merchant Specialist since 1997
    Previously of Webs Your Way
    (aka Leslie Nord leslienord)

    Email me: [email protected]
    www.lesliekirk.com

    Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr



      #3
      We both use the same username/password to login to the Miva admin area because we have different roles and are never logged in the store at the same time.



        #4
        The current intent in Miva Merchant's user configuration is for every person interacting with a given store to have their own unique account. There are no license limits on number of users, just simultaneous logins, so there's really no monetary or technical reason anyone should be sharing accounts at this point.

        The intent of trying to force the use of unique accounts is not only for security, but also for auditing, so any given change can be attributed to the user who made it. Each user, in current versions, will have an email address associated with their username, and at first login from any given device, will have to complete the browser validation process via a received email. Assuming two people shared access to the same email account, and both had access to a shared two-factor token (such as TOTP, where it is technically possible), you could get around this, albeit with some annoyance from each other invalidating the browser validation while flip-flopping between computers, and possibly even logging one another out since simultaneous access would not work, but otherwise it is technically possible.
        David Hubbard
        CIO
        Miva
        [email protected]
        http://www.miva.com



          #5
          Not providing a solution here, just passing on some 1st hand experience.

          There is a Chrome plugin/extension for the Google Auth app. I started using it instead of my smartphone. Then, the app crashed. I lost all the stores that had 2FA set up until then. Of the 8, I had backup tokens. I was able to log in and redo 2FA on the external device. For me the two lessons were:

          1) avoid using a browser extension
          2) ALWAYS download the Backup Tokens and store them in an accessible spot. I think it's a good idea; since only I can log into my account (LOL, AFAIK), I use my Google Drive space. If I don't have my cell for some reason, there is a way to grab a backup token.

          Scott
          Last edited by ids; 12-05-18, 11:55 AM.
          Need to offer Shipping Insurance?
          Interactive Design Solutions https://www.myids.net
          MivaMerchant Business Partner | Certified MivaMerchant Web Developer
          Competitive Rates, Custom Modules and Integrations, Store Integration
          AutoBaskets|Advanced Waitlist Integration|Ask about Shipping Insurance Integration
          My T-shirt Collection is mostly MivaCon T-shirts!!



            #6
            A more important reason to avoid a browser extension TOTP code generator is that a computer compromise usually means the two-factor no longer protects the account in question. Depending on the browser extension, it may also present an even worse situation, which would be allowing the TOTP key to be extracted in plain text by the attacker. With that, they would be able to generate the same codes. This is the downside of TOTP and why hardware tokens are attractive; you can't clone those regardless of whether the computer has malware.
            David Hubbard
            CIO
            Miva
            [email protected]
            http://www.miva.com

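The property behind both the original question and #6 is that a TOTP secret is just a shared key: every device enrolled from the same QR code, and anyone who lifts the key out of an extension's storage, computes the identical six-digit code. The block below is an added illustration, not code from the thread or from Miva; it implements RFC 4226 HOTP / RFC 6238 TOTP with Google Authenticator defaults (SHA-1, 6 digits, 30-second step) using only the Python standard library. The secret is a constructed example (the base32 form of the RFC 6238 reference seed, so the output can be checked against the RFC's published vectors), and `verify_totp` is a minimal server-side check that tolerates one step of clock drift and compares in constant time.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote, urlencode

# Constructed example secret, NOT a real store's key. It is the base32 form of
# the RFC 6238 reference seed b"12345678901234567890", so the codes produced here
# can be checked against the test vectors published in the RFC.
SHARED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with Google Authenticator defaults (SHA-1, 6 digits, 30 s).
    `at` is a Unix timestamp; None means "now". Every holder of the same
    secret (second phone, browser extension, attacker) gets the same answer."""
    key = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if at is None else at
    return hotp(key, now // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps of
    clock drift, comparing in constant time. A real server must additionally
    remember accepted codes and refuse replays; this stateless check does not."""
    if len(code) != digits or not code.isdigit():
        return False
    key = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if at is None else at
    counter = now // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Evaluate every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(key, c, digits), code)
    return ok


def enrollment_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// key URI an enrollment QR code encodes. Whoever scans it,
    or reads it back out of an app's storage, holds the whole key."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    t = 59  # RFC 6238 vector: expected 6-digit code 287082
    print("code at t=59 :", totp(SHARED_SECRET_B32, at=t))
    print("accepted 30 s later :", verify_totp(SHARED_SECRET_B32, totp(SHARED_SECRET_B32, at=t), at=t + 30))
    print("accepted 60 s later :", verify_totp(SHARED_SECRET_B32, totp(SHARED_SECRET_B32, at=t), at=t + 60))
    print(enrollment_uri(SHARED_SECRET_B32, "admin@example.com", "ExampleStore"))
```

Nothing in `totp` depends on which device runs it, which is the whole point of #6: a key copied out of a browser extension's storage is as good as the phone, and no amount of server-side checking can tell the copies apart. A hardware token changes that only because the key never leaves the device, not because the arithmetic differs.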


              #7
              Hmmm, I've been using Google Auth so far; but in light of this info, I might switch to a hardware key. Is it difficult to change the admin accounts at all my clients' stores, so that they use the key instead of the app? How would I do that?

              Thanks --
              Kent Multer
              Magic Metal Productions
              http://TheMagicM.com
              * Web developer/designer
              * E-commerce and Miva
              * Author, The Official Miva Web Scripting Book -- available on-line:
              http://www.amazon.com/exec/obidos/IS...icmetalproducA



                #8
                Google Auth worries me much less than a browser extension since the key is contained only (in theory) on the phone where the key was entered, and one would hope that Google has put the proper measures into the app to make the key impossible to extract in plain text, even with root access to the phone. However, you never know, and it still isn't as secure as hardware.

                In any case, changing your second factor is pretty easy. Log in, go to Users, find yourself and click Two-Factor Authentication, click Disable to turn off your current method, and then it will immediately allow you to enroll a new (or same) method and give you new backup keys. This is also a way to get new backup keys if the prior ones had been used up, even if not changing the method.

                Alternatively, an admin can also disable two factor for another admin and it will force them to enroll a new one upon next login.
                David Hubbard
                CIO
                Miva
                [email protected]
                http://www.miva.com
