Should be time-based or counter-based (HOTP/TOTP), and support the Google Authenticator mobile app.

Magento: Two-Factor-Authentication

Implementation of two-factor authentication using Google's 2-Step Verification algorithm.

Abstract

Admin (backend) users whose role's resources are in the list of protected resources are asked to enter a one-time security code generated by the Google Authenticator app on their mobile phone after they have authenticated themselves in the admin using the standard login dialog. This ensures that critical resources in the admin have an extra protection layer that cannot be accessed by third parties without the one-time security code. This includes cases where someone's laptop is stolen or accessed by third parties.

NOTE: The default login is still required! 2FA is only an additional login step to increase security.

How to use it

  • Install the Google Authenticator app on your smartphone
  • Install this extension via Composer or modman
  • Log in to the Magento admin
  • You will be requested to scan the QR code with the Google Authenticator app and define security questions
  • Continue logging in

Installation using Composer

Add "magento-hackathon/magento-two-factor-authentication": "*" to the require section of your composer.json file or add it by calling the Composer shell command:

composer require magento-hackathon/magento-two-factor-authentication:*

Contributors

This project was initiated at the Magento Worldwide Online Hackathon, January 2014, and started as a proof-of-concept. The project was continued during the Pre-Imagine MageHackathon on May 11, 2014 and has received further updates and maintenance from community members since then.

License

MIT License (MIT)

Fancy Images

Admin-Usage

Step 1 - Log in to the Admin Panel

Login in Admin

Step 2 - Link the admin account with Google Authenticator - just scan the barcode

Link account to AuthenticatorApp

Step 3 - Redirect to "Two-Factor Authentication Setup"

My Account in Admin

After initial setup everything is simpler:
Login

Login in Admin

Enter code after Login

Enter code from Authenticator

Customer-Usage

Step 1 - Customer-Login

Login in customer account

Step 2 - Find the menu in customer account

Click the link

Step 3 - Activate it for the customer

Activate Two-Factor-Authentication for customer account

After initial setup everything is simpler:
Login

Customer login

Enter code after Login

Enter code from Authenticator

Recovery

Reset token for admin user (another account with access is needed, of course)

Reset token for user

Reset token for customer (admin access needed)

Reset token for customer