Two factor authentication implementation...

slob54

New member
Hi all.. I am developing a website for my dad's men's wear store. We are planning to add online shopping features to the website. We are considering two factor authentication to prevent unauthorized access and thinking of approaching <URL snipped>. What is your opinion on implementing TOTP for the website? Is it more secure? Is it possible to do the two factor authentication by myself? If so, please tell, how can I implement it? Please do reply asap.
 
One has to ask why.

If major retailers haven't gone down this road, then why would you want to? Target, Walmart, Amazon, Newegg, Ebay... These aren't small sites, and they've all avoided this for now.

It comes down to the amount of time put in vs the amount of frustration and reward. This is one you're probably going to have to rethink. I can't count the number of times I've taken 2fa off of sites just because it just doesn't work as well as it should.

Users get frustrated, they leave when you present them with more complications. That just cost you a customer.
 

Ok.. Then could you please tell me some reliable means to secure the user side?
 
You will need a combination:
Install an SSL
Check and limit use of weak passwords
Have a security question added to your system during password recovery.
You may also (if really necessary) demand a password change after X months.
Unless it's necessary, you may also not store CC.

The list is definitely endless just determine what is best suited for you.
 
I wouldn't really recommend password changes, or password strength requirements, as this will just cause more security issues down the road.

As far as storing their card, don't do it directly, but go with a token-based processor, such as Quantum Vault or authorize.net or even stripe. Make them do the heavy lifting for you.

Adding to the above post though, let your users know somehow when they last logged in, and from what IP. Why? If they don't recognize it, they'll contact you.

Make sure you store all logins for the customer: time, date, IP, hostname. Why? It'll make things much easier for you in the long run.

Security questions are good, but don't make them too good. Remember, not everyone is married, dating someone, has a car, drives, has a pet. Stick with the basics, and allowing them to write their own question is always a good thing.
 
I wouldn't really recommend password changes, or password strength requirements, as this will just cause more security issues down the road.

How?

Check with any security expert and they will also recommend regular password changes and setting up password strength requirements, which provide better security.

We have password strength requirements set, and have our system set so users are forced to change their passwords every 3 months.
 
Anything you do to frustrate your customers is going to cost you a customer. While many people (myself included) swear by password managers for websites and do come up with some rather complicated ones, the majority do not and won't. If they see you forcing them to change their password, or come up with a complexity they don't like, they'll leave.

Again, look at the example of the major sites and go from there. Yes, there are a few that require password changes, but most do not, and for a reason. Customers tend to just simply walk away, with their pocketbooks in hand.
 
Never lost any customer due to this since I started in 1999.

Even WHMCS now requires its users to change their passwords on a regular basis.

One reason many accounts get hacked etc. is people using simple word passwords. Yes, most people won't use password managers, so you need to educate them into making sure their sites are secure in as many ways as possible, and if that means having them change their passwords on a regular basis then so be it.
 

To the best of our knowledge we have not lost a client due to asking that they pick a fairly secure password, BUT even if that were the case, I would rather lose a client than compromise their security because I want it to be so easy for them. To me security is number 1 along that route.
 
I agree; if a client will not use a secure password then they could compromise the whole server if someone gains access to their site, so are these clients worth keeping?
 
By the way, as long as you guide the client on what they need in their password to be secure, they very easily follow. Of course, since sometimes they may forget the secure password, the "Forgot Password" should be easy to see and use to limit those frustrations.
 
We're not talking hosting accounts here, we're talking a shop, a store. If a hosting client has a bad password, then yes, something could be compromised on the server. If a store has a bad password, well, all that's going to happen is their account will get hacked and someone can order using it. Big, big difference here.
 
If a store has a bad password, well, all that's going to happen is their account will get hacked and someone can order using it.

WRONG. What do you store in an account?

name
address
DOB
credit card details
etc.

A lot can happen due to weak passwords (ID theft), and even in an online store a sophisticated gang could hack into your account and then find a way into the store's server.
 
It is definitely more secure and quite easy to set up. Google 'How to set up two-factor authentication' and you will find plenty of useful tutorials. I set one up myself and it took only a couple of hours.
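For the OP's question of whether TOTP can be implemented in-house, this is an added example (not code from the thread): HOTP per RFC 4226 and TOTP per RFC 6238 with the parameters Google Authenticator uses, plus a verifier that tolerates one step of clock drift and an otpauth:// URI for enrolment. TEST_SECRET is the RFC's published test secret, not a real key.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1
from typing import Optional
# Added example, not code from the thread: HOTP (RFC 4226) and TOTP (RFC 6238)
# with the parameters Google Authenticator uses: HMAC-SHA1, 30-second step, 6 digits.
STEP = 30
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """One HOTP value: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: Optional[int] = None) -> str:
    """TOTP value for the given Unix time (default: current time)."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // STEP)

def verify_totp(secret: bytes, submitted: str, now: Optional[int] = None,
                window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock
    drift); each comparison is constant-time. The caller must also refuse to
    accept the same code twice and rate-limit failed attempts."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return False
    if now is None:
        now = int(time.time())
    counter = now // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI to render as a QR code at enrolment (Key Uri Format)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")

# RFC 6238 appendix B test secret (ASCII "12345678901234567890"). Real per-user
# secrets come from os.urandom(20) and are stored encrypted, never logged.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(TEST_SECRET, 59))                       # 287082
    print(verify_totp(TEST_SECRET, "287082", now=59))  # True
```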
 
I would suggest not bothering users to confirm their identity with Two-Factor Auth every time they want to log in!
On the other hand, you may perform a basic check of the IP address when they log in. Assuming that you store login IP address history, you may compare locations! If one time the login IP is from Kazakhstan and the user is from the USA, and he usually logs in from the USA, then you may push Two-Factor Auth to confirm his identity.
You can also push T-F Auth on big orders.
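The risk-based approach in this post, together with the earlier advice to store every login (time, IP, hostname) and show users their last one, as an added example that is not from the thread. GEOIP is a constructed lookup table standing in for a GeoIP database, and BIG_ORDER and HISTORY_DAYS are assumed policy values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List
# Added example, not from the thread: require a second factor only when the login
# country is not among the user's recent ones or the order is big, using the
# stored login history (time, IP, hostname). GEOIP stands in for a GeoIP database.
GEOIP = {"203.0.113.7": "US", "198.51.100.22": "US", "192.0.2.150": "KZ"}  # constructed
BIG_ORDER = 500.00    # assumed policy threshold
HISTORY_DAYS = 90     # a country is "usual" if a completed login came from it this recently

@dataclass
class LoginRecord:    # one completed login; failed or challenged attempts are kept elsewhere
    when: datetime
    ip: str
    hostname: str
    country: str

def country_for(ip: str) -> str:
    return GEOIP.get(ip, "??")   # an unknown location is treated as unusual

def usual_countries(history: List[LoginRecord], now: datetime) -> set:
    cutoff = now - timedelta(days=HISTORY_DAYS)
    return {r.country for r in history if r.when >= cutoff}

def step_up_reasons(history: List[LoginRecord], ip: str, now: datetime,
                    order_total: float = 0.0) -> List[str]:
    """Reasons this login or order needs a second factor; an empty list means allow."""
    reasons = []
    country = country_for(ip)
    usual = usual_countries(history, now)
    if country not in usual:
        reasons.append(f"login from {country}, usual countries {sorted(usual)}")
    if order_total >= BIG_ORDER:
        reasons.append(f"order total {order_total:.2f} at or above {BIG_ORDER:.2f}")
    return reasons

def last_login_notice(history: List[LoginRecord]) -> str:
    """Shown after login so the user can report a session they do not recognise."""
    if not history:
        return "No previous logins on record."
    last = max(history, key=lambda r: r.when)
    return f"Last login {last.when:%Y-%m-%d %H:%M} UTC from {last.ip} ({last.country}, {last.hostname})"

NOW = datetime(2024, 3, 10, 12, 0)   # constructed clock for the sample history
def sample_history(now: datetime = NOW) -> List[LoginRecord]:
    # constructed: two recent US logins and one KZ login well outside the window
    return [LoginRecord(now - timedelta(days=5), "203.0.113.7", "home.example", "US"),
            LoginRecord(now - timedelta(days=40), "198.51.100.22", "work.example", "US"),
            LoginRecord(now - timedelta(days=200), "192.0.2.150", "hotel.example", "KZ")]
```

Only logins that actually completed (including any second-factor challenge) should be appended to the history, so a challenged attempt that fails never makes its country "usual".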
 
I agree with people that you should avoid making things a hassle for your customers. At the same time, certain customers (especially any larger, stricter companies that you may or may not get) may wish to have additional security measures in place.

You could meet your clients in the middle. Have a mix of the standard: SSL certificate, password strength hints etc but then offer 2 factor to those that want to enable in the clients portal. Those that want it, have it. Those that would have stopped buying from you simply don't have to enable it.

@1wayhosting - Google uses geo detection when you sign in to any Google service and will act according to how a profile is set up. In some cases it will just send an alert to the backup email account informing them a login took place, the general location and device. But if set to do so, it can actually block the login until you provide additional verification (SMS, secret question answer etc).
 
cPanel now provides Two-Factor Auth, which can be enabled in the root WHM.
This then places an icon in the client's cPanel, so clients can choose to enable this or not.

Yes, it may put some clients off, but for us as business owners the more lines of security we can use helps protect our infrastructures.
 
Personally, I think two-factor authentication is really something which should be available as a feature on all major websites or places where crucial data is being stored.

Nowadays there are a lot of different services which help to make the two-factor authentication process for the client as smooth as possible, to name a few: Google Authenticator, Authy, LastPass (now supports two factor).
 