Hi all.. I am developing a website for my dad's men's wear store. We are planning to add online shopping features to the website. We are considering two factor authentication to prevent unauthorized access and thinking to approach <URL snipped>. What is your opinion on implementing TOTP for the website? Is it more secure? Is it possible to do the two factor authentication by myself? If so, please tell, how can I implement it?Please do reply asap
Two factor authentication implementation...
- Thread starter slob54
- Start date
cheapdedicated
New member
If you use wordpress you may consider a plugin called Two Factor Auth
whmcsguru
Active member
One has to ask why.
If major retailers haven't gone down this road, then why would you want to? Target, Walmart, Amazon, Newegg, Ebay... These aren't small sites, and they've all avoided this for now.
It comes down to the amount of time put in vs the amount of frustration and reward. This is one you're probably going to have to rethink. I can't count the number of times I've taken 2fa off of sites just because it just doesn't work as well as it should.
Users get frustrated, they leave when you present them with more complications. That just cost you a customer.
If major retailers haven't gone down this road, then why would you want to? Target, Walmart, Amazon, Newegg, Ebay... These aren't small sites, and they've all avoided this for now.
It comes down to the amount of time put in vs the amount of frustration and reward. This is one you're probably going to have to rethink. I can't count the number of times I've taken 2fa off of sites just because it just doesn't work as well as it should.
Users get frustrated, they leave when you present them with more complications. That just cost you a customer.
Ok.. Then could you please tell me some reliable means to secure the user side?
cheapdedicated
New member
You will need a combination
Install an SSL
Check and limit use of weak passwords
Have security Question added to your system during password recovery.
You may also (If really necessary) demand a password change after X months.
Unless its necessary you may also not store CC
The list is definitely endless just determine what is best suited for you.
whmcsguru
Active member
I wouldn't really recommend password changes, or password strength requirements, as this will just cause more security issues down the road.
As far as storing their card, don't do it directly, but go with a token based processor, such as Quantum Vault or authorize.net or even stripe. Make them do the heavy lifting for you.
Adding to the above post though, let your users know somehow when they last logged in, what IP from. Why? If they don't recognize it, they'll contact you.
Make sure you store all logins for the customer. Time, date, ip, hostname. Why ? It'll make things much easier for you in the longrun.
Security questions are good, but don't make them too good. Remember, not everyone is married, dating someone, has a car, drives, has a pet. Stick with the basics, and allowing them to write their own question is always a good thing.
As far as storing their card, don't do it directly, but go with a token based processor, such as Quantum Vault or authorize.net or even stripe. Make them do the heavy lifting for you.
Adding to the above post though, let your users know somehow when they last logged in, what IP from. Why? If they don't recognize it, they'll contact you.
Make sure you store all logins for the customer. Time, date, ip, hostname. Why ? It'll make things much easier for you in the longrun.
Security questions are good, but don't make them too good. Remember, not everyone is married, dating someone, has a car, drives, has a pet. Stick with the basics, and allowing them to write their own question is always a good thing.
easyhostmedia
Well-known member
How?
You check with any security expert and they will also recommend regular password changes and set up password strength requirements which provides better security.
we have password strength requirements set and have our system set so users are forced to change their passwords every 3 months.
whmcsguru
Active member
Anything you do to frustrate your customers is going to cost you a customer. While many people (myself included) swear by password managers for websites and do come up with some rather complicated ones, the majority do not and won't. If they see you forcing them to change their password, or come up with a complexity they don't like, they'll leave.
Again, look at the example of the major sites and go from there. Yes, there are a few that require password changes, but most do not, and for a reason. Customers tend to just simply walk away, with their pocketbooks in hand.
Again, look at the example of the major sites and go from there. Yes, there are a few that require password changes, but most do not, and for a reason. Customers tend to just simply walk away, with their pocketbooks in hand.
easyhostmedia
Well-known member
never lost any customer due to this since i started in 1999.
even WHMCS now require its users to change their passwords on a regular basis.
1 reason many accounts get hacked etc. is due to people using simple word passwords. yes most people wont use password managers, so you need to educate these into making sure their sites are secure in as many ways as possible and if that means them to change their passwords on a regular basis then be it.
Last edited:
cheapdedicated
New member
To the best of our knowledge we have not lost a client due to asking that they pick a fairly secure password BUT even if that were the case, I would rather lose a client than compromize their security because I want it to be so easy for them. To me security is number 1 along that route.
easyhostmedia
Well-known member
I agree, if a client will not use a secure password then they could compromise the whole server if someone gains access to their site, so are these clients worth keeping.
cheapdedicated
New member
By the way as long as you guide the client on what they need in their password to be secure, they very easily follow. Of course since sometimes they may forget the secure password the "Forgot Password" should be easy to see and Use to limit those frustrations.
whmcsguru
Active member
We're not talking hosting accounts here, we're talking a shop, a store. If a hosting client has a bad password, then yes, something could be compromised on the server. If a store has a bad password, well, all that's going to happen is their account will get hacked and someone can order using it. Big, big difference here.
easyhostmedia
Well-known member
WRONG. what do you store in an account
name
address
DOB
credit card details
etc.
a lot can happen due to weak passwords (ID theft) and even in an online store a sophisticated gang could hack into your account and then find a way into the stores server.
WiredBladeCom
Member
It is definitely more secure and quite easy to set up. Google 'How to set up two-factor authentication' and you will find plenty useful tutorials. I set up one myself and it took only couple of hours.
I will suggest not to bother user to confirm their identity with Two-Factor Auth every time when they want to log in!
On the other hand, you may perform a basis check of IP address when they login. Assuming that you store login IP Addresses history, you may compare locations! If once the login IP is from Kazakhstan and the user is from USA, and he usually login from USA, then you may push Two-Factor Auto to confirm his identity.
You can also push T-F Auth on big orders.
On the other hand, you may perform a basis check of IP address when they login. Assuming that you store login IP Addresses history, you may compare locations! If once the login IP is from Kazakhstan and the user is from USA, and he usually login from USA, then you may push Two-Factor Auto to confirm his identity.
You can also push T-F Auth on big orders.
Alex - A2 Hosting
Active member
I agree with people that you should avoid making things a hassle for your customers. At the same time, certain customers (especially any larger, stricter companies that you may or may not get) may wish to have additional security measures in place.
You could meet your clients in the middle. Have a mix of the standard: SSL certificate, password strength hints etc but then offer 2 factor to those that want to enable in the clients portal. Those that want it, have it. Those that would have stopped buying from you simply don't have to enable it.
@1wayhosting - Google uses Geo detection when you sign in to any Google service and will act according to how a profile is set up. In some cases it will just send an alert to the backup email account informing them a login to place, the general location an device. But if set to do so, it can actually block the login until you provide additional verification (SMS, secret q answer etc).
You could meet your clients in the middle. Have a mix of the standard: SSL certificate, password strength hints etc but then offer 2 factor to those that want to enable in the clients portal. Those that want it, have it. Those that would have stopped buying from you simply don't have to enable it.
@1wayhosting - Google uses Geo detection when you sign in to any Google service and will act according to how a profile is set up. In some cases it will just send an alert to the backup email account informing them a login to place, the general location an device. But if set to do so, it can actually block the login until you provide additional verification (SMS, secret q answer etc).
There was an interesting small article out yesterday discussing how NIST is now recommending that SMS should no longer be used in TFA.
https://www.engadget.com/2016/07/26/nist-sms-two-factor-authentication-guidelines/
https://www.engadget.com/2016/07/26/nist-sms-two-factor-authentication-guidelines/
easyhostmedia
Well-known member
cPanel now provide Two-Factor Auth which can be enabled in the root WHM.
This then places a icon in clients cPanel, so clients can chose to enable this or not.
Yes it may but some clients off, but for us as business owners the more lines of security we can use helps protect our infrastructures
This then places a icon in clients cPanel, so clients can chose to enable this or not.
Yes it may but some clients off, but for us as business owners the more lines of security we can use helps protect our infrastructures
serverbundle
New member
Personally, two-factor authentication is really something which should be available as a feature on all major websites or places where crucial data is being stored.
Nowadays there are a lot of different services which help to make the two-factor authentication process for the client as smooth as possible to name a few - Google Authenticator , Authy , LastPass ( Now supports Two Factor ).
Nowadays there are a lot of different services which help to make the two-factor authentication process for the client as smooth as possible to name a few - Google Authenticator , Authy , LastPass ( Now supports Two Factor ).
Latest posts
-
Google sells domain division to Squarespace - DNS edits are a nightmare- Latest: Greenhost.cloud
-
Migrating from cPanel to DirectAdmin: Your Experiences?
- Latest: Greenhost.cloud
-
Forum supporters
Save 37% Off Plesk License
Official Plesk Partner, Instant License Delivery, No Contract Commitment. Grab Your Savings NOW!
cplicense.net
Official Plesk Partner, Instant License Delivery, No Contract Commitment. Grab Your Savings NOW!
cplicense.net
Up to 30% Off on KVM VPS
Significant discounts on KVM VPS SSD. Worldwide Locations. Full Root Access. Instant Deployment.
greenwebpage.com
Significant discounts on KVM VPS SSD. Worldwide Locations. Full Root Access. Instant Deployment.
greenwebpage.com