Hosting Discussion > Website Development & Design > Two factor authentication implementation...
(http://www.hostingdiscussion.com/website-development-design/41907-two-factor-authentication-implementation.html)


slob54 05-17-2016 04:10 AM

Two factor authentication implementation...
 
Hi all.. I am developing a website for my dad's men's wear store. We are planning to add online shopping features to the website. We are considering two factor authentication to prevent unauthorized access and thinking to approach <URL snipped>. What is your opinion on implementing TOTP for the website? Is it more secure? Is it possible to do the two factor authentication by myself? If so, please tell, how can I implement it? Please do reply asap.

cheapdedicated 05-17-2016 11:50 AM

If you use WordPress, you may consider a plugin called Two Factor Auth.

whmcsguru 05-17-2016 04:05 PM

One has to ask why.

If major retailers haven't gone down this road, then why would you want to? Target, Walmart, Amazon, Newegg, Ebay... These aren't small sites, and they've all avoided this for now.

It comes down to the amount of time put in vs the amount of frustration and reward. This is one you're probably going to have to rethink. I can't count the number of times I've taken 2fa off of sites just because it just doesn't work as well as it should.

Users get frustrated, they leave when you present them with more complications. That just cost you a customer.

slob54 05-18-2016 01:31 AM

Quote:

Originally Posted by whmcsguru (Post 191582)
One has to ask why.

If major retailers haven't gone down this road, then why would you want to? Target, Walmart, Amazon, Newegg, Ebay... These aren't small sites, and they've all avoided this for now.

It comes down to the amount of time put in vs the amount of frustration and reward. This is one you're probably going to have to rethink. I can't count the number of times I've taken 2fa off of sites just because it just doesn't work as well as it should.

Users get frustrated, they leave when you present them with more complications. That just cost you a customer.

Ok.. Then could you please tell me some reliable means to secure the user side?

cheapdedicated 05-18-2016 03:53 AM

Quote:

Originally Posted by slob54 (Post 191614)
Ok.. Then could you please tell me some reliable means to secure the user side?

You will need a combination:
Install an SSL.
Check and limit use of weak passwords.
Have security questions added to your system during password recovery.
You may also (if really necessary) demand a password change after X months.
Unless it's necessary, you may also not store CC.

The list is definitely endless; just determine what is best suited for you.
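The "check and limit use of weak passwords" item above is the one that is easy to get wrong with a naive word list. Below is an added example (not code from the thread or from any poster) of a server-side check that normalizes common substitutions before consulting a deny list, so that "P@ssw0rd2016!" is still caught. The deny list, the minimum length of 10 and the email-name check are constructed assumptions for this example; a real shop would load a large breached-password list instead.

```python
import re

# Constructed deny list for this example only (assumption). A real deployment
# would load a large breached-password list instead of this handful of words.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "iloveyou", "admin", "monkey", "dragon", "football", "shopping",
}

# Minimum length chosen for this example (assumption).
MIN_LENGTH = 10

# Substitutions people use to get "password" past a naive deny list.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password: str) -> str:
    """Lowercase, drop trailing digits/symbols, then undo leet substitutions,
    so 'P@ssw0rd2016!' collapses to 'password' for the deny-list lookup."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)   # strip the trailing '2016!' first
    return p.translate(LEET_MAP)     # then p@ssw0rd -> password


def check_password(password: str, email: str = "") -> list:
    """Return the list of reasons the password is weak; an empty list means
    it passed. Checks length, the deny list (raw and normalized), character
    variety, and reuse of the account's email name."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    local = email.split("@")[0].lower() if email else ""
    if len(local) >= 4 and local in password.lower():
        problems.append("contains the account's email name")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for pw, mail in [("P@ssw0rd2016!", ""), ("jdoe2016secret!", "jdoe@example.com"),
                     ("correct horse battery staple", "")]:
        print(repr(pw), "->", check_password(pw, mail) or "ok")
```

Return the reasons to the customer instead of a bare "password rejected" so the frustration whmcsguru describes below is kept to a minimum: the user sees exactly which rule tripped and what to change.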

whmcsguru 05-18-2016 07:07 AM

I wouldn't really recommend password changes, or password strength requirements, as this will just cause more security issues down the road.

As far as storing their card, don't do it directly, but go with a token based processor, such as Quantum Vault or authorize.net or even stripe. Make them do the heavy lifting for you.

Adding to the above post though, let your users know somehow when they last logged in, what IP from. Why? If they don't recognize it, they'll contact you.

Make sure you store all logins for the customer. Time, date, IP, hostname. Why? It'll make things much easier for you in the long run.

Security questions are good, but don't make them too good. Remember, not everyone is married, dating someone, has a car, drives, has a pet. Stick with the basics, and allowing them to write their own question is always a good thing.
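The two suggestions above (tell the customer when and from where they last logged in, and keep every login with time, IP and hostname) fit together in one small audit record. The following is an added example, not code from the thread or from any poster: an append-only login log that, at each successful login, checks whether the address has ever been seen on the account before recording the event, and builds the "last login" banner from the previous entry. The in-memory list stands in for a database table, and the hostname is passed in already resolved (both assumptions; production code would do the reverse lookup at login time and persist the rows).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LoginEvent:
    username: str
    at: datetime      # stored in UTC; render in the customer's zone when displaying
    ip: str
    hostname: str     # reverse DNS of ip, resolved at login time (passed in here)


class LoginAudit:
    """Append-only record of successful logins. The list below stands in for a
    database table (assumption for this example)."""

    def __init__(self) -> None:
        self._events: List[LoginEvent] = []

    def history(self, username: str) -> List[LoginEvent]:
        return [e for e in self._events if e.username == username]

    def last_login(self, username: str) -> Optional[LoginEvent]:
        h = self.history(username)
        return h[-1] if h else None

    def is_new_ip(self, username: str, ip: str) -> bool:
        """True if this account has never logged in from ip before."""
        return all(e.ip != ip for e in self.history(username))

    def login(self, username: str, ip: str, hostname: str,
              at: Optional[datetime] = None) -> Tuple[Optional[str], bool]:
        """Call after the password (and any second factor) has been verified.
        Returns (banner_text, ip_is_new). The novelty check runs before the
        event is recorded so the current login does not count as 'seen'."""
        new_ip = self.is_new_ip(username, ip)
        prev = self.last_login(username)
        self._events.append(LoginEvent(username, at or datetime.now(timezone.utc), ip, hostname))
        if prev is None:
            return None, new_ip   # first login: nothing to show yet
        banner = (f"Last login: {prev.at:%Y-%m-%d %H:%M} UTC "
                  f"from {prev.ip} ({prev.hostname}).")
        if new_ip:
            banner += " This sign-in is from an address not seen on your account before."
        return banner, new_ip


if __name__ == "__main__":
    # Constructed sample logins (documentation IP ranges, made-up hostnames).
    audit = LoginAudit()
    t = datetime(2016, 5, 18, 7, 7, tzinfo=timezone.utc)
    print(audit.login("dad", "203.0.113.5", "host5.example.net", t))
    print(audit.login("dad", "198.51.100.9", "other.example.org", t))
    print(len(audit.history("dad")), "logins stored")
```

The banner is deliberately built from the previous event rather than the current one: the customer already knows about the login they just made, and the useful question is whether the one before it was theirs.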

easyhostmedia 05-18-2016 07:18 AM

Quote:

Originally Posted by whmcsguru (Post 191634)
I wouldn't really recommend password changes, or password strength requirements, as this will just cause more security issues down the road.

How?

You check with any security expert and they will also recommend regular password changes and set up password strength requirements which provides better security.

we have password strength requirements set and have our system set so users are forced to change their passwords every 3 months.

whmcsguru 05-18-2016 07:35 AM

Anything you do to frustrate your customers is going to cost you a customer. While many people (myself included) swear by password managers for websites and do come up with some rather complicated ones, the majority do not and won't. If they see you forcing them to change their password, or come up with a complexity they don't like, they'll leave.

Again, look at the example of the major sites and go from there. Yes, there are a few that require password changes, but most do not, and for a reason. Customers tend to just simply walk away, with their pocketbooks in hand.

easyhostmedia 05-18-2016 07:44 AM

Quote:

Originally Posted by whmcsguru (Post 191640)
Anything you do to frustrate your customers is going to cost you a customer. While many people (myself included) swear by password managers for websites and do come up with some rather complicated ones, the majority do not and won't. If they see you forcing them to change their password, or come up with a complexity they don't like, they'll leave.

Again, look at the example of the major sites and go from there. Yes, there are a few that require password changes, but most do not, and for a reason. Customers tend to just simply walk away, with their pocketbooks in hand.

Never lost any customer due to this since I started in 1999.

even WHMCS now require its users to change their passwords on a regular basis.

One reason many accounts get hacked etc. is due to people using simple word passwords. Yes, most people won't use password managers, so you need to educate these into making sure their sites are secure in as many ways as possible, and if that means them changing their passwords on a regular basis then so be it.

cheapdedicated 05-18-2016 07:55 AM

Quote:

Originally Posted by whmcsguru (Post 191640)
Anything you do to frustrate your customers is going to cost you a customer. While many people (myself included) swear by password managers for websites and do come up with some rather complicated ones, the majority do not and won't. If they see you forcing them to change their password, or come up with a complexity they don't like, they'll leave.

Again, look at the example of the major sites and go from there. Yes, there are a few that require password changes, but most do not, and for a reason. Customers tend to just simply walk away, with their pocketbooks in hand.

To the best of our knowledge we have not lost a client due to asking that they pick a fairly secure password, BUT even if that were the case, I would rather lose a client than compromise their security because I want it to be so easy for them. To me security is number 1 along that route.

easyhostmedia 05-18-2016 08:13 AM

Quote:

Originally Posted by cheapdedicated (Post 191642)
To the best of our knowledge we have not lost a client due to asking that they pick a fairly secure password, BUT even if that were the case, I would rather lose a client than compromise their security because I want it to be so easy for them. To me security is number 1 along that route.

I agree. If a client will not use a secure password then they could compromise the whole server if someone gains access to their site, so are these clients worth keeping?

cheapdedicated 05-18-2016 08:18 AM

Quote:

Originally Posted by easyhostmedia (Post 191643)
I agree. If a client will not use a secure password then they could compromise the whole server if someone gains access to their site, so are these clients worth keeping?

By the way as long as you guide the client on what they need in their password to be secure, they very easily follow. Of course since sometimes they may forget the secure password the "Forgot Password" should be easy to see and Use to limit those frustrations.

whmcsguru 05-18-2016 11:55 AM

We're not talking hosting accounts here, we're talking a shop, a store. If a hosting client has a bad password, then yes, something could be compromised on the server. If a store has a bad password, well, all that's going to happen is their account will get hacked and someone can order using it. Big, big difference here.

easyhostmedia 05-18-2016 12:03 PM

Quote:

Originally Posted by whmcsguru (Post 191650)
If a store has a bad password, well, all that's going to happen is their account will get hacked and someone can order using it.

WRONG. What do you store in an account?

name
address
DOB
credit card details
etc.

A lot can happen due to weak passwords (ID theft), and even in an online store a sophisticated gang could hack into your account and then find a way into the store's server.

WiredBladeCom 07-26-2016 04:39 PM

It is definitely more secure and quite easy to set up. Google 'How to set up two-factor authentication' and you will find plenty of useful tutorials. I set one up myself and it took only a couple of hours.
