Passwords alone are not a good authentication mechanism. Too many things can go wrong with passwords for eCommerce retailers to trust them entirely: users choose weak passwords, reuse them across sites, or have them phished, leaked in a breach or captured by malware. Particularly in the eCommerce world, where sensitive data, money, and a business's reputation are on the line, something more than the humble password is needed.
Two-factor authentication is an effective way to supplement password logins. The more independent factors of identification a user can present to an authentication system, the higher the chance that they are who they claim to be. When you apply for a bank account, the bank will ask you for several forms of identification: maybe your passport, driver's license, and a utility bill with your address on it. It would be quite easy for a third party to get hold of any one of those, but it's unlikely they can get all three.
Two-factor authentication works on a similar principle. The password is one factor of authentication: something the user knows. A long, random password that only the user knows resists guessing, but it is still a single secret, and anyone who obtains it, whether by phishing, malware or a breach elsewhere, can use it.
Passwords often fall into the wrong hands, or are chosen poorly and easily guessed. TFA adds a second factor from a different category. It can be something the user is, like the fingerprint sensor in recent iPhones. Or it can be something the user has, like their phone or a small hardware token created for the purpose.
The most common form, and the one used by the Sentry Magento Two-Factor Authentication plugin, relies on a mobile device in the user's possession with an authenticator app installed. The app produces a number which is entered into the store's login interface. The number proves that the user has access to the enrolled device. Each number only works for a short time, so the eCommerce store can be confident that the user has the device in their possession right when they are logging in.
Depending on the system in use, the number is either typed into Magento's login interface by the user or sent to the store directly by the device (as with push-style approvals). In both cases the principle is the same: the user has to prove they know their password and have the TFA device in their possession. An attacker might steal the password, and they might steal the phone, but getting both together is vastly less likely. And if the phone is stolen or lost, it can simply be removed from the TFA system, rendering it useless to an attacker; the sooner that revocation happens, the smaller the window in which the lost device is still a valid factor.
The second factor usually comes from a third-party authenticator app or service. If you use Google's services, you're probably already familiar with Google Authenticator, a stand-alone app that computes codes on the phone without contacting any service at login time. TFA for Magento can use Google Authenticator and other authenticators, such as Duo Mobile.
The mechanism behind this form of TFA is simpler than it looks. During enrollment, the store and the app on the phone share a secret: a long random value, typically handed to the app as a QR code, that is infeasible to guess. Both sides then compute a code from that secret and the current time, using the TOTP algorithm (RFC 6238): the secret keys an HMAC over the current 30-second time step, and a few digits are extracted from the result. Because no one else knows the secret, no one else can compute the code, and a code that is observed is only useful until the time step ends, usually 30 seconds later. Two caveats matter in practice: the phone's and the server's clocks must agree to within a step or so, and a code that is phished and relayed to the store inside its window will still be accepted, so a server should also reject any code it has already seen.
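The computation described above, as an added example that is not code from the Sentry extension or from Google Authenticator: an RFC 4226 HOTP core, the RFC 6238 TOTP wrapper that derives the counter from the current 30-second step, and a server-side verifier that tolerates one step of clock skew, compares in constant time, and refuses to accept a code from a time step it has already accepted (the replay case). The secret is the published RFC 6238 SHA-1 test secret, the ASCII bytes `12345678901234567890`, so the outputs can be checked against the RFC; the base32 encoding is the form an authenticator app would receive via an `otpauth://` QR code.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed example secret (the RFC 6238 test secret, not a real key),
# base32-encoded as an authenticator app would receive it.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                last_used_step: Optional[int] = None,
                step: int = 30, window: int = 1,
                digits: int = 6) -> Tuple[bool, Optional[int]]:
    """Server-side check. Returns (accepted, step_to_record).

    - `window` steps of skew on either side are tolerated (clocks drift).
    - `last_used_step` is the step of the last code this account accepted;
      any candidate at or before it is rejected so a captured code cannot be
      replayed, even inside its 30-second validity window.
    """
    submitted = submitted.strip()
    if not (submitted.isdigit() and len(submitted) == digits):
        return False, last_used_step
    secret = base64.b32decode(secret_b32, casefold=True)
    current = at_time // step
    for candidate in range(current - window, current + window + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue                              # already consumed: treat as replay
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):
            return True, candidate                # caller persists this as last_used_step
    return False, last_used_step


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_SECRET_B32, now)
    print("current code:", code)
    ok, used = verify_totp(EXAMPLE_SECRET_B32, code, now)
    print("first use accepted:", ok)
    ok, _ = verify_totp(EXAMPLE_SECRET_B32, code, now, last_used_step=used)
    print("replay accepted:", ok)                 # False: same step rejected
```

The value returned as the second element of the tuple is what the store must persist per account after a successful login; without it, the verifier degrades to "any code within the window works once per attempt", which is exactly the gap a relayed phishing code exploits.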
Two-factor authentication can significantly enhance the security of Magento stores, and with the Sentry Magento TFA extension, it's simple to install and configure.