2FA for Admin access

Merchant
From United States
Member since August 2024

Hey Tim & fellow litecarters!

Two-factor authentication is being implemented almost everywhere these days. Was wondering, are you planning to add it to the upcoming release – mostly for admin access, but a customer-side implementation might also be a great idea.

If there are no plans to implement it in the near future, what do you guys use for extra security on the admin access side of things?

Thank you!

Merchant
From United States
Member since August 2024

Maybe the /admin/ folder could at least be behind .htpasswd if it's not already?

Well, it's not 'admin' in my case, and the admin username is not 'root' or 'admin' either; also, the password is a complicated non-phrase combination, for a start. Adding an additional layer of protection would be a different KIND of protection. At the end of the day, passwords are hackable, either by interfering with the traffic or by hijacking the router, even though I have a hardcore firewall, but then again I might access the admin panel in a public space using a cell tower which is infiltrated by a bad actor.

I was looking more into adding the admin panel to the Tailscale subnet, to make it literally inaccessible outside of the VPN configuration, but I find it hard to implement using the same domain. So, going back to my main point: 2FA would resolve it rather quickly.
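One way to get what the post above describes (the admin path reachable only over Tailscale, on the same domain) is an nginx location block that accepts only Tailscale source addresses. This is an added example, not from the thread or from LiteCart. It assumes nginx serves the shop directly (no CDN or reverse proxy in front), that the web server itself is a Tailscale node, and that the admin path is /admin/ (substitute the renamed path).

```nginx
# Added example: restrict the admin path to clients connecting over the tailnet.
# Assumes nginx terminates the connection itself and the server is a Tailscale node.
location ^~ /admin/ {
    allow 100.64.0.0/10;          # Tailscale IPv4 addresses (CGNAT range)
    allow fd7a:115c:a1e0::/48;    # Tailscale IPv6 addresses
    deny  all;                    # everyone else gets 403, valid password or not

    # the usual PHP front-controller handling for this path stays as it was
    try_files $uri $uri/ /index.php?$args;
}
```

For the source address to be a Tailscale address, the browser has to reach the domain over the tailnet: on the admin's machine the shop's hostname must resolve to the server's Tailscale IP (a hosts entry or Tailscale split DNS), otherwise the request arrives on the public interface from a public address and is denied. That is the "same domain" difficulty the post mentions. Check it from a non-tailnet client with `curl -I https://shop.example.com/admin/` (hypothetical hostname), which should return 403. If a CDN or reverse proxy sits in front, nginx sees the proxy's address instead, so every request including the admin's is denied; in that case the rule has to be evaluated against the real client IP (ngx_http_realip_module) or not used at all.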

tim
Founder
From Sweden
Member since May 2013

It's on my wishlist. Pull requests are welcome.

Edit: Implemented for 3.0 using 2FA over email. Configurable per account.

Merchant
From United States
Member since August 2024

Edit: Implemented for 3.0 using 2FA over email. Configurable per account

Tim, honestly, this is phenomenal news! Thank you so much for that. Looking forward to 3.0 release now! Should we anticipate 2FA app integration, like Google Authenticator or such?

tim
Founder
From Sweden
Member since May 2013

If it's possible without dependency libraries I can look into it. Otherwise email will be what comes with the core.

Merchant
From United States
Member since August 2024

When I was looking into it, I ran into this page, which covers installing TOTP on your own custom domain/app: https://medium.com/techvraksh/setup-2fa-using-totp-in-your-app-347e8ff7ad4d
It does include two dependency libraries, but both are open-source.
Load-wise it should be lighter to implement TOTP rather than email generation, but I don't know what your implementation strategy looks like.
Thank you once again.
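Since the open question in the thread is whether TOTP can ship in the core without dependency libraries, here is an added example (not the thread's, the linked article's or LiteCart's code) of RFC 6238 TOTP built on RFC 4226 HOTP using only the Python standard library: an enrolment URI for authenticator apps, the code generator, and a verifier that tolerates one time step of clock skew, refuses replayed codes and compares in constant time. Function names such as verify_totp and the issuer/account strings are assumptions; RFC_TEST_SECRET is the test secret published in the RFCs, included so the output can be checked against the RFC tables.

```python
"""Dependency-free TOTP (RFC 6238) on top of HOTP (RFC 4226).

Added example for this thread, not LiteCart code. Only the standard library is used.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Published RFC 4226 / RFC 6238 test secret ("12345678901234567890" in base32).
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Random per-account shared secret, base32 without padding (what authenticator apps expect)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(issuer: str, account: str, secret_b32: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI to render as a QR code during enrolment (issuer/account are example values)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, zero-padded."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, code: str, last_used_counter: int, at=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Check a submitted code. Returns (accepted, counter_to_store).

    - accepts the current step and `window` steps either side (phone clock skew);
    - refuses any counter <= last_used_counter, so a code cannot be replayed inside the window;
    - compares with hmac.compare_digest so the check does not leak timing.
    The caller persists the returned counter per account whenever accepted is True.
    """
    code = code.replace(" ", "")
    if len(code) != digits or not code.isdigit():
        return False, last_used_counter
    current = (int(time.time()) if at is None else at) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), code):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    secret = generate_secret()
    print("enrol with:", provisioning_uri("LiteCart", "admin@example.com", secret))
    print("code right now:", totp(secret, int(time.time())))
```

The same three primitives (HMAC-SHA1, base32, big-endian pack) exist in PHP's standard build apart from base32, which is a few lines to write, so the approach transfers to a core implementation without a dependency library. Two points the linked article glosses over matter in practice: the secret must be stored per account with the same care as a password hash is not possible (it has to be recoverable), so keep it out of logs and backups in the clear, and the last accepted counter must be stored and checked, or an attacker who shoulder-surfs a code can reuse it for up to a minute.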

Moderator
From United States
Member since October 2019

I, too, would like to see TOTP support. Using an authenticator app is pretty slick, and it's also faster than email. Emails can take up to a minute (and possibly longer) to arrive, but TOTP is instantaneous.
