
Enable FIDO Strong-Authentication

With all the data breaches and insecurity on the internet, it would be helpful if Magento enabled FIDO strong authentication as a standard feature to protect user accounts from getting hacked. Savvy users can then choose to protect themselves with a FIDO Authenticator instead of just user IDs/passwords.

FIDO is an industry-standard security protocol for web applications, currently enabled on sites like Google, Facebook, SFDC and many other sites. It will soon be standardized by the W3C for Web Authentication. But, by having Magento include it as a standard feature, it will enable one of the strongest authentication protocols on the market for Magento sites and their customers.

We will be happy to provide some source code to enable this - we've already implemented the core protocol into Magento 2, but since we're not Magento experts, we'd ideally like to see Magento include/adapt it into their core product.

Let me know how we can help further. Thanks.

3 Comments
Super Contributor

Yes, there are lots of 2FA plugins already for Magento 2.

They must add it to configuration options.

But as you can see, this is only good for admin, not for frontend customers.

 

------------
MagenX - Magento and Server optimization
Frequent Visitor

I had not intended to mention this earlier, in case it is perceived as self-promotion, but at noon EST today (November 14, 2017), we are demonstrating the use of FIDO for end-users in a Magento 2 purchase flow, as part of a project with the US NIST National Cybersecurity Center of Excellence to enable Multi-factor Authentication for e-Commerce. The webinar is free to attend and you can register here.

Frequent Visitor

You can test FIDO inside Magento by navigating to our Magento Demo, registering a test account with a FIDO Security Key and walking through a few purchasing transactions. Please note that the demo is a proof-of-concept and neither uses production-quality code nor incorporates necessary user-key management functions in the UX. Other requirements are:

  • You must use the Chrome browser - v43 or greater - to use FIDO;
  • You must have a FIDO Certified U2F Authenticator to test the process;
  • You do not need to use a real e-mail address - we do not need it for anything;
  • You do not need to put in a real physical address - we will not be shipping anything;
  • You do not need to put in a credit-card number anywhere - we do not ask for it anywhere;
  • Transactions less than USD25 will not trigger FIDO strong-authentication - this was hard-coded for testing;
  • Transactions greater than USD25 will trigger FIDO strong-authentication.

I will update this thread with a link to source code and documentation on the changes we made to Magento 2 for FIDO. I encourage interested parties to learn how the simple step of FIDO-enabling an e-commerce application has the potential to eliminate fraud while strengthening the relationship between merchants and their customers.
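The demo above describes the user-facing side (register a U2F key, then any order over the threshold asks for a touch of the key). What makes that step worth anything is the server-side check the store runs on the key's response before it accepts the order. The following is an added example of that check, not code from the demo or from Magento; it follows the FIDO U2F raw message format for a "sign" response (user-presence byte, 4-byte counter, DER ECDSA signature over SHA256(appId) | UP | counter | SHA256(clientData)). The appId https://shop.example, the toy authenticator that stands in for a real security key, and the counter values are assumptions for the example; the P-256 arithmetic is written out only so the script runs offline, and a production relying party would call a vetted crypto library instead.

```python
# Server-side check of a FIDO U2F "sign" (authentication) response, the step a
# Magento checkout would run before accepting an order over the demo's threshold.
# Added illustration, not the demo's code (U2F v1.2 raw message format). P-256 ECDSA
# is inlined so it runs offline; production code would use a vetted crypto library.
import base64, hashlib, json, os
# NIST P-256 domain parameters (FIPS 186-4); the curve coefficient a is -3.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if x1 == x2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        acc, pt, k = (_add(acc, pt) if k & 1 else acc), _add(pt, pt), k >> 1
    return acc

def _der_to_rs(der):  # DER ECDSA-Sig-Value: SEQUENCE { INTEGER r, INTEGER s }
    rl = der[3] if len(der) >= 8 else 0
    if not (len(der) >= 8 and der[:3] == bytes([0x30, len(der) - 2, 0x02])
            and 5 + rl < len(der) and der[4 + rl] == 0x02
            and 6 + rl + der[5 + rl] == len(der)):
        raise ValueError("bad DER signature")
    return (int.from_bytes(der[4:4 + rl], "big"),
            int.from_bytes(der[6 + rl:], "big"))

def _ecdsa_verify(pub, msg, r, s):
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

websafe_b64decode = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_sign_response(app_id, expected_challenge, allowed_origins,
                         registered_pub_key, last_counter, response):
    """Return the new counter to store, or raise; never fall back to password-only."""
    cd = json.loads(client_data := websafe_b64decode(response["clientData"]))
    if cd.get("typ") != "navigator.id.getAssertion":
        raise ValueError("wrong clientData type")
    if cd.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch: replay or wrong session")
    if cd.get("origin") not in allowed_origins:
        raise ValueError("origin not allowed: possible phishing page")
    sig_data = websafe_b64decode(response["signatureData"])
    if len(sig_data) < 6 or not sig_data[0] & 0x01:
        raise ValueError("user-presence bit not set")
    counter = int.from_bytes(sig_data[1:5], "big")
    if counter <= last_counter:
        raise ValueError("counter did not increase: possible cloned key")
    if len(registered_pub_key) != 65 or registered_pub_key[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed P-256 public key")
    pub = (int.from_bytes(registered_pub_key[1:33], "big"),
           int.from_bytes(registered_pub_key[33:], "big"))
    # Signed bytes: SHA256(appId) | user presence | counter | SHA256(clientData)
    signed = (hashlib.sha256(app_id.encode()).digest() + sig_data[:5]
              + hashlib.sha256(client_data).digest())
    if not _ecdsa_verify(pub, signed, *_der_to_rs(sig_data[5:])):
        raise ValueError("signature does not verify")
    return counter

def toy_authenticator_sign(priv, app_id, client_data, counter):
    """Constructed stand-in for a real U2F key: UP | counter | DER ECDSA sig."""
    head = b"\x01" + counter.to_bytes(4, "big")  # user presence set, counter
    z = int.from_bytes(hashlib.sha256(hashlib.sha256(app_id.encode()).digest()
                       + head + hashlib.sha256(client_data).digest()).digest(), "big")
    r = s = 0
    while not (r and s):
        k = int.from_bytes(os.urandom(32), "big") % N or 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
    def der_int(v):  # minimal DER INTEGER; leading 0x00 keeps it positive
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return b"\x02" + bytes([len(b)]) + b
    body = der_int(r) + der_int(s)
    return head + b"\x30" + bytes([len(body)]) + body

def make_checkout_fixture(counter=7, app_id="https://shop.example"):
    """Constructed exchange (app_id is assumed): (app_id, challenge, pub_key, response)."""
    priv = int.from_bytes(os.urandom(32), "big") % N or 1
    pub_key = b"\x04" + b"".join(c.to_bytes(32, "big") for c in _mul(priv, G))
    challenge = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": app_id}).encode()
    sig = toy_authenticator_sign(priv, app_id, client_data, counter)
    resp = {"clientData": base64.urlsafe_b64encode(client_data).decode(),
            "signatureData": base64.urlsafe_b64encode(sig).decode()}
    return app_id, challenge, pub_key, resp
```

`make_checkout_fixture()` plays one checkout: the store issues a fresh challenge, the (toy) key signs it, and `verify_sign_response()` either returns the counter to persist for that key or raises. The order of the checks matters in practice: the challenge and origin checks are what stop a phishing page from relaying a live assertion, the user-presence bit proves a physical touch, and the monotonically increasing counter is the only signal the relying party has that a key was cloned, so a non-increasing counter must be treated as a hard failure, not a warning. The USD25 threshold in the demo is policy about when to call this check; everything below it is what the check must do when it is called.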