Enable FIDO Strong-Authentication

With all the data-breaches and insecurity on the internet, it would be helpful if Magento enabled FIDO strong-authentication as a standard feature to protect user accounts from getting hacked.  Savvy users can then choose to protect themselves with a FIDO Authenticator instead of just userid/passwords.

 

FIDO is an industry-standard security protocol for web-applications, currently enabled on sites like Google, Facebook, SFDC and many other sites.  It will soon be standardized by the W3C for WebAuthentication.  But, by having Magento include it as a standard feature, it will enable one of the strongest authentication protocols on the market for Magento sites and their customers. 

 

We will be happy to provide some source-code to enable this - we've already implemented the core protocol into Magento 2, but since we're not Magento experts, we'd ideally like to see Magento include/adapt it into their core product. 

 

Let me know how we can help further.  Thanks.

6 Comments
MagenX
Super Contributor

Yes, there are lots of 2FA plugins already for Magento 2.

They must add it to configuration options.

But as you can see, this is only good for admin, not for frontend customers.

 

------------
MagenX - Magento and Server optimization
arshadnoor
Regular Visitor

I had not intended to mention this earlier, in case it is perceived as self-promotion, but at Noon EST today (November 14, 2017), we are demonstrating the use of FIDO for end-users in a Magento 2 purchase-flow, as part of a project with the US NIST National Cybersecurity Center of Excellence to enable Multi-factor Authentication for e-Commerce. The webinar is free to attend and you can register here.

arshadnoor
Regular Visitor

You can test FIDO inside Magento by navigating to our Magento Demo, registering a test account with a FIDO Security Key and walking through a few purchasing transactions.  Please note that the demo is a proof-of-concept and neither uses production-quality code nor incorporates necessary user-key management functions in the UX.  Other requirements are:

  • You must use the Chrome browser - v43 or greater - to use FIDO;
  • You must have a FIDO Certified U2F Authenticator to test the process;
  • You do not need to use a real e-mail address - we do not need it for anything;
  • You do not need to put in a real physical address - we will not be shipping anything;
  • You do not need to put in a credit-card number anywhere - we do not ask for it anywhere;
  • Transactions less than USD25 will not trigger FIDO strong-authentication - this was hard-coded for testing;
  • Transactions greater than USD25 will trigger FIDO strong-authentication.

I will update this thread with a link to source-code and documentation on the changes we made to Magento 2 for FIDO.  I encourage interested parties to learn how the simple step of FIDO-enabling an e-commerce application has the potential to eliminate fraud while strengthening the relationship between merchants and their customers.

arshadnoor
Regular Visitor
Further update on Magento + FIDO. We have released the source code to the FIDO U2F integration in Magento 2 into the open-source community. You can find it here: https://sourceforge.net/projects/magfido/. Please don't forget to read the PDF documentation (https://sourceforge.net/projects/magfido/files/StrongAuth-Magento-FIDO-Integration-v1.1.pdf/download) before attempting to integrate it into your site instance. If you have any questions, please post questions on the forum at SourceForge or here. Have fun!
arshadnoor
Regular Visitor

NIST National Cybersecurity Center of Excellence (NCCoE), today announced availability of the DRAFT Special Publication 1800-17: Multifactor Authentication for eCommerce (https://www.nccoe.nist.gov/projects/use-cases/multifactor-authentication-ecommerce). The practice guide uses FIDO U2F with the Magento 2 platform to demonstrate risk-mitigation of e-commerce fraud. Full guide is downloadable, and anyone may submit comments to NIST NCCoE at their site. Enjoy!

chrisevans5188
Occasional Contributor

Hello

 

Please check out Magento 2 Factor Authentication (2FA) extension from miniOrange. This extension adds an extra layer of security to your Magento store by requiring two-factor authentication for admin and customer accounts.

 

Features provided in the extension:-

  • 15+ Authentication Methods (Google Authenticator, Microsoft Authenticator, Duo Authenticator, OTP over WhatsApp, etc.)
  • Enforce 2FA registration of User
  • Enable if your users want to change the 2FA method
  • Allow specific 2FA methods to configure in inline registration
  • Role Based 2FA
  • Backup Codes
  • Blacklist and whitelist IPs etc.

 

Please check out this link to know more about the Magento 2FA extension by miniOrange

 

We at miniOrange provide state-of-the-art plugins for Magento with custom modifications to cater to your every need. Please reach out to us at magentosupport@xecurify.com to discuss your requirement in detail and then provide you with this solution accordingly.