With all the data-breaches and insecurity on the internet, it would be helpful if Magento enabled FIDO strong-authentication as a standard feature to protect user accounts from getting hacked. Savvy users can then choose to protect themselves with a FIDO Authenticator instead of just userid/passwords.
FIDO is an industry-standard security protocol for web-applications, currently enabled on sites like Google, Facebook, SFDC and many other sites. It will soon be standardized by the W3C for WebAuthentication. But, by having Magento include it as a standard feature, it will enable one of the strongest authentication protocols on the market for Magento sites and their customers.
We will be happy to provide some source-code to enable this - we've already implemented the core protocol into Magento 2, but since we're not Magento experts, we'd ideally like to see Magento include/adapt it into their core product.
Let me know how we can help further. Thanks.
Yes, there are lots of 2FA plugins already for Magento 2.
They must add it to configuration options.
But as you can see, this is only good for admin, not for frontend customers.
I had not intended to mention this earlier, in case it is perceived as self-promotion, but at Noon EST today (November 14, 2017), we are demonstrating the use of FIDO for end-users in a Magento 2 purchase-flow, as part of a project with the US NIST National Cybersecurity Center of Excellence to enable Multi-factor Authentication for e-Commerce. The webinar is free to attend and you can register here.
You can test FIDO inside Magento by navigating to our Magento Demo, registering a test account with a FIDO Security Key and walking through a few purchasing transactions. Please note that the demo is a proof-of-concept and neither uses production-quality code nor incorporates necessary user-key management functions in the UX. Other requirements are:
I will update this thread with a link to source-code and documentation on the changes we made to Magento 2 for FIDO. I encourage interested parties to learn how the simple step of FIDO-enabling an e-commerce application has the potential to eliminate fraud while strengthening the relationship between merchants and their customers.
The NIST National Cybersecurity Center of Excellence (NCCoE) today announced availability of the DRAFT Special Publication 1800-17: Multifactor Authentication for eCommerce (https://www.nccoe.nist.gov/projects/use-cases/multifactor-authentication-ecommerce). The practice guide uses FIDO U2F with the Magento 2 platform to demonstrate risk-mitigation of e-commerce fraud. The full guide is downloadable, and anyone may submit comments to NIST NCCoE at their site. Enjoy!
Please check out Magento 2 Factor Authentication (2FA) extension from miniOrange. This extension adds an extra layer of security to your Magento store by requiring two-factor authentication for admin and customer accounts.
Features provided in the extension:
15+ Authentication Methods (Google Authenticator, Microsoft Authenticator, Duo Authenticator, OTP over WhatsApp, etc.)
Enforce 2FA registration of User
Enable if your users want to change the 2FA method
Allow specific 2FA methods to configure in inline registration
Role Based 2FA
Blacklist and whitelist IPs etc.
Please check out this link to know more about the Magento 2FA extension by miniOrange
We at miniOrange provide state-of-the-art plugins for Magento with custom modifications to cater to your every need. Please reach out to us at firstname.lastname@example.org to discuss your requirement in detail and then provide you with this solution accordingly.