X-Cart:Two Factor Authentication
- 1 Overview
- 2 Quick Start
- 3 System requirements and installation
- 4 Enabling the Two-Factor Authentication module
- 5 Configuring the Two-Factor Authentication module
What X-Cart's Two-Factor Authentication module does
X-Cart's Two-Factor Authentication module allows you to add two-factor authentication to your X-Cart store's website and make it available to some or all types of your store's users (administrators / providers / customers). The two-factor authentication service is provided by Authy.com.
How it works
Basically, two-factor authentication requires that the user trying to log in has not one but two pieces of privileged information: something the user knows (like the user's regular password for access to the store site) and something the user has in their pocket (some sort of security token). In the case of Authy's authentication system, the security token used as an extra means of identification is the user's mobile phone.
With the Two-Factor Authentication module enabled, the log-in process for X-Cart store users is as follows:
- A user wishing to log in to the store clicks the Sign In link. The store's regular authentication form opens.
- The user enters his or her account credentials (login and password). Provided that the credentials entered by the user are accepted by the store, the user is presented with a form for entering their security token. For customer users the form is displayed in a popup; for administrators and providers it opens on a separate page.
- If the user has a smartphone device with Authy application installed, they open the application on their phone to obtain the Authy token. A new token is generated every 20 seconds while the application is running. If the user does not have a smartphone with the Authy mobile app installed, after submitting the login and password they simply receive their security token in a text message (SMS).
- The user types the token from the Authy app/SMS into the provided form and submits it. The store sends the token to Authy API. Authy tells the store whether the token is correct.
- If the token is correct, the user is securely logged in.
- Improves account security
Even if the username and password are stolen by means of some spyware, the hacker will not be able to take over the user's account, as he will also need a token to log in.
- Does not store account credentials
Even if the Authy server is compromised, the hacker will not get any usernames or passwords, as they are NOT stored by Authy.
- Supports all cell phones
Free Authy apps are available for iPhone, Android and Blackberry. For other types of cell phones the security tokens are sent via text messages. Optionally, the store administrator can enable forced sending of tokens via SMS, regardless of whether the Authy application is installed on the user's phone or not.
- Free plan available
Using the service requires an account with Authy. Authy offers several subscription plans, from free (1,000 Users, 500 Auths / mo) to enterprise.
To enable Authy's two-factor authentication service at your X-Cart store, follow these steps:
- Sign up for Authy's service at Authy.com.
- If you are going to use a smartphone for authentication, download from the Authy site and install on your phone the application that will be used to generate security tokens for log-in (to download the app, point the browser on your phone to www.authy.com/install). Run the application on your phone and complete the steps required to register your phone in Authy's system. Note: Using Authy's downloadable app is completely optional; if you prefer security tokens sent via SMS, you do not have to install anything on your phone - simply skip this step and proceed to Step 3.
- Activate your Authy account by signing in. Note that to sign in you will be required to enter a security token from your phone. You can enter a token generated by the Authy app on your phone device or request the token to be sent to your cellphone via text-message. After signing in to your Authy account you'll find your API keys for sandbox (use it for testing) and production. Keep these keys private.
- Install the Two-Factor Authentication module in X-Cart (See System requirements and installation).
- Enable the module in X-Cart's back end and enter your Authy API key in its settings (See Enabling the Two-Factor Authentication module and Configuring the Two-Factor Authentication module).
- Specify your phone number and country in your profile. Be sure to enter the phone number using the international format: + (plus sign) then country code, then space or dash, then phone number.
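The two-step log-in flow described under How it works, together with the international phone-number format required in the step above, as an added example that is not X-Cart's or Authy's code: the store's round-trip to the Authy API is replaced by an assumed verify_token(user, token) callback so the flow runs offline, and the account record is constructed.

```python
import hmac
import re
import secrets

# Constructed sample account (not real data). The phone number is stored in
# the international format the Quick Start asks for: "+<country code> <number>".
USERS = {"admin": {"password": "correct horse", "phone": "+1 555-0100"}}

PHONE_RE = re.compile(r"^\+(\d{1,3})[ -](\d[\d -]*\d)$")


def parse_phone(phone):
    """Return (country_code, digits) for '+<cc><space or dash><number>',
    or None when the number is not in that format."""
    m = PHONE_RE.match(phone.strip())
    if not m:
        return None
    return m.group(1), re.sub(r"[ -]", "", m.group(2))


class LoginFlow:
    """Session state machine for the two-step login. A user is never logged in
    on the strength of the password alone: the token step must also pass, and
    the challenge issued after the password ties that step to the same account."""

    def __init__(self, verify_token):
        self.verify_token = verify_token  # assumed stand-in for the store's call to the Authy API
        self.pending = {}   # challenge id -> user waiting to enter a token
        self.sessions = {}  # session id -> logged-in user

    def submit_credentials(self, user, password):
        """First factor. Returns a challenge id to show the token form for, or None."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
            return None
        challenge = secrets.token_hex(16)
        self.pending[challenge] = user
        return challenge

    def submit_token(self, challenge, token):
        """Second factor. Returns a session id on success, None otherwise.
        The challenge is consumed either way, so a wrong token sends the user
        back to the credentials form (a design choice of this example)."""
        user = self.pending.pop(challenge, None)
        if user is None or not self.verify_token(user, token):
            return None
        session = secrets.token_hex(16)
        self.sessions[session] = user
        return session
```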
That is all. Now if you log out and try to log in to the store again, you will notice an extra step added to the authentication process on your site: after entering your regular site login and password you will be required to enter a security token from your mobile phone.
System requirements and installation
To be able to successfully install and use the Two-Factor Authentication module, you need a working copy of X-Cart version 4.1.x or later installed on your server. Make sure that the version of the module is the same as the version of the installed copy of X-Cart.
To install X-Cart's Two-Factor Authentication module:
- Obtain a distribution package for X-Cart's Two-Factor Authentication module by downloading it from the File Area section of your X-Cart Account. The distribution package you need is contained in the archive file two-factor-auth-x.y.z.tgz where x, y and z are the version numbers of the module. Make sure the version of the module is the same as the version of the installed X-Cart.
- Copy the distribution package to the X-Cart root directory on your server or hosting account.
- If you are using a Windows-based server, or a UNIX-based server without terminal access:
- a) Decompress the archive with the module distribution package to a directory on your system using your favorite compression program (WinZIP or any other archiver with support for TAR files).
- b) Use an FTP client to upload all the files contained in the archive (retaining the directory structure) to the X-Cart root directory on your server or your hosting account.
- If you are using a UNIX-based server with terminal access:
- a) Use an FTP client to upload the archive with the distribution package to the X-Cart root directory on your server or your hosting account.
- b) Decompress the package using the following command:
tar -xzvf two-factor-auth-x.y.z.tgz
- Important: Make sure you keep the directory structure while unpacking and uploading the distribution package, otherwise some necessary files can be overwritten!
- In a web browser, run the installation script http://<YOUR_XCART_DOMAIN>/install-two-factor-auth.php, replacing <YOUR_XCART_DOMAIN> with the actual domain name of your X-Cart store.
- Enter the Auth code, accept the License Agreement and click Next.
- The installation script patches any files that need to be patched and activates the module. Click Next to continue the installation. Note: If you are using a custom skin, you will need to patch it manually. Otherwise, the module will not work in this skin.
- The installation script generates a new system fingerprint. Click Next to complete the installation.
- Use the ADMINISTRATOR AREA link to log in to the Admin area.
Enabling the Two-Factor Authentication module
After the Two-Factor Authentication module installation has been completed, the module you have installed needs to be enabled in your store:
- In Admin area, go to the Modules section (Settings menu->Modules).
- Locate the entry for the 'Two-Factor Authentication' module. Note: In X-Cart versions 4.6 and later, the Two-Factor Authentication module can be found on the 'Built-in and installed modules' tab under the 'Security' tag.
- X-Cart versions 4.6 and later: Select the Enable check box to the left of the module name.
- X-Cart versions prior to 4.6: Select the check box to the left of the module name and click the Apply changes button.
The module will be activated.
Configuring the Two-Factor Authentication module
After the Two-Factor Authentication module has been enabled in your store, you should check and adjust its configuration:
- In the Modules section (Settings menu->Modules), click the Configure link opposite the module name ('Two-Factor Authentication').
The module configuration page (titled by the name of the module) opens.
- Adjust the settings on the module configuration page. Detailed information regarding the Two-Factor Authentication module configuration settings is available below.
- Click the Apply changes button to save the changes.
Two-Factor Authentication module configuration settings
Here is an explanation of the Two-Factor Authentication module configuration settings:
- Authy API key: Your Authy API key. This can be found in your authy.com dashboard after registering and activating your account.
The following three options:
- Enable two-factor authentication for administrators
- Enable two-factor authentication for providers
- Enable two-factor authentication for customers
are used to specify the types of users to which two-factor authentication should be available in your store.
- Force send SMS to smartphone app users: Normally the service does not send text messages containing secure tokens to the users whose phones are registered with Authy as using the downloadable application. However, if you still want the tokens to be sent to such users via text messages, enable this option.