Two-Factor Authentication
Two-factor authentication (2FA) protects your customers’ storefront logins with an additional one-time code delivered by email.
Background
A stolen password alone is not enough to sign in to a customer account once 2FA is enabled. At login, the customer must enter a 6-digit code from the most recent email in addition to their password (Fig.: Storefront login with two-factor authentication).
Fig.: Storefront login with two-factor authentication
How it works
After the customer enters their username and password successfully, the shop sends a 6-digit code to the customer’s email address. The customer enters this code on the OTP page to complete the login.
Protection mechanisms:
The code is valid for 5 minutes.
Up to 5 attempts are allowed per code. After the fifth failed attempt the customer must restart the login.
There is a 60-second waiting period between two code dispatches.
Scope
The 2FA protection currently applies only to storefront logins (customer accounts in the storefront).
Not covered:
Logins in the admin backend.
OXAPI logins. Accounts with 2FA enabled cannot currently authenticate via OXAPI. Such accounts must keep 2FA disabled to continue using OXAPI.
Default behavior
After installation or update of the module, 2FA is disabled by default — both shop-wide and for every individual customer. Existing customers face no extra login hurdles.
As the shop admin you only enable the feature shop-wide (Enable Two-Factor Authentication shop-wide). Once you do, the 2FA option becomes visible in the customer account, and each customer decides for themselves whether to use 2FA for their account (Activation by the customer).
A 2FA code is requested at the next login of a given customer only after that customer has activated 2FA in their own account.
Enable Two-Factor Authentication shop-wide
Prerequisites
You have the OXID Security Module installed and activated (see Installation).
Procedure
Under , choose the OXID Security Module.
Choose the Settings tab.
Go to Two Factor Authentication.
Fig.: Enable Two-Factor Authentication shop-wide
Choose the Enable Two Factor Authentication checkbox.
Save your settings.
Result
2FA is enabled shop-wide. Your customers can now switch on the feature themselves in their customer account.
Activation by the customer
Once 2FA is enabled shop-wide, every customer can switch 2FA on or off for their own account.
Procedure
The customer signs in to the storefront and opens their customer account.
In the Security section the customer chooses the Enable two-factor authentication option.
The customer saves the setting (Fig.: Customer account security with two-factor authentication enabled).
Fig.: Customer account security with two-factor authentication enabled
Result
At the next login of this customer, a 2FA code is requested by email in addition to the username and password.
After too many failed attempts
Up to 5 attempts are allowed per 2FA code. After the fifth failed attempt the OTP flow is locked: the input field for the verification code, the submit button, and the resend button are all hidden (Fig.: 2FA login locked after 5 failed attempts).
Fig.: 2FA login locked after 5 failed attempts
Instead, a Log in again button appears. Clicking it discards the locked OTP flow and sends the customer back to the login page. From there they can start a new login attempt with username and password, which triggers a fresh 2FA code to their email address.
Notes
Login problems if the email is lost. 2FA relies on the customer’s stored email address. If a customer no longer has access to their email, the “forgot password” function does not help either — both paths use the same email address.
Stay-logged-in with 2FA. When a customer enables 2FA, any existing “stay logged in” cookie is discarded. At the next visit the customer must sign in normally and then enter the 2FA code.
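The following is an added example, not code from the OXID Security Module, showing the three rules from the Protection mechanisms list (5-minute validity, 5 attempts per code, 60-second dispatch cooldown), the locked state described under "After too many failed attempts", and the discarding of the "stay logged in" token noted above, as a small in-memory model of the OTP flow. All names (OtpFlow, OtpChallenge, CustomerAccount, log_in_again) and the mail outbox are constructed for illustration; the choice to count an expired code as a failed attempt is an assumption, as the page does not say how expiry interacts with the attempt counter.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Policy values as stated in the module documentation.
CODE_TTL_SECONDS = 5 * 60        # a code is valid for 5 minutes
MAX_ATTEMPTS = 5                 # 5 attempts per code, then the flow is locked
RESEND_COOLDOWN_SECONDS = 60     # 60 seconds between two code dispatches


class OtpLocked(Exception):
    """The fifth failed attempt has been used; only 'Log in again' is offered."""


class ResendTooSoon(Exception):
    """A new code was requested inside the 60-second waiting period."""


@dataclass
class OtpChallenge:
    """Server-side state for one pending email code (one per successful password check)."""
    email: str
    code: str
    issued_at: float      # time of the last dispatch for this challenge (seconds)
    attempts: int = 0     # failed attempts against this code
    locked: bool = False


@dataclass
class CustomerAccount:
    """Constructed minimal account model: the 2FA flag and a 'stay logged in' token."""
    email: str
    two_factor_enabled: bool = False
    stay_logged_in_token: Optional[str] = None

    def enable_two_factor(self) -> None:
        # Enabling 2FA discards any existing 'stay logged in' cookie, so the
        # next visit goes through password + code again.
        self.two_factor_enabled = True
        self.stay_logged_in_token = None


def generate_code() -> str:
    """6-digit code from a CSPRNG, zero-padded so every value 000000-999999 is equally likely."""
    return f"{secrets.randbelow(1_000_000):06d}"


@dataclass
class OtpFlow:
    """Simulated OTP page. 'now' is injected (seconds) so the timing rules are testable."""
    outbox: list = field(default_factory=list)   # constructed stand-in for the mail transport

    def start(self, email: str, now: float) -> OtpChallenge:
        """Called after username and password were accepted: dispatch a fresh code."""
        code = generate_code()
        self.outbox.append((email, code))
        return OtpChallenge(email=email, code=code, issued_at=now)

    def resend(self, ch: OtpChallenge, now: float) -> OtpChallenge:
        """Resend button: hidden while locked, refused inside the cooldown, else a new code."""
        if ch.locked:
            raise OtpLocked()
        if now - ch.issued_at < RESEND_COOLDOWN_SECONDS:
            raise ResendTooSoon()
        return self.start(ch.email, now)

    def verify(self, ch: OtpChallenge, submitted: str, now: float) -> bool:
        """Check a submitted code. Wrong or expired codes both count as a failed attempt (assumption)."""
        if ch.locked:
            raise OtpLocked()
        expired = now - ch.issued_at > CODE_TTL_SECONDS
        # Constant-time comparison so response timing does not leak matching digits.
        matches = hmac.compare_digest(ch.code.encode(), submitted.encode())
        if matches and not expired:
            return True
        ch.attempts += 1
        if ch.attempts >= MAX_ATTEMPTS:
            # Input field, submit and resend disappear; only 'Log in again' remains.
            ch.locked = True
        return False

    def log_in_again(self, account: CustomerAccount, password_ok: bool, now: float) -> Optional[OtpChallenge]:
        """'Log in again': the locked challenge is dropped by the caller; a fresh code is
        dispatched only after username and password are accepted once more."""
        if not password_ok:
            return None
        return self.start(account.email, now)
```

The challenge object is the only place the code lives; the customer-facing page never receives it. Because the resend cooldown is measured from the last dispatch and a resend produces a new challenge with its own attempt counter, the attempt limit is still bounded per code, while the locked flag on a challenge survives until the customer restarts the login.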