When running an e-commerce store or a blog it is important to think about security. This is important regardless of the platform you are using -Wordpress, Ghost, Magento or Shopify, etc... Two factor authentication (2FA) often comes up as a way to keep you accounts safe. Let's look at some options that accomplish similar things:
First things first. You should really enforce the passwords to be secure. That means Minimum 12 characters in length. Contains the following items:
- Uppercase Letters
- Lowercase Letters
Also make sure to change your passwords frequently and keep them secure. Passwords are leaked very often by simple carelessness and not understanding how the web works.
A more basic approach (pun intended) is to setup basic authentication on your website for access panel. This will ensure that scripts and malicious users are not able to abuse the login and will have to get past the basic auth first.
Setting up Captcha is also a good idea as it will slow down any script kiddies or bots that are trying to brute force the login credentials. Captcha will stop the users from submitting the login form and make sure the attackers don't get far.
Limit login attempts
This works well with the previous point. Instead of making all users fill out catpcha you can first allow couple attempts at logging in. If they reach a limit (let's say 4 failed attempts) on the next one show them Captcha. If they fail a couple more (let's say 10) then block the login entirely.
You should of course think about users that are actually struggling to login and have forgotten their password. A simple time limit restriction (5 logins in 2 minutes) and a 'Forgot password' action will make sure actual people are not locked out permanently.
Two factor authentication is basically a mechanism which makes sure that the person that is trying to access the application is actually the person who owns the account.
A great example is Google Authenticator which implements two-step verification services using the Time-based One-time Password Algorithm and HMAC-based One-time Password algorithm, for authenticating users of mobile applications. So when you are attempting to login you get an additional request on your configured device to accept that you are who you say you are. This is handy as it almost definitively eliminates the possibility of compromising an account.
This wont be possible for everyone. But if you are serious about your business than having an IP restriction will do wonders. Instead of setting up a complicated login architecture you can simply block any requests that are trying to connect to your application outside of known networks.
The main concern here is that you will not be able to access it yourself if you are on the go or not able to connect to your usual network. A solution here is to create your own VPN which allows to access your secure network from outside. Setting this up can be a bit challenging but once you do it will be worth it.
Let us know more ways you like to keep your account secure.