The Two Factor Authentication add-on strengthens the security of your X-Cart's user accounts by integrating your store with Authy (Authy.com). The result is a two-factor authentication system that you can enable for any X-Cart user account (admin/customer/vendor).
The Two Factor Authentication add-on levels up the store user account protection. It requests a user trying to log in with the regular username and password to confirm their identity by providing a one-time code sent to their phone via SMS. The generation and sending of the SMS code are performed via the Authy service. This method of user authentication is very secure: even if the Authy server is compromised, the hacker will not have the usernames and passwords needed for account access as these sensitive details are NOT stored on the Authy end.
To start using the add-on, make sure it is installed and enabled.
To use the add-on, you must have an account with Authy. You can get one here.
After enabling the add-on, proceed to the add-on settings page to configure it.
You will need to adjust the following parameters:
API key: Specify the API key from your Authy.com account. If you do not have an account yet, follow the steps below to create an Authy API Key:
Create a Twilio account here
Create an Authy application in the Twilio Console.
Once you have created a new Authy application, copy the API Key for Production available on the Settings page of your Authy application. See the image below for reference:
Production mode: Enable this setting if you do not need to test the integration and are ready to use the add-on in production mode.
Use two-factor authentication for the customer interface: Enable this setting if you need the two-factor authentication option to be available to customer accounts.
Use two-factor authentication for the administrator interface: Enable this setting if you need the two-factor authentication option to be available to admin and vendor accounts.
Once configured, the add-on extends the regular user profile with the Country phone code and Phone number fields.
The values for these fields need to be specified by the user at the time of account creation.
Alternatively, the store admin can specify the values in the respective user profile (Users -> User List -> User Profile). Also, the store admin can enable the "Require to change password on next login" option for a user profile, so the user is forced to renew their account password and specify the phone to enable the two-factor authentication for their account.
Related pages: