On 09/10/13 13:41, Sindre Smistad wrote:
> OpenCart also has a Google Authenticator plugin. The Google
> Authenticator is available for Android, BlackBerry, and iOS. This will
> make the admin login like the login at your bank, where you have to
> enter a few numbers either sent by SMS message, or generated by some
> small device. Unless there is a critical flaw in OpenCart people will
> not be able to log in to admin without access to your phone as well.
I can see one scenario where this would be very useful: when you've got
registered users who have paid for access to content and you don't want
them "lending" their login details to other people.
There's a lesser one, which is to reassure a particularly paranoid
client that you have provided them with a secure system.
Having said that...
I have two locks on my front door but I only use one on a daily basis.
Anybody trying to break in will go round to the back where they will be
less obvious. Using the second front door lock would be a waste
of my time.
Similarly, for *most* (e-commerce) sites this is IMO a solution to a
problem that doesn't exist, and a waste of time.
The banks have a different threat model - thousands of users, some of
whom *are* naive enough to follow and use phishing links. That's why
they have to go beyond simple username / password pairs.
Security is a process as Bruce Schneier likes to point out:
It's also an endless money pit if you let it be one. So the important
thing is identifying where the risks lie and directing your limited
resources there. In most cases I would say that further securing the
admin interface is going to be some way down the list.