On 09/10/13 13:41, Sindre Smistad wrote:
OpenCart also has a Google Authenticator plugin. The Google
Authenticator is available for Android, Blackberry, and iOS. This will
make the admin login like the login at your bank, where you have to
enter a few numbers either sent in an SMS message, or generated by some
small device. Unless there is a critical flaw in OpenCart, people will
not be able to log in to admin without access to your phone as well.
I can see one scenario where this would be very useful: when you've got
registered users who have paid for access to content and you don't want
them "lending" their login details to other people.
There's a lesser one, which is to reassure a particularly paranoid
client that you have provided them with a secure system.
Having said that...
I have two locks on my front door but I only use one on a daily basis.
Anybody trying to break in will go round to the back where they will be
less obvious. Using the second front door lock would be a waste
of my time.
Similarly, for *most* (e-commerce) sites this is IMO a solution to a
problem that doesn't exist, and a waste of time.
The banks have a different threat model - thousands of users, some of
whom *are* naive enough to follow and use phishing links. That's why
they have to go beyond simple username / password pairs.
Security is a process as Bruce Schneier likes to point out:
https://www.schneier.com/essay-062.html
It's also an endless money pit if you let it be one. So the important
thing is identifying where the risks lie and directing your limited
resources there. In most cases I would say that further securing the
admin interface is going to be some way down the list.