Setting Up Two-Factor Authentication with Time Based One-Time Password (TOTP)
With Miva Merchant version 9.12, all admin users are required to use two-factor authentication when logging in. Two-factor authentication means that a second password or code obtained from a trusted source is needed when logging into the store. In this tutorial we show you how to set up two-factor authentication using a Time-Based One-Time Password (TOTP) from Google's smartphone authenticator app for iOS and Android and similar browser plug-ins for Firefox and Chrome.
Before doing anything you will need to install the Google Authenticator app on your smartphone and the authenticator plug-in in your Firefox or Chrome browser. Browse to one of these URLs to get the plug-ins:
Google Chrome (authenticator.cc): https://chrome.google.com/webstore/search/authenticator?hl=en-US
FireFox (mymindstorm): https://addons.mozilla.org/en-US/firefox/search/?platform=windows&q=authenticator
As we'll show you below, once set up properly, the Google app and the two browser plug-ins will all generate the same one-time password for your Miva username, so you can use whichever is more convenient.
Log in as your username, open the main menu, navigate to 'Users' and then click on your username. Open the overflow menu and click on Two-Factor Authentication. In this example we're setting up two-factor authentication for the user 'twotest'.
Alternatively, if you're a new user you might see this screen. Click on Edit User.
And then this screen. Click on Manage Two-Factor Authentication.
Now you're asked to select the method of two-factor authentication for your username. We're going to use the Google Authenticator smartphone app and the similar plug-ins for Firefox and Chrome, so click on Time-Based One-Time Password (TOTP).
The next screen provides information on Time-Based One-Time Passwords. After you've read it click on 'Next'.
This is the most important screen of all. It provides the TOTP Key for your username. It is a 16-character code and is unique to your username. Copy and save this key, because it will allow you to set up multiple plug-ins and devices that will all generate the same time-based password. If you lose your smartphone or move to a new PC you'll need this 16-character key to set up the Google and browser plug-in authenticator apps again. This screen is waiting for you to enter the authentication code. We'll get that in a moment from the browser plug-in.
5. Now copy the 16-character key and put the copy in a safe place. Click on the icon for the browser's authenticator plug-in in the top right corner of your Firefox browser. (Note: Chrome is similar.)
6. From the authenticator drop-down menu select 'Manual Entry'.
7. Click on the '+' plus sign to indicate you are adding an entry to the authenticator.
8. We're setting up authentication for the user 'twotest' on the wpcomp.com Miva store, so let's enter an appropriate account name for this user. We'll use twotest-wpcomp.com. Then we'll paste this user's 16-character code/key in the box labelled 'Secret', select 'Time Based' from the drop-down menu and click on OK. Note that we may have additional Miva users that need two-factor authentication. Each will have their own 16-character key/code and a separate entry in the authenticator plug-in, so it's important to have distinct account names.
9. The authenticator plug-in now generates a 6-digit code. This is the user twotest's current one-time password.
10. Enter 437615 on the Miva screen, click on 'Enabled', and two-factor authentication is now enabled. Unfortunately, when we prepared this slide the one-time password changed from 437615 to 753063 before we could enter it and take the second screenshot, but I think you get the idea. The authenticators (browser plug-in and Google smartphone app) generate new passwords every 30 seconds. Internally Miva is doing the same thing, and the password you enter must match.
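To make concrete why every device seeded with the same 16-character key produces the same code, and why the store can check it without ever seeing that code in advance, here is an added example implementing the standard TOTP algorithm (RFC 6238 on top of RFC 4226 HOTP) in Python. This is not Miva's code or the authenticator apps' code; it assumes, as those apps do, that the key is base32 text and that the step is 30 seconds with 6 digits. The key used in the test is the RFC 4226 reference secret, not a real Miva key, and the `TotpVerifier` class is an illustration of how a server side should check a code: tolerate one step of clock drift either way, compare in constant time, and never accept the same time step twice.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # both the apps and the store advance every 30 seconds
DIGITS = 6          # the six-digit code you type into the login screen


def decode_key(key: str) -> bytes:
    """Base32-decode the shared key. Authenticator apps ignore case and spaces,
    and keys are often shown without '=' padding, so we add it back."""
    cleaned = key.replace(" ", "").upper()
    padded = cleaned + "=" * (-len(cleaned) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a decimal code of the requested length."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current 30-second step.
    Any device with the same key and a correct clock computes the same code."""
    return hotp(decode_key(key), at // step)


class TotpVerifier:
    """Illustrative server-side check (assumed design, not Miva's implementation):
    accept the current step plus one either side for clock drift, compare in
    constant time, and remember the last accepted step so a code cannot be
    replayed within its validity window."""

    def __init__(self, key: str, window: int = 1):
        self.secret = decode_key(key)
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, at: int) -> bool:
        current = at // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # already used, or older than a code we accepted
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo key in the same 16-character base32 shape as a Miva TOTP key.
    demo_key = "JBSWY3DPEHPK3PXP"
    now = int(time.time())
    print("browser plug-in would show:", totp(demo_key, now))
    print("smartphone app would show: ", totp(demo_key, now))  # identical
    print("store accepts it:", TotpVerifier(demo_key).verify(totp(demo_key, now), now))
```

The two `print` lines use the same function on purpose: there is no per-device state, only the shared key and the clock, which is exactly why a saved copy of the key lets you re-create the generator on a new phone or PC.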
11. Copy the ten backup access tokens and store them in a safe place. If all else fails you can use these tokens to log into the Miva Admin. The users 'twotest' and 'threetest' have been deleted from the Wolfpaw store, so don't bother testing these backup access tokens on our website.
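The backup tokens are the recovery path when every authenticator is lost, so how they are stored matters. As an added example (not Miva's implementation, whose storage format is not described here), this Python snippet shows the usual defensive design: tokens are generated from a cryptographically secure source, shown to the user once, kept server-side only as hashes, compared in constant time, and deleted the moment one is redeemed. The count of ten follows the page; the token length and hex format are assumptions.

```python
import hashlib
import hmac
import secrets

TOKEN_COUNT = 10   # the page describes ten backup access tokens
TOKEN_BYTES = 5    # assumed length: 40 random bits -> 10 hex characters each


def _digest(token: str) -> str:
    """Normalise what the user typed (case, surrounding spaces) and hash it.
    Tokens are high-entropy random values, so a plain SHA-256 is adequate here."""
    return hashlib.sha256(token.strip().lower().encode()).hexdigest()


def generate_backup_tokens(count: int = TOKEN_COUNT):
    """Return (plaintext tokens to display once, hashes to persist).
    The plaintext list must not be stored by the server."""
    tokens = [secrets.token_hex(TOKEN_BYTES) for _ in range(count)]
    return tokens, {_digest(t) for t in tokens}


class BackupTokenStore:
    """Server-side record of which backup tokens are still unused."""

    def __init__(self, hashes):
        self.unused = set(hashes)

    def redeem(self, presented: str) -> bool:
        """Accept a token once. Each stored hash is compared in constant time
        rather than via set membership so timing does not leak which matched."""
        candidate = _digest(presented)
        for stored in list(self.unused):
            if hmac.compare_digest(stored, candidate):
                self.unused.discard(stored)   # single use: burn it
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    tokens, hashes = generate_backup_tokens()
    print("show these to the user once:", tokens)
    store = BackupTokenStore(hashes)
    print("first use accepted:", store.redeem(tokens[0]))
    print("second use refused:", store.redeem(tokens[0]))
    print("tokens left:", store.remaining())
```

When the count drops low, the sensible operator action is to regenerate a fresh set rather than reuse old ones; a redeemed token should never be valid again.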
13. Two-factor authentication is set up for the user 'twotest'. An informational screen with sign-in instructions is displayed.
14. Here's the login screen asking for your one-time password.
15. Click on the authenticator icon in the upper right corner of your browser and you get the six-digit code you need.
16. Enter this six-digit code in the Miva login screen and continue with the Miva login.
17. You can add additional users to the authenticator plug-in: just click on the 'edit' pencil and the '+' plus sign and add their account name and 16-character code/key. The authenticator plug-in will generate one-time passwords unique to their usernames. In this screen we're setting up two-factor authentication for the user 'threetest'.
18. The Google smartphone authenticator app is similar to the browser plug-in. It's great when you need to access your Miva store from different locations and from different devices, like your laptop at home or a friend's PC. If you use the same 16-character code/key that you used above (and hopefully saved), it will generate the exact same one-time passwords as the browser plug-in.
Open the Google app and tap the '+' plus sign to add a new entry. Select manual entry and enter the 16-character key/code that you saved from the Miva two-factor setup screen above. You can also scan the QR code with your smartphone's camera, but be sure to copy the 16-character code for backup.
19. Enter the 16-character key/code from the Miva screen and an account name for the entry. Use the username and website name. Select 'Time based' as the type of password. Here we're setting up the user 'twotest' on the Google smartphone app. Because we're using twotest's 16-character code/key, the Google app will generate the same one-time passwords.
20. The Google app will begin generating six-digit codes. Note that you can have multiple time-based passwords for different users and websites.