
I want to add 2-step authentication to the admin back-end URL of my client's online Magento shop. I don't want to use a Google app authentication or a phone app/SMS system. I want a master username/password for the first step, then my usual admin accounts.

I've been googling for a while but can't find anything except for SMS/App authentication, is there some other way I'm missing?

  • 1
  • I think OTP is the simplest and easiest way for authentication, but there are a lot of authentication ways in Magento like amasty.com/magento-two-factor-authentication.html and github.com/magento-hackathon/Magento-Two-factor-Authentication or magentocommerce.com/magento-connect/… etc. Commented Feb 23, 2016 at 4:58
  • Is there a way to do this without a Magento addon? Example: when you try to log into your home router/modem you are given a grey box to input credentials before you are allowed on the page. Commented Feb 23, 2016 at 6:01
  • There are a lot of ways in PHP for security; you can create your custom Magento module. Commented Feb 23, 2016 at 6:09
  • Have you got a link to any documentation I can look at? I've tried googling for a while but it keeps leading me to SMS/app authentication or Magento addons :-/ Commented Feb 23, 2016 at 6:21

2 Answers


It seems you want to add .htaccess directory protection.

As there is no real admin folder, you need to work around this:

# Set the ADMIN environment variable for every request whose URI starts with /admin/
SetEnvIfNoCase Request_URI "^/admin/" ADMIN

AuthType Basic
AuthName "Magento Admin"
AuthUserFile /path/to/.htpasswd
Require valid-user

# Apache 2.2 syntax: host-based access is allowed for everyone except requests
# flagged ADMIN, so only those have to pass the Basic-auth check above
Satisfy any
Order allow,deny
Allow from all
Deny from env=ADMIN

Just add the usernames + passwords in the .htpasswd file and you're good to go.

You may also want to think of a solution like this where only certain IPs are allowed to access your admin URL:

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/admin/(.*)$
# your IP: the dots are escaped because the pattern is a regular expression,
# and the comment sits on its own line because Apache does not allow a
# comment at the end of a directive line
RewriteCond %{REMOTE_ADDR} !^111\.112\.113\.114$
RewriteRule ^(.*)$ - [F,L]
  • Thank you Anna, just what I was after! IP and .htpasswd both worked perfectly! Commented Feb 25, 2016 at 0:08

It's an old topic, but I was looking for something like that and found it.

First, thanks Anna for your answer, it helped me.

But I see 2 problems:

  1. leading ^ => /admin/ will be protected but /index.php/admin/admin/ won't be
  2. trailing / => /admin/ will be protected but /admin won't be

So I use "/admin" instead (except I don't use "admin", see below).

So yes, frontend URLs containing "/admin" will be caught, but remember that we are only talking about the "admin" token if you chose to leave "admin" as the identifier of your admin panel.

You should change this identifier and put something harder to find and that you won't get in the frontend.

And the code for Apache 2.4:

# Flag every request whose URI contains the admin identifier (no ^ anchor, no trailing /)
SetEnvIfNoCase Request_URI "/[your admin identifier here]" ADMIN
AuthType Basic
AuthName "Restricted Access"
AuthUserFile [path to your .htpasswd here]
<RequireAny>
    # flagged requests must present valid .htpasswd credentials
    <RequireAll>
        Require env ADMIN
        Require valid-user
    </RequireAll>
    # everything else stays public
    <RequireAll>
        Require not env ADMIN
        Require all granted
    </RequireAll>
</RequireAny>
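To check which request paths the two answers' patterns actually flag, and what the access rules then decide, here is a small model of the Apache logic (an added example, not code from either answer or from Magento). It assumes the default "admin" front name plus a constructed replacement identifier "secret-backend-x7", and the sample request paths and IPs are made up. It mirrors SetEnvIfNoCase Request_URI (a case-insensitive, unanchored regex search), the Apache 2.2 Satisfy any/Deny from env rule from the first answer, the Apache 2.4 RequireAny/RequireAll block from the second, and the REMOTE_ADDR regex with and without escaped dots.

```python
import re

# Constructed sample request URIs as a Magento shop might receive them.
SAMPLE_URIS = [
    "/admin/",
    "/admin",
    "/index.php/admin/admin/",
    "/index.php/admin/dashboard/",
    "/index.php/secret-backend-x7/admin/",   # hypothetical renamed front name
    "/catalog/category/view/id/3/",
    "/administrator-tools/",                 # frontend URL that merely contains "/admin"
]


def uri_sets_admin_env(pattern: str, request_uri: str) -> bool:
    """Mirror `SetEnvIfNoCase Request_URI "<pattern>" ADMIN`: the variable is
    set when the regex matches anywhere in the URI, ignoring case."""
    return re.search(pattern, request_uri, re.IGNORECASE) is not None


def protected_uris(pattern: str) -> list:
    """Return the sample URIs that the given SetEnvIf pattern would flag."""
    return [u for u in SAMPLE_URIS if uri_sets_admin_env(pattern, u)]


def apache22_decision(admin_env: bool, valid_user: bool) -> str:
    """First answer: `Satisfy any` + `Allow from all` + `Deny from env=ADMIN`.
    Host-based access passes unless ADMIN is set; Basic auth passes only for a
    valid .htpasswd user; `Satisfy any` grants access if either passes."""
    host_access = not admin_env
    return "granted" if (host_access or valid_user) else "401 Unauthorized"


def apache24_decision(admin_env: bool, valid_user: bool) -> str:
    """Second answer: <RequireAny> of two <RequireAll> branches."""
    protected_branch = admin_env and valid_user        # env ADMIN + valid-user
    public_branch = not admin_env                      # not env ADMIN + all granted
    return "granted" if (protected_branch or public_branch) else "401 Unauthorized"


def ip_allowed(pattern: str, remote_addr: str) -> bool:
    """Mirror `RewriteCond %{REMOTE_ADDR} !<pattern>`: the forbidding rule is
    skipped (the client is allowed) when the pattern matches the address."""
    return re.search(pattern, remote_addr) is not None


if __name__ == "__main__":
    for pattern in ("^/admin/", "/admin", "/secret-backend-x7"):
        print(f'{pattern!r:22} flags: {protected_uris(pattern)}')
    for env, user in ((True, False), (True, True), (False, False)):
        print(f"ADMIN={env!s:5} valid-user={user!s:5} "
              f"2.2 -> {apache22_decision(env, user):16} "
              f"2.4 -> {apache24_decision(env, user)}")
    # Unescaped dots match any character, so a lookalike address slips through.
    print(ip_allowed("^111.112.113.114$", "111x112x113x114"))      # True
    print(ip_allowed(r"^111\.112\.113\.114$", "111x112x113x114"))  # False
```

Running it shows the second answer's two points directly: `^/admin/` flags only `/admin/`, while `/admin` also catches `/admin`, `/index.php/admin/admin/` and any frontend path that happens to contain `/admin`; a renamed front name such as `/secret-backend-x7` flags only its own URLs. Both the 2.2 and 2.4 rule sets return 401 only when ADMIN is set and no valid user was supplied.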
  • The .htaccess login popup is coming, but if I click on the Cancel button then it is still logging in successfully. What should I do? Commented Aug 20, 2019 at 8:44
