Sentry Two-Factor Authentication Extension Documentation
Sentry Two-Factor Authentication is a free, open source extension for the Magento eCommerce platform. When activated, the extension will require two-factor authentication for all administrative users. This greatly enhances security by protecting against compromised user passwords, which represent the most common type of online security breach.
- Use mobile apps from Google Authenticator (free) or Duo Security (free for 10 users or fewer)
- Available on Android, iOS, Windows Phone, and Blackberry
- Easy installation and administration
- Open source and actively maintained by Human Element (a Magento Silver Solution Partner) and Nexcess.net (a Magento Platinum Hosting Partner)
- Extensive logging to help fulfill PCI requirements
Sentry Two-Factor Authentication will work with the following versions of Magento:
- Magento Community 1.6, 1.7, 1.8, 1.9
- Magento Enterprise 1.14, 1.13, 1.12, 1.11
You can download the extension from the Human Element website. Once downloaded, install it on your Magento site with the Direct File Upload option in your system’s Magento Connect Manager. It is recommended to disable the Magento compiler before installation. Should you wish to use modman, a modman configuration file is included.
Attention: If you see a 404 error when trying to access the Sentry administrator control panel, try logging out and then back into your administrator account.
Following installation, any required server-side configuration is performed from the Magento administrator’s control panel by selecting System > Configuration > Sentry > Two-Factor Auth Settings (Figure 1).
Using this panel, you can select either Google Authenticator or Duo Security as your preferred authentication provider or disable two-factor authentication (Figure 2). If you wish to use Duo Security, you must first create a Duo Security account and create a new integration for your Magento website. More information is available on the Duo Security website.
Attention: Due to the system architecture of Magento, the Magento Connect Downloader is not protected by this extension. It is critically important to protect the downloader from unauthorized access as it is a common target for attack. For this reason, we strongly recommend restricting the /downloader directory access to only a few trusted IP addresses. Implementation will vary by web host and it is recommended that you contact your web host’s technical support staff for assistance.
Both authenticator apps require you to install the app on your mobile device. Once your Magento administrator has chosen the authenticator provider, the app will guide you through the setup. The setup process varies according to mobile OS and authenticator provider.
To log in with either app, you must first connect the app to your administrator account on the Magento site. Refer to the Adding authenticators section for more information.
Logging in with Google Authenticator
After successfully entering your user name and password, Google Authenticator requires a passcode. You may view the current code by running Google Authenticator on your mobile device and finding the six-digit number provided for your user name. This passcode changes every 30 seconds.
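The six-digit, 30-second codes described above are standard RFC 6238 TOTP codes (HMAC-SHA1), which is the algorithm Google Authenticator implements. The following is an added example, not code from the Sentry extension, showing how a server side like Sentry's derives and checks such a code; the base32 secret, the drift window and the replay check are assumptions made for the illustration, and the sample secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30  # codes rotate every 30 seconds, as the page states
DIGITS = 6         # six-digit codes


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 shared secret shown when an authenticator is enrolled."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that apps often omit
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, submitted: str, unix_time: int,
           window: int = 1, last_used_step: Optional[int] = None) -> Optional[int]:
    """Return the accepted time step, or None if the code is rejected.

    Accepts codes from `window` steps either side of now to tolerate clock drift
    (an assumed policy), compares in constant time, and refuses any step at or
    before the last step already accepted, so a code that was captured cannot be
    reused within its 30-second lifetime.
    """
    current = unix_time // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None
```

Persist the returned step per user after a successful login and pass it back as `last_used_step` on the next attempt; without that, a still-valid code can be submitted twice.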
Logging in with Duo Mobile
After successfully entering your user name and password, Duo Mobile will ask you to choose a device with which to authenticate. You may also select one of three options for authentication: push notification, phone call, or passcode. You must use Duo Mobile on your mobile device to complete authentication. For more information about the authentication methods available for Duo Mobile, visit the Duo Security website.
A user’s authenticator connection to the Magento site can be reset so that the user will be forced to reconnect using the method described in the “Adding authenticators” section.
Resetting a Google Authenticator
Use the following procedure to force users to reconnect their Google Authenticator:
- From the Magento administrator’s control panel, select System > Permissions > Users.
- Click on the user account you wish to reset.
- Select the Reset Google Authenticator check box.
- Click Save. The user will be forced to reconnect Google Authenticator upon login.
Resetting a Duo Mobile Authenticator
To disconnect a user’s Duo Mobile authenticator from a Magento site, log in to the Duo Admin Panel and click Devices in the left sidebar. For more information, visit the Duo Security website.
Disabling the Extension
- From the Magento administrator’s control panel, select System > Configuration > Sentry Two-Factor Authentication > Configuration > Provider Selection and choose the option that disables two-factor authentication.
- Change the element in the extension’s XML configuration file to false.
- In the event of a misconfiguration, upload the tfaoff.flag file to the Magento installation root directory on the web server. When the extension detects this file, it disables itself, allowing normal access to the Magento administrator control panel. The user name and password will still be required.
If you encounter any problems using this extension, navigate to the Human Element bug report form and give as many details as possible.
Sentry is covered by the GNU General Public License.