Improved Admin security User Manual

CONTENTS

1. Description

2. Installation

3. General configurable options

4. Admin interfaces

5. Use Cases

6. Support

Description

The Improved admin security 2.0 extension is the easiest way to keep unwanted users away from your store data. The extension lets you use two-factor authentication based on the Google Authenticator application. In addition to the username and password, a verification security code will be required at every admin login attempt. If attackers get your admin username and password, they will not be able to access your store admin unless they also have a security code provided by Google Authenticator. Importantly, each unique code expires after a short amount of time for security purposes.

The Improved admin security 2.0 extension consists of 2 tightly integrated modules:

  • Two Factor Authentication protects your Magento admin login area. The module is based on the use of a verification key.
  • Admin Watcher lets you check the parameters of successful and failed attempts to access the store backend.

Installation

Thank you for downloading our Magento extension. Please follow these instructions to install the extension:

Turn store compilation off

Navigate to Admin > Tools > Compilation and deactivate compilation mode for your store.

Copy all files into your Magento directory

Simply copy all files from the "extension source x.x.x" directory into your Magento store directory.

If your default folder is named something other than "default", rename the folders app/design/frontend/default/default and skin/frontend/default/default.

Turn your Magento cache off

Navigate to Admin > System > Manage Cache and deactivate the cache for your store.

Refresh your admin user access rights

Simply log out of your store admin and then log back in.

Next steps

Before installing the extension, please check that your mobile device is compatible with the Google Authenticator mobile application. Our Google Authenticator extension is compatible with every iOS device (iPhone, iPad or iPod touch), Android device and BlackBerry device. To check, please complete the step for your device:

  • For Android devices, please open Google Play and search for the Google Authenticator application.
  • For iOS devices, please visit the Apple App Store and search for the Google Authenticator application.
  • For BlackBerry devices, please visit http://m.google.com/authenticator on your BlackBerry.

 

  1. Copy all files into your Magento directory and turn the Magento cache off.
  2. Open your admin user account settings at Admin > System > Permissions > Users > Your User > Tab "Two Factor Authentication".
  3. Scan the QR code with the Google Authenticator application on your smartphone.
  4. Enter the key shown on your mobile device into the verification key field.
  5. That's all. You have just enabled protection for that admin user. Try logging out and logging in with the verification key. Please note that the key is updated every 30 seconds. Please also note that if you have not enabled protection for some users, the verification key will be ignored for those users.

Uninstall/Disable

If you have lost your smartphone or don't have access to it, you can disable the extension via FTP:

  1. Copy TM_TwoFactorAuthentication_Disable from app/code/local/TM/TwoFactorAuthentication/scripts/ to your store root directory.
  2. Rename it to TM_TwoFactorAuthentication_Disable.php.
  3. Open the URL http://[base store url]/TM_TwoFactorAuthentication_Disable.php
  4. Remove the file TM_TwoFactorAuthentication_Disable.php from your store folder so that it is no longer reachable by URL.
  5. Now you can log in to your store and reset or disable the extension.
  6. Protection can also be disabled by renaming app/etc/modules/TM_TwoFactorAuthentication.xml to TM_TwoFactorAuthentication.xml.off. In that case the extension will simply not be loaded.
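
Both disable paths above leave traces on disk, so a store can be checked for them. The following audit is an added example, not part of the extension; it uses the file names from the steps above and assumes the usual Magento 1 module declaration layout (an `<active>` element under `<modules>`), and the sample store tree it builds is constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

MODULE = "TM_TwoFactorAuthentication"
DISABLE_SCRIPT = MODULE + "_Disable.php"   # file name from steps 2-4 above
MODULE_XML = os.path.join("app", "etc", "modules", MODULE + ".xml")


def audit_two_factor(store_root):
    """List findings that mean 2FA is off, or can be switched off by URL."""
    findings = []
    if os.path.exists(os.path.join(store_root, DISABLE_SCRIPT)):
        findings.append("disable script still in store root")
    xml_path = os.path.join(store_root, MODULE_XML)
    if os.path.exists(xml_path + ".off"):
        findings.append("module declaration renamed to .off")
    if not os.path.exists(xml_path):
        return findings + ["module declaration missing, module not loaded"]
    try:
        # Assumption: the usual Magento 1 declaration layout,
        # <config><modules><MODULE><active>true</active>...
        root = ET.parse(xml_path).getroot()
    except ET.ParseError:
        return findings + ["module declaration is not valid XML"]
    active = (root.findtext("modules/%s/active" % MODULE) or "").strip()
    if active.lower() != "true":
        findings.append("module declaration has active=%r" % active)
    return findings


def make_sample_store(root, active="true", xml_name=MODULE + ".xml", leftover=False):
    """Build a constructed, minimal store tree for the demonstration."""
    modules_dir = os.path.join(root, "app", "etc", "modules")
    os.makedirs(modules_dir, exist_ok=True)
    with open(os.path.join(modules_dir, xml_name), "w") as fh:
        fh.write("<config><modules><%s><active>%s</active><codePool>local"
                 "</codePool></%s></modules></config>" % (MODULE, active, MODULE))
    if leftover:
        open(os.path.join(root, DISABLE_SCRIPT), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as store:
        make_sample_store(store, leftover=True)
        print(audit_two_factor(store))
```

An empty list means neither disable path has been used and the module is declared active.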

Configuration

General configurable options:
Two Factor Authentication

To configure the extension, go to Magento Admin > System > Configuration > Templates-Master > Two Factor Authentication.

To enable this module, please select Yes in the Enable field.

Then go to Admin > System > Permissions > Users. Click Add New User in the upper right corner of the page and select Two Factor Authentication on the User Information tab.

Two Factor Authentication with QR code
  • Is active - please select Yes to make the module active.
  • Label - is used to identify which account a key is associated with.
  • Verification Key - is a six-digit number generated on your mobile phone after you scanned your QR code.

Admin Watcher

To configure the Admin Watcher module, go to Magento Admin > System > Configuration > Templates-Master > Admin Watcher.

NB: before configuring the settings, please make sure the time on your server matches the time on your smartphone.
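
Why the two clocks must agree: the six-digit verification key that changes every 30 seconds is computed from a shared secret and the current time. The sketch below is an added example, not the extension's code; it assumes the standard Google Authenticator algorithm (TOTP, RFC 6238 with HMAC-SHA1), uses a constructed secret and timestamp, and its `window` tolerance parameter is hypothetical, since the manual does not say how much drift the extension accepts.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each key stays valid ("updated every 30 seconds")
DIGITS = 6   # length of the verification key


def totp(secret_b32, unix_time):
    """Six-digit key for the 30-second interval containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                 # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, server_time, window=0):
    """Accept the key if it matches any interval within +/- `window` steps
    of the server clock (`window` is a hypothetical tolerance setting)."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True
    return False


# Constructed sample values: the RFC 6238 test secret "12345678901234567890"
# in base32, and a moment on the phone that falls late in a 30-second interval.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
PHONE_TIME = 1111111109

if __name__ == "__main__":
    key = totp(SECRET, PHONE_TIME)
    for skew in (0, 20):     # seconds the server clock runs ahead of the phone
        strict = verify(SECRET, key, PHONE_TIME + skew)
        tolerant = verify(SECRET, key, PHONE_TIME + skew, window=1)
        print("server +%2ds: strict=%s, window=1: %s" % (skew, strict, tolerant))
```

With the server only 20 seconds ahead, the strict check already rejects the phone's key because the two clocks fall into different 30-second intervals.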

  • Enable - enable or disable the Admin Watcher module
  • Auto clear log action after x day - please enter the number of days for which log data will be stored
  • Allowed IP(s) (comma separated) - set the IP addresses that are allowed to access the admin interface

NB: you can enter multiple comma-separated

  • Permitte only allowed IP - please select Yes or No to set the access rights for allowed IPs. If you select No, a notification email will be sent for IP addresses that are not allowed
  • Disallowed IPs (comma separated) - shows the IP addresses that are not allowed to access the admin interface
  • Send admin notification to - please enter the email address that should receive notifications about unauthorized access attempts
  • Sender - please select the Sender that will be used in admin activity notification email from drop-down list
  • Email Template - please select the email template of notification from drop-down list

Admin interfaces

The Improved Admin security 2.0 extension provides an easy-to-use admin interface which allows you to see and track the time, data and IP address of unauthorized access attempts.

The module includes the Login Attempts and the Action Log interfaces. To start using them, please go to Admin > Templates-Master > Admin Watcher.

Login Attempts

If you select Login Attempts, you will see who tried to log in to the store admin without authorization, his IP address and the date when he did it. The reason for the failed access attempt is also displayed.

Action Log

If you select Action Log, you will be able to check the changes that were made by all users.

For more information, please click the Changes link in the Actions column. You can then see the old and new values.

The display of new changes

Use Cases

How to get notification when somebody is accessing store backend from other IP address

To set the recipient of a notification, go to Admin > System > Configuration > Templates-Master > Admin Watcher. Please set the following:

  • in the Send admin notification to field - enter the email address of the person who should get the notification
  • in Sender - select the Sender of the notification
  • in Email Template - select the email template of the notification

After that, please set the list of allowed IP addresses at Admin > System > Configuration > Templates-Master > Admin Watcher Allowed IP.

How can I check details of recent changes in store configuration

To find out the recent changes in store configuration, please make sure that the Admin Watcher module is enabled. To check this, go to Admin > System > Configuration > Templates-Master > Admin Watcher and select Yes in the Enable field.

Then go to Admin > Templates-Master > Admin Watcher > Action Log. In the Actions column you will see the details of recent changes in store configuration.

Support

Template Master team is always ready to assist you with any issue related to our products.

We do offer:

  1. Free commercial products installation services
  2. Free updates within offered support period
  3. 3 months of free guaranteed support

Our duties:

  1. Responsibility for resolving products bugs.
  2. Help with technical queries.
  3. Support of popular web browsers (Firefox, Chrome, Safari, Internet Explorer 7+).
  4. Technical support in installation and usage of our products.

Troubleshooting:

You can follow the product questions and read frequently asked questions from users.

If you have any problems with extension installation, please contact us at helpdesk
