psromanov (Merchant, United States), 15 Oct 2024 01:36

Hey Tim & fellow litecarters! Two-factor authentication is being implemented almost everywhere these days. I was wondering, are you planning to add it to the upcoming release? Mostly for admin access, but a customer-side implementation might also be a great idea. If there are no plans to implement it in the near future, what do you guys use for extra security on the admin access side of things? Thank you!
kuopassa (Developer, Finland), 15 Oct 2024 15:08

Maybe the /admin/ folder could at least be behind .htpasswd if it's not already?

PS. The demo version at https://demo.litecart.net/admin/ is broken.
psromanov (Merchant, United States), 15 Oct 2024 15:32

> Maybe the /admin/ folder could at least be behind .htpasswd if it's not already?

Well, it's not 'admin' in my case, and the admin username is not 'root' or 'admin' either; also the password is a complicated non-phrase combination, for a start. Adding an additional layer of protection would be a different KIND of protection. At the end of the day, passwords are hackable, either by interfering with the traffic or by hijacking the router, even though I have a hardcore firewall; but then again I might access the admin panel in a public space using a cell tower which is infiltrated by a bad actor. I was looking more into adding the admin panel to the tailscale subnet, to make it literally inaccessible outside of the VPN configuration, but I find it hard to implement using the same domain. So going back to my main point – 2FA would resolve it rather quickly.
tim (Founder, Sweden), 15 Oct 2024 17:36

It's on my wishlist. Pull requests are welcome.

Edit: Implemented for 3.0 using 2FA over email. Configurable per account.
psromanov (Merchant, United States), 16 Oct 2024 00:34

> Edit: Implemented for 3.0 using 2FA over email. Configurable per account.

Tim, honestly, this is phenomenal news! Thank you so much for that. Looking forward to the 3.0 release now! Should we anticipate 2FA app integration, like Google Authenticator or such?
tim (Founder, Sweden), 16 Oct 2024 06:17

If it's possible without dependency libraries I can look into it. Otherwise email will be what comes with the core.
psromanov (Merchant, United States), 16 Oct 2024 16:13

When I was looking into it, I ran into this page, https://medium.com/techvraksh/setup-2fa-using-totp-in-your-app-347e8ff7ad4d, which covers installing TOTP on your own custom domain/app. It does include two dependency libraries, but both are open-source. Load-wise it should be lighter to implement TOTP rather than email generation, but I don't know what your implementation strategy looks like. Thank you once again.
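On the "without dependency libraries" question raised in the two posts above: RFC 6238 TOTP needs only HMAC-SHA1, integer arithmetic and a base32 decoder for the secret that authenticator apps display, all of which PHP ships with (hash_hmac, hash_equals, pack). The following is an added example, not LiteCart code or the code from the linked article; the function names base32_decode_rfc4648, hotp_code, totp_code and totp_verify are assumptions for illustration, and the secret is the ASCII test-vector secret from RFC 6238, embedded here so the block checks itself offline.

```php
<?php
// Added example, not part of LiteCart: RFC 4226 HOTP / RFC 6238 TOTP with PHP built-ins only.
declare(strict_types=1);

/** Decode an RFC 4648 base32 string (the form shown to the user / in the otpauth:// URI). */
function base32_decode_rfc4648(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('Empty base32 input');
    }
    $bits = '';
    $out = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('Invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
        while (strlen($bits) >= 8) {           // emit a byte whenever 8 bits are buffered
            $out .= chr(bindec(substr($bits, 0, 8)));
            $bits = substr($bits, 8);
        }
    }
    return $out;
}

/** One HOTP value for a counter (RFC 4226 dynamic truncation). */
function hotp_code(string $secret, int $counter, int $digits = 6): string
{
    $msg = pack('J', $counter);                          // 8-byte big-endian counter
    $hmac = hash_hmac('sha1', $msg, $secret, true);      // 20 raw bytes
    $offset = ord($hmac[19]) & 0x0F;
    $bin = ((ord($hmac[$offset]) & 0x7F) << 24)
         | (ord($hmac[$offset + 1]) << 16)
         | (ord($hmac[$offset + 2]) << 8)
         | ord($hmac[$offset + 3]);
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP = HOTP over the current 30-second time step. */
function totp_code(string $secret, int $timestamp, int $step = 30, int $digits = 6): string
{
    return hotp_code($secret, intdiv($timestamp, $step), $digits);
}

/**
 * Verify a submitted code, tolerating +/- $window steps of clock skew.
 * Every candidate is compared with hash_equals and the loop never exits early,
 * so the response time does not reveal which step (if any) matched.
 * A real login flow should also persist the matched counter and reject
 * any code at or below it, so a captured code cannot be replayed.
 */
function totp_verify(string $secret, string $submitted, int $timestamp, int $window = 1): bool
{
    $ok = false;
    $counter = intdiv($timestamp, 30);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(hotp_code($secret, $counter + $i), $submitted)) {
            $ok = true;
        }
    }
    return $ok;
}

// Self-check against the RFC 6238 SHA-1 test vector: secret "12345678901234567890", T=59 -> 287082.
$secret = '12345678901234567890';
if (totp_code($secret, 59) !== '287082') {
    throw new RuntimeException('TOTP self-check failed');
}
// The same secret as an app would be enrolled with it (base32 of the 20 ASCII bytes).
if (base32_decode_rfc4648('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ') !== $secret) {
    throw new RuntimeException('base32 self-check failed');
}
if (!totp_verify($secret, '287082', 59 + 30)) {       // previous step still accepted
    throw new RuntimeException('skew window check failed');
}
echo 'current code: ', totp_code($secret, time()), PHP_EOL;
```

For enrollment the server generates the secret with random_bytes(20), stores it with the account, and shows it base32-encoded (or as an otpauth://totp/ URI in a QR code); it should never be derived from the password. On the server this needs nothing beyond a reasonably accurate clock, which is why it is both lighter than sending mail and immune to mail delivery delay.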
s22_tech (Moderator, United States), 2 Jan 2025 04:16

I, too, would like to see TOTP support. Using an authenticator app is pretty slick, and it's also faster than email. Emails can take up to a minute (and possibly longer) to arrive, but TOTP is instantaneous.