    YubiKey

    Wouldn't it be cool if every Miva store seat came with a YubiKey?
    Leslie Kirk
    Miva Certified Developer
    Miva Merchant Specialist since 1997
    Previously of Webs Your Way
    (aka Leslie Nord leslienord)

    Email me: [email protected]
    www.lesliekirk.com

    Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr

    #2
    I tried to negotiate decent pricing with them about that and I wasn't successful, so yeah it would be neat, but it's not likely to happen...
    Thanks,

    Rick Wilson
    CEO
    Miva, Inc.
    [email protected]
    https://www.miva.com



      #3
      Rick Wilson, thanks for trying. I've got some store owners that I'm working on convincing to move to it. They have staff that are not tech-savvy (some don't even have cell phones). They found it easier to use the browser authentication (even though they were advised against it). I have been explaining how easy it is to use a YubiKey.
      Leslie Kirk


        #4
        What is the 'browser authentication'? If they're using two-factor authentication, they'd either need an app on a phone or TOTP service provider (such as Authy), or a hardware token to do YubiOTP (Yubi-specific hardware), or WebAuthn (any provider's WebAuthn-capable device).
        David Hubbard
        CIO
        Miva
        [email protected]
        http://www.miva.com



          #5
          Originally posted by ILoveHostasaurus:
          What is the 'browser authentication'? If they're using two-factor authentication, they'd either need an app on a phone or TOTP service provider (such as Authy), or a hardware token to do YubiOTP (Yubi-specific hardware), or WebAuthn (any provider's WebAuthn-capable device).
          Okay, maybe the wrong terminology - a browser-based plugin (one of the original methods that I seem to recall being outlined when this first was instituted) or maybe it was a desktop app. But either way, there are store owners that need something that doesn't require the use of a cell phone. It looks like Authy has a desktop app; would that be a viable alternative?
          Leslie Kirk


            #6
            If they're using a browser-based plugin to store TOTP keys and generate codes, that is not secure, so I'd definitely recommend moving away from that; that includes Authy's own Chrome plugin. You really don't want the second factor to be stored in the same browser that could potentially be compromised. Authy is free; however, I'm not sure how their own authentication works to access your stored TOTP keys; it may require a text, which users who have no cell phone would not be able to receive.

            The Yubi "Security Key" product line would work fine, those are $20/ea, or even less in two and ten packs. $18 per user one time is really nothing compared to the costs (reputation, liability, legal) of dealing with a compromise.
            David Hubbard


              #7
              Originally posted by ILoveHostasaurus:

              The Yubi "Security Key" product line would work fine, those are $20/ea, or even less in two and ten packs. $18 per user one time is really nothing compared to the costs (reputation, liability, legal) of dealing with a compromise.
              I understand that and that's why I'm trying to convince some of the "older" users to look into it.
              Leslie Kirk


                #8
                What I don't get is only Admins need to be 2FA and if someone has regular employees who don't even own cell phones, it would seem odd that they'd also be the Admin?

                Thanks,

                Rick Wilson


                  #9
                  I have somewhat of an answer for you on this Rick.

                  I have a client that wanted their fulfillment house and its employees to be able to update inventory on a daily basis using "Data Management" because of a spreadsheet import process. But, they didn't want them to have admin user access because of the hassle of assigning 2FA with limited access. There were difficulties using 2FA in their own office too. It was really a non-starter. And, Product/Inventory import needed admin -- as of about 4 months ago anyway. The resolution, as I develop it, is for them to have me build a JSON API solution. I am happy to do that of course. But, while it may not be a perfect use case, it's a simple use case explaining a more simple or less involved 2FA.

                  One other solution would have been to update inventory in batch edit mode manually where the user wouldn't have needed admin level, but the goal was also as much automation as possible. And, it would have taken some training for the employees to learn how to use Batch Edit. It would have cost money because I would have been doing that training. Besides, the JSON API solution is a better solution regardless. I doubt anyone would argue that despite the minimal cost to develop it.

                  My last thought on this, the bigger the operation the less of an issue this might be because of resources. The smaller operations that might tend to outsource IMO will tend to have these balls to juggle because they are running with fewer resources.

                  Scott
                  Last edited by ids; 09-24-19, 04:09 PM.
                  Need to offer Shipping Insurance?
                  Interactive Design Solutions https://www.myids.net
                  MivaMerchant Business Partner | Certified MivaMerchant Web Developer
                  Competitive Rates, Custom Modules and Integrations, Store Integration
                  AutoBaskets|Advanced Waitlist Integration|Ask about Shipping Insurance Integration
                  My T-shirt Collection is mostly MivaCon T-shirts!!



                    #10
                    Originally posted by Rick Wilson:
                    What I don't get is only Admins need to be 2FA and if someone has regular employees who don't even own cell phones, it would seem odd that they'd also be the Admin?
                    Rick Wilson, I had a few days to think about this one - it would be cool if y'all (Miva) could create a simple flowchart-like infographic to help guide storeowners, showing them the various "ifs" and how to configure them. Sort of "Does your employee need to do this? Assign them to these groups." The subject could be something like "Do you really need to give your employee full Administrator access to your store?" Make it a blog post or an email or both. Yes, I know that this page is available https://docs.miva.com/how-to-guides/user-groups but some simple tidbits to help a storeowner with their store might be very beneficial.
                    Leslie Kirk