Two-Factor Authentication by Duo

Created : 24 October 2021
Last Modified : 24 October 2021

***********************************************************************************
Contents:

A. SUMMARY
B. FILE STRUCTURE
C. INSTALLATION INSTRUCTION
D. HOW IT WORKS
E. CONFIGURATION SETTINGS
F. DATABASE TABLES MODIFIED
G. LANGUAGE SETTINGS CHANGED
H. CHANGE LOGS
I. TROUBLESHOOTING
J. FAQ
K. COPYRIGHT NOTICE
L. TERMS AND CONDITIONS


***********************************************************************************

A. SUMMARY
==========
This module adds an extra layer of protection to your VPCart administration: admin users must verify their identity with two-factor authentication before they can access the VPCart administration.

***********************************************************************************

B. FILE STRUCTURE
===================

Files included in the zip are:
- $$READ_ME_FIRST_duo2fa900.HTML
- admin/duo.wsc
- admin/duo_subs.asp
- admin/duo2fa_setup.asp
- admin/duo2fa_setup_config.asp
- admin/duo2fa_setup_process.asp
- admin/shopa_cleanup.asp
- admin/sqlscripts/duo2fa/*

***********************************************************************************

C. INSTALLATION INSTRUCTION
============================

1. You must log in to your VPCart administration before uploading the module files.

2. Upload the files below to your ADMIN folder. If you have renamed your ADMIN folder, place them in the renamed folder instead.
- admin/duo.wsc
- admin/duo_subs.asp
- admin/duo2fa_setup.asp
- admin/duo2fa_setup_config.asp
- admin/duo2fa_setup_process.asp
- admin/shopa_cleanup.asp
- admin/sqlscripts/duo2fa/*

3. Go to your VPCart administration and open the page below:
http://www.yourdomain.com/<your admin folder>/duo2fa_setup.asp

Note: Replace the placeholders with the values for your VPCart site:
{ www.yourdomain.com } : your site domain
{ your admin folder } : your admin folder

Click the Install Now button.

4. After the installation has completed, you should see the message:

The duo2fa initial setup has now been completed.
Please go to modules configuration page for further setup.

Click the "modules configuration page" link.

5. Fill in the required fields:

Enable: Please set to Yes to enable this module.

DUO Integration Key: Enter your DUO Integration Key (Client ID).
Please refer to the section "How to get your DUO Integration Key (Client ID), Secret Key (Client Secret) and API Hostname" below.

DUO Secret Key: Enter your DUO Secret Key (Client Secret).
Please refer to the section "How to get your DUO Integration Key (Client ID), Secret Key (Client Secret) and API Hostname" below.

Application Key: Enter your own application secret key. This is a string that you generate yourself and keep secret from Duo (it is distinct from the secret key provided by Duo). It should be at least 40 characters long.

DUO API Hostname: Enter your DUO API hostname, e.g. api-XXXXXXXX.duosecurity.com
Please refer to the section "How to get your DUO Integration Key (Client ID), Secret Key (Client Secret) and API Hostname" below.

Then click the SAVE button.
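To show what the four settings above are used for, here is an added Python illustration of the Duo Web SDK v2 signing scheme that a "Web SDK" application with an integration key, a Duo secret key and a self-generated application key follows. It is not the module's own duo.wsc code, and every key value in it is a constructed sample. The Duo secret key signs the half of each token that Duo checks, while your private application key signs the half that only your own server can verify, which is why that key must be long and never shared with Duo.

```python
import base64, hashlib, hmac, time

# Constructed sample values standing in for the module's settings (not real keys).
IKEY = "DIXXXXXXXXXXXXXXXXXX"                 # xduo2fa_integration_key (Client ID)
SKEY = "duo-secret-key-sample-" + "x" * 18    # xduo2fa_secret_key (Client Secret), 40 chars
AKEY = "app-key-you-generated-" + "y" * 18    # xduo2fa_app_key, generated by you, 40+ chars
EXPIRE = {"TX": 300, "APP": 3600, "AUTH": 300}  # token lifetimes in seconds

def _hmac_sha1(key, data):
    return hmac.new(key.encode(), data.encode(), hashlib.sha1).hexdigest()

def _sign_vals(key, username, ikey, prefix):
    # Token layout: PREFIX|base64(user|ikey|expiry)|hmac-sha1(key, "PREFIX|base64").
    exp = str(int(time.time()) + EXPIRE[prefix])
    b64 = base64.b64encode(f"{username}|{ikey}|{exp}".encode()).decode()
    cookie = f"{prefix}|{b64}"
    return f"{cookie}|{_hmac_sha1(key, cookie)}"

def _parse_vals(key, token, prefix, ikey):
    # Returns the username only if signature, prefix, ikey and expiry all check out.
    try:
        u_prefix, u_b64, u_sig = token.split("|")
        user, u_ikey, exp = base64.b64decode(u_b64).decode().split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(_hmac_sha1(key, f"{u_prefix}|{u_b64}").encode(), u_sig.encode()):
        return None
    if u_prefix != prefix or u_ikey != ikey or int(time.time()) >= int(exp):
        return None
    return user

def sign_request(ikey, skey, akey, username):
    # Login page: TX part signed with Duo's skey, APP part signed with your akey; both go to the Duo iframe.
    if len(akey) < 40:
        raise ValueError("application key must be at least 40 characters")
    return _sign_vals(skey, username, ikey, "TX") + ":" + _sign_vals(akey, username, ikey, "APP")

def duo_auth_reply(skey, ikey, username):
    # Stand-in for Duo's service: after a successful second factor it returns an AUTH token made with skey.
    return _sign_vals(skey, username, ikey, "AUTH")

def verify_response(ikey, skey, akey, sig_response):
    # Duo posts back "AUTH:APP". Both halves must verify and name the same user before the admin session is created.
    try:
        auth_sig, app_sig = sig_response.split(":")
    except ValueError:
        return None
    auth_user = _parse_vals(skey, auth_sig, "AUTH", ikey)
    app_user = _parse_vals(akey, app_sig, "APP", ikey)
    return auth_user if auth_user is not None and auth_user == app_user else None
```

The request token from sign_request is never accepted by verify_response, because its "TX" prefix is not "AUTH"; only a token issued after the second factor passes.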

++++++++++++++++++++++++++++++++++++++++++++++
For step 5 above, you must register an account with Duo if you do not have one yet.

REGISTER ACCOUNT WITH DUO:

a. Go to https://signup.duo.com/

b. Enter your First Name, Last Name, Email, Phone number etc., and continue with the sign-up.

c. You will be asked to check your email to complete your registration.
Go to the inbox of the registered email address, open the email from Duo and click the Verify Your Email button.

d. You will be verified and asked to create a new password and confirm it.

e. After entering the new password, click Continue.

f. You will be asked to download the Duo Mobile app and scan the barcode. You can click to skip this for now.

g. Next, you will be asked to verify your phone. Click the Text Me button. You should receive an SMS with the passcode.

h. Enter the passcode from the SMS into the passcode field and click Continue.

i. You are done. Click the Continue button to access the Duo administration.

++++++++++++++++++++++++++++++++++++++++++++++

How to get your DUO Integration Key (Client ID), Secret Key (Client Secret) and API Hostname

a. Go to https://admin.duosecurity.com

b. Enter your registered email address and click Continue button.

c. Enter your password and click Log In button.

d. You will be asked to confirm your identity. Click Text me.

e. You should get the sms for the passcode. Please enter the passcode and click Submit.

f. After logging in, click the Applications menu on the left bar.

g. Click the Protect an Application button.

h. In the application list, search for "Web SDK" and click the Protect button.

i. You should be presented with the Client ID, Client Secret and API Hostname values.

++++++++++++++++++++++++++++++++++++++++++++++

6. Open your VPCart admin login file, located in your VPCart admin folder, using Notepad or another text editor.
E.g. if your admin login page is https://www.example.com/admin/myadminlogin.asp

then open the file "myadminlogin.asp".

7. Locate this code (around line 275):

SetSess "shopadmin" , replace(request("username"), "'", "''")

8. Replace it with:

SetSess "shopadminduo" , replace(request("username"), "'", "''")

9. Save the file and upload it back to your admin folder.


***********************************************************************************

D. HOW IT WORKS
===============

After you have enabled this module, the next time you log in to your administration there will be an extra verification step in the login process.

First, log in as usual with your VPCart admin username, password and second password.



Next, after you have entered the correct VPCart admin login details, you will be presented with a screen to set up Duo.
Click the Start Setup button as shown below:



Then select the type of device you are using. We recommend Mobile Phone; then click Continue.



On the next screen, you will be asked to enter your mobile phone number. Select your country, enter your mobile number and click the Continue button.




You will be asked to verify ownership of the mobile number. Click the Text Me button.



You should receive an SMS; enter the 6-digit code and click the Verify button.
Then click the Continue button as shown below:



Next, click Continue to Login as shown below:



Please note that the steps above only need to be completed ONCE, the first time you log in.

After that, every time you log in to the VPCart administration you will only be asked to choose the validation method, Push or Passcode. Select whichever suits you.



NOTE: To use PUSH notifications, you need the Duo Mobile application installed on your smartphone.
It is available for iPhone and Android.

If you click "Send me a Push", you will see the push notification on your mobile phone as shown below:



With this information, you can see the location and time of the admin login attempt. Approve it if it is you or a valid admin user, or click Deny if the access to your VPCart administration looks suspicious.

If you approve, the user can continue to the admin dashboard.



If you deny, the user will not be able to access the administration.



***********************************************************************************

E. CONFIGURATION SETTINGS
=========================

- xduo2fa
- xduo2fa_integration_key
- xduo2fa_secret_key
- xduo2fa_app_key
- xduo2fa_api_hostname

F. DATABASE TABLES MODIFIED
===========================
NONE


G. LANGUAGE SETTINGS CHANGED
============================
NONE

H. CHANGE LOGS
============================

2021.10.24 - Available for VPCART 9

***********************************************************************************

I. TROUBLESHOOTING
============================

Please submit a ticket to our helpdesk at https://helpdesk.vpcart.com and our support team will assist you.

***********************************************************************************

J. FAQ
============================

NONE

***********************************************************************************
K. COPYRIGHT NOTICE
============================

Copyright (c) 1999-2021 Rocksalt International Pty. Ltd.
All rights reserved.

This software and documentation constitute a published work and
contains valuable trade secrets and proprietary information
belonging to Rocksalt International Pty. Ltd.
None of the foregoing material may be copied,
duplicated or disclosed without the express written permission
of Rocksalt International Pty. Ltd.

LICENSEE ACCEPTS VP-ASP Shopping Cart "AS IS" "WITH ALL FAULTS",
Rocksalt International Pty. Ltd. accepts no responsibility for the
operation or performance of the VP-ASP Shopping Cart.
The entire risk of use and consequences of use of the
VP-ASP Shopping Cart falls completely on the Licensee
and Rocksalt International Pty. Ltd. shall not be liable in any respect
for any claims, loss or injury alleged to have resulted
from use of or in reliance on VP-ASP Shopping Cart.

Licensee acknowledges that it has read the foregoing
disclaimers of warranty and limitation of liability
and understands that Licensee assumes
the entire risk of using VP-ASP Shopping Cart.


***********************************************************************************

L. TERMS AND CONDITIONS
============================
ROCKSALT INTERNATIONAL GRANTS TO THE LICENSEE A NON-EXCLUSIVE,
NON-SUB LICENSABLE, NONTRANSFERABLE LICENSE
TO INSTALL AND USE THIS APPLICATION ON A SINGLE DOMAIN FOR
A SINGLE SHOP.

THE CODE IN THE APPLICATION MAY BE MODIFIED FOR USE IN
SETTING UP A SINGLE SHOPPING SITE ON THE WORLD WIDE WEB.

LICENSEE MAY MAKE A COPY OF THE APPLICATION FOR
BACK-UP AND ARCHIVAL PURPOSES, PROVIDED THAT ANY COPY
MUST CONTAIN ALL PROPRIETARY NOTICES INCLUDED
WITH THE APPLICATION.

LICENSEE IS PROHIBITED FROM SELLING OR DISTRIBUTING
THE APPLICATION IN ANY MANNER.

LIMITATION OF LIABILITY.

ROCKSALT INTERNATIONAL AND ITS LICENSORS SHALL
NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE OR ANY
THIRD PARTY AS A RESULT OF USING OR DISTRIBUTING THIS
APPLICATION.

IN NO EVENT WILL ROCKSALT INTERNATIONAL OR ITS LICENSORS
BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA,
OR FOR DIRECT, INDIRECT, SPECIAL,
CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES,
HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LI
ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE,
EVEN IF ROCKSALT INTERNATIONAL HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.