Everything you'd want to know before you install.
A detailed look at how 2FA Google Authenticator for PrestaShop works, why we built it the way we did, and the thinking behind the features above.
Why 2FA on PrestaShop
The PrestaShop back office is the number one attack target on your store. A compromised admin password (phishing, a leak from another application, a dictionary attack) means direct access to your orders, your customers, your source code. 2FA adds a second layer: even with the password, the attacker cannot log in without the phone. The vast majority of documented back-office intrusions would have been prevented by active 2FA.
TOTP standard, no proprietary service
The module follows the RFC 6238 (TOTP) standard — the same one used by Google Authenticator, Authy, 1Password, Microsoft Authenticator, etc. Your employees use the app of their choice, without installing anything specific. If your company already uses 1Password, the 2FA simply joins the existing secrets. No third-party service, no per-user cost, no external dependency: even the pairing QR code is generated locally in the browser.
PrestaShop 8 and 9, one single version
The module is natively compatible with PrestaShop 8.0 to 8.2 and PrestaShop 9, including the new Symfony login page introduced by PS9. 2FA verification plugs into the login flow whatever the version, with no version-specific setup. You can migrate your store from PS8 to PS9 without touching the module or re-pairing employees.
Progressive rollout
2FA can be made mandatory for all employees (forced mode: any employee without 2FA is redirected to pairing at login) or left as individual opt-in, each employee enabling their own 2FA from their user menu. This enables a progressive rollout: start opt-in with the reminder banner, watch adoption, then switch to mandatory mode.
Handling a lost phone
The “I can't log in anymore, I changed phones” scenario is covered at two levels. First safety net: 8 single-use recovery codes, generated at initial pairing. The employee keeps them in a password manager or printed in a safe. Second safety net: a Super Admin can reset an employee's 2FA in one click from the module configuration page. The next login will prompt initial pairing again with a new QR code.
Security and brute-force protection
Each employee's TOTP secret is encrypted with AES-256 in the database — even read-only access to your SQL database is not enough to regenerate codes. Recovery codes are stored as SHA-256 hashes, never in plain text. After 5 consecutive invalid codes, 2FA verification for the account is locked for 15 minutes, making enumeration of 6-digit codes impractical.
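To make the mechanisms above concrete, here is an added illustration (written in Python for this page, not the module's own PHP code) of RFC 6238 TOTP verification combined with SHA-256 hashed single-use recovery codes and a 5-failure / 15-minute lockout; the one-step clock-drift window and the in-memory state are assumptions, and AES-256 encryption of the secret at rest is not shown.

```python
import hashlib
import hmac
import struct

STEP = 30            # RFC 6238 time step in seconds
DIGITS = 6           # code length used by Google Authenticator
MAX_FAILURES = 5     # consecutive invalid codes before lockout (from the page)
LOCK_SECONDS = 15 * 60

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)

class Employee2FA:
    """Per-employee state (assumed, in-memory): secret, hashed recovery codes, lockout."""
    def __init__(self, secret: bytes, recovery_codes):
        self.secret = secret
        # recovery codes are kept only as SHA-256 hashes, never in clear text
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in recovery_codes}
        self.failures = 0
        self.locked_until = 0

    def verify(self, submitted: str, now: int) -> bool:
        if now < self.locked_until:
            return False                     # locked: reject without evaluating the code
        # assumption: accept the current step and one step either side for clock drift
        for drift in (-1, 0, 1):
            if hmac.compare_digest(hotp(self.secret, now // STEP + drift), submitted):
                self.failures = 0
                return True
        # fall back to a single-use recovery code, compared by hash
        h = hashlib.sha256(submitted.encode()).hexdigest()
        if h in self.recovery_hashes:
            self.recovery_hashes.discard(h)  # burn the code after one use
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCK_SECONDS
            self.failures = 0
        return False
```

The `totp` function reproduces the RFC 6238 SHA-1 test vectors (for example, the ASCII secret `12345678901234567890` at T=59 gives `287082`), so it can be checked against any authenticator app.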