Two-Factor Authentication (2FA)

Presentation

The Admin Two-Factor Authentication (2FA) module strengthens your PrestaShop back office security by adding a Time-Based One-Time Password (TOTP) verification layer. Even if an employee password is stolen or compromised, access to the back office remains impossible without the temporary code generated by their authentication app.

Compatible with PrestaShop 8.x and 9.x, this module is designed for merchants who want to protect sensitive data, orders, customers and configuration settings from unauthorized access.

Key benefits:

  • TOTP authentication compatible with Google Authenticator, Authy, 1Password and Microsoft Authenticator
  • One-time backup recovery codes
  • Configurable trusted devices
  • Complete 2FA audit log
  • Emergency recovery methods (CLI, bypass file, SQL)

Features

Secure TOTP authentication

The module implements a standard TOTP (Time-Based One-Time Password) system used by leading authentication applications. During login, employees must enter a 6-digit code generated by their mobile app. Verification is enforced securely and cannot be bypassed.

Secret keys are encrypted in the database (AES-256-CBC), and backup codes are securely hashed to prevent exposure.
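The verification and at-rest handling described above, as an added example in PHP (not the module's own code): RFC 6238 TOTP checking with a one-step drift window and a constant-time comparison, the secret encrypted with AES-256-CBC, and backup codes stored as password hashes. The key derivation from a configuration string, the Base32 secret and the backup code are constructed placeholders.

```php
<?php
// Added example (not the module's own code): RFC 6238 TOTP verification plus the
// at-rest protections the module describes. Key, secret and codes below are constructed.
// Base32 (RFC 4648) decode of the secret as shown in the enrolment QR code.
function base32Decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $bits .= str_pad(decbin(strpos($alphabet, $c)), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }
    }
    return $out;
}
// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, 6 digits.
function hotp(string $secret, int $counter, int $digits = 6): string {
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $code = (unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff) % (10 ** $digits);
    return str_pad((string) $code, $digits, '0', STR_PAD_LEFT);
}
// TOTP (RFC 6238): 30-second steps; accept one step either side to absorb clock drift.
// hash_equals() keeps the comparison constant-time so timing cannot leak matching digits.
function verifyTotp(string $secret, string $userCode, int $now, int $window = 1): bool {
    $step = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(hotp($secret, $step + $i), $userCode)) { return true; }
    }
    return false;
}
// Secret at rest: AES-256-CBC with a fresh random IV prepended to the ciphertext.
function encryptSecret(string $secret, string $key): string {
    $iv = random_bytes(16);
    return base64_encode($iv . openssl_encrypt($secret, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv));
}
function decryptSecret(string $blob, string $key): ?string {
    $raw = base64_decode($blob);
    return openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, substr($raw, 0, 16)) ?: null;
}
// Backup codes are stored only as password hashes, so a database export cannot replay them.
function hashBackupCode(string $code): string { return password_hash($code, PASSWORD_DEFAULT); }
function checkBackupCode(string $code, string $hash): bool { return password_verify($code, $hash); }
// Constructed walkthrough: enrol a secret, store it encrypted, verify the current code.
$key = hash('sha256', 'constructed-key-from-shop-config', true);   // 32-byte AES key (constructed)
$stored = encryptSecret(base32Decode('JBSWY3DPEHPK3PXP'), $key);  // constructed test secret
$secret = decryptSecret($stored, $key);
var_dump(verifyTotp($secret, hotp($secret, intdiv(time(), 30)), time()));
var_dump(checkBackupCode('1234-5678', hashBackupCode('1234-5678')));
```

CBC gives confidentiality only; pairing it with an HMAC over the IV and ciphertext, or using an authenticated mode such as AES-256-GCM, also lets the decryptor detect a tampered secret.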

Advanced employee profile management

You can enforce 2FA for specific employee profiles (such as SuperAdmin) and configure a grace period for activation. After the grace period expires, access is blocked until 2FA is properly configured.

A dedicated 2FA dashboard provides an overview of all employees, their 2FA status and recent security events.

Backup codes and trusted devices

Each employee receives 10 one-time backup codes in case their authentication app becomes unavailable. Backup codes can only be used once and can be regenerated when needed.

Trusted devices allow employees to skip 2FA verification on recognized browsers and IP addresses for a configurable number of days. Any change in browser or IP automatically invalidates trust for security reasons.

Anti-brute-force protection

The module includes a configurable lockout mechanism. After a defined number of invalid attempts, the account is temporarily locked for a configurable duration, reducing the risk of brute-force attacks on the back office.
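The trusted-device binding and the lockout counter from the two sections above, as an added PHP example (not the module's own code). The thresholds are constructed values standing in for the module's settings, state is kept in an in-memory array instead of the module's tables, and the login handler is assumed to call isLocked() before verifying a code and recordAttempt() after.

```php
<?php
// Added example (not the module's own code): the trusted-device check and the lockout
// counter that sit in front of TOTP entry. State lives in an array here instead of the DB.
const TRUST_DAYS = 30;     // trusted-device duration (module setting, constructed value)
const MAX_FAILED = 5;      // failed attempts before lockout (module setting, constructed value)
const LOCKOUT_SECS = 900;  // lockout duration (module setting, constructed value)
// A random token goes to the browser; the server keeps only a hash that also binds
// the User-Agent and IP, so a change in either no longer matches the stored binding.
function deviceBinding(string $token, string $userAgent, string $ip): string {
    return hash('sha256', $token . "\0" . $userAgent . "\0" . $ip);
}
function trustDevice(array &$store, int $employeeId, string $ua, string $ip, int $now): string {
    $token = bin2hex(random_bytes(32));   // value for the trusted-device cookie
    $store['trusted'][$employeeId][] = ['binding' => deviceBinding($token, $ua, $ip),
                                        'expires' => $now + TRUST_DAYS * 86400];
    return $token;
}
function isTrusted(array $store, int $employeeId, ?string $token, string $ua, string $ip, int $now): bool {
    if ($token === null) { return false; }
    $binding = deviceBinding($token, $ua, $ip);
    foreach ($store['trusted'][$employeeId] ?? [] as $entry) {
        if ($entry['expires'] > $now && hash_equals($entry['binding'], $binding)) { return true; }
    }
    return false;
}
// Lockout: count consecutive failures; lock for LOCKOUT_SECS once MAX_FAILED is reached.
function isLocked(array $store, int $employeeId, int $now): bool {
    return ($store['lock'][$employeeId]['until'] ?? 0) > $now;
}
function recordAttempt(array &$store, int $employeeId, bool $success, int $now): void {
    if ($success) { unset($store['lock'][$employeeId]); return; }   // success resets the counter
    $prev = $store['lock'][$employeeId] ?? ['fails' => 0, 'until' => 0];
    $fails = ($prev['until'] && $prev['until'] <= $now) ? 1 : $prev['fails'] + 1; // expired lock: fresh count
    $until = $fails >= MAX_FAILED ? $now + LOCKOUT_SECS : 0;
    $store['lock'][$employeeId] = ['fails' => $fails, 'until' => $until];
}
// Constructed walkthrough for employee 7 (IPs from the documentation range 203.0.113.0/24).
$store = []; $now = time(); $ua = 'Mozilla/5.0 (constructed)';
$cookie = trustDevice($store, 7, $ua, '203.0.113.10', $now);
var_dump(isTrusted($store, 7, $cookie, $ua, '203.0.113.10', $now));             // same browser and IP
var_dump(isTrusted($store, 7, $cookie, $ua, '203.0.113.11', $now));             // IP changed
var_dump(isTrusted($store, 7, $cookie, $ua, '203.0.113.10', $now + 31 * 86400)); // trust expired
for ($i = 0; $i < MAX_FAILED; $i++) { recordAttempt($store, 7, false, $now); }
var_dump(isLocked($store, 7, $now));                 // after MAX_FAILED failures
var_dump(isLocked($store, 7, $now + LOCKOUT_SECS));  // once the lockout duration has passed
```

Every transition here (trust granted, trust rejected, lock set, lock expired) is an event the audit log described below should record, so the dashboard can distinguish a forgotten phone from a credential-stuffing run.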

Installation

  1. Download the module from your WePresta account
  2. Go to Modules > Module Manager in your PrestaShop back office
  3. Click Upload a module and select the ZIP file
  4. Access the configuration page to enable and adjust 2FA settings

Required database tables are automatically created and a 2FA Dashboard tab is added to the back office menu.

Configuration

General settings

From the configuration page, you can:

  • Enable or disable 2FA globally
  • Enforce 2FA for selected employee profiles
  • Define the grace period
  • Configure trusted device duration
  • Set maximum failed attempts
  • Define lockout duration
  • Configure audit log retention period

All settings are flexible to match your company’s security policy.

Audit log

Every 2FA-related action is recorded, including:

  • Successful logins
  • Failed verification attempts
  • Backup code usage
  • Account lockouts
  • Trusted device additions or revocations
  • 2FA activation or deactivation

Old logs are automatically cleaned based on your retention settings.

Requirements

  • PrestaShop 8.x or 9.x
  • PHP 7.4 or higher
  • HTTPS (SSL) strongly recommended
  • A TOTP authentication app on each employee’s smartphone

Emergency recovery

If an employee loses access to both their authentication app and backup codes, three recovery methods are available:

  • Disable 2FA via CLI command
  • Create a temporary bypass file
  • Execute a direct SQL query

These recovery options ensure you never permanently lose administrator access.

FAQ

Is the module compatible with all themes?

Yes. The module operates at the back office level and is fully compatible with standard PrestaShop themes.

Can I enforce 2FA only for SuperAdmins?

Yes. You can select exactly which employee profiles must activate 2FA.

What happens if an employee loses their phone?

They can use one of their backup codes. If those are also unavailable, emergency recovery methods can be used.

Is 2FA data stored securely?

Yes. TOTP secrets are encrypted and backup codes are hashed. A simple database export cannot expose them.

Is the trusted device feature secure?

Yes. Trust is tied to both browser and IP address. Any change invalidates the trusted status automatically.

Can 2FA be disabled globally?

Yes. A global toggle allows you to temporarily disable the feature if needed.

Does the module impact performance?

No. Verification is optimized and does not noticeably affect back office performance.

Is it compliant with security best practices?

Yes. The module follows TOTP standards and includes encryption, hashing, CSRF protection and lockout mechanisms.

Can audit logs be exported?

Logs are accessible from the 2FA dashboard and retained according to your configuration.

Does uninstalling remove all 2FA data?

Yes. All 2FA configurations, trusted devices and logs are permanently removed upon uninstall.

Support

For assistance, contact us via your WePresta customer account or email mail@wepresta.shop.

Changelog

Version 1.0.0

  • Initial release
  • TOTP authentication
  • Backup codes
  • Trusted devices
  • Admin dashboard
  • Audit log
  • Emergency recovery methods