
Product Requirements Document: Admin Area 2FA and Lockout

1. Introduction/Overview

This document outlines the requirements for implementing Two-Factor Authentication (2FA) and account lockout in the admin area of our Sylius-based e-commerce website. The feature will significantly strengthen security by reducing the risk of unauthorized access and data breaches, mitigating brute-force attacks, and protecting sensitive admin data and configuration, thereby preventing accidental or malicious changes to the system.

Goal: To implement robust 2FA and lockout mechanisms for the admin area, enhancing overall security and protecting sensitive data.

2. Goals

  • Implement 2FA using the SchebTwoFactorBundle to protect admin accounts.
  • Implement account lockout after a defined number of failed login attempts.
  • Minimize disruption to existing admin workflows while maximizing security.
  • Ensure the system is resilient against brute-force attacks.
  • Increase the security of the system.

3. User Stories

  • As an administrator, I want to log in to the admin panel securely using 2FA, so that unauthorized users cannot access my account even if they have my password.
  • As an administrator, I want to receive a 2FA code via email, as this is a convenient and accessible method for me.
  • As an administrator, I want to be automatically locked out of my account after a certain number of failed login attempts, so that attackers cannot brute-force my password.
  • As a system administrator, I want to configure the number of failed login attempts before lockout, the lockout duration, and the available 2FA methods, so that I can tailor the security settings to our specific needs.
  • As the system, I must notify the admin user or the security team whenever an account is locked out, so that they are informed of potential security threats.

4. Functional Requirements

  1. The system must integrate the SchebTwoFactorBundle (version 5.x) for 2FA functionality.
  2. The system must override the Sylius admin_user resource with a custom AdminUser class to store 2FA-related data (e.g., preferred 2FA method, authentication codes).
  3. The system must update the admin user form to include a field for setting the preferred 2FA method (defaulting to email).
  4. The system must send 2FA codes via email using our existing transactional email system and templates. The existing email template will be overridden.
  5. The system must implement brute-force protection to prevent attackers from repeatedly attempting to guess passwords.
  6. The system must lock out an admin account after 5 failed login attempts.
  7. The system must have a configurable lockout duration. The lockout duration will be set to 15 minutes.
  8. The system must support email as the only 2FA method.
  9. The system must prompt the user to enter a 2FA code after successful username/password authentication.
  10. The system must verify the entered 2FA code against the stored code for the user.
  11. The system must grant access to the admin panel only upon successful 2FA code validation.
  12. The system must log all failed login attempts and lockout events.
  13. The system must notify the administrator that the account has been locked out due to too many failed login attempts. An email will be sent to the admin user.
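The lockout rules in requirements 5 to 7 and 12 (five failures, a 15-minute lockout, an audit trail of failed logins and lockout events), as an added PHP sketch that is not part of this document and is not Sylius or SchebTwoFactorBundle code. It assumes PHP 8.1 or later, invented class and method names (AdminLockoutPolicy, isLocked, recordFailure, recordSuccess), and an in-memory array standing in for the fields that would live on the custom AdminUser entity.

```php
<?php
// Hypothetical, framework-independent model of the lockout rules in requirements 5, 6, 7 and 12.
// Class and method names are illustration-only assumptions, not Sylius or SchebTwoFactorBundle API.
final class AdminLockoutPolicy
{
    /** @var array<string, array{failures: int, lockedUntil: ?int}> per-user state (stand-in for AdminUser columns) */
    private array $state = [];
    /** @var list<string> audit trail of failed logins and lockouts (requirement 12) */
    private array $auditLog = [];
    public function __construct(
        private readonly int $maxAttempts = 5,          // requirement 6
        private readonly int $lockoutSeconds = 15 * 60, // requirement 7: 15 minutes
    ) {}
    /** True while the account is locked at $now (unix seconds); check this before verifying the password. */
    public function isLocked(string $username, int $now): bool
    {
        $until = $this->state[$username]['lockedUntil'] ?? null;
        if ($until !== null && $now >= $until) {
            unset($this->state[$username]); // lockout expired: the counter starts again from zero
            return false;
        }
        return $until !== null;
    }
    /** Records a failed password check; returns true when this failure triggered a lockout. */
    public function recordFailure(string $username, int $now): bool
    {
        if ($this->isLocked($username, $now)) {
            $this->auditLog[] = "$now login_failed user=$username reason=locked";
            return false; // already locked: record the attempt but do not extend the lockout
        }
        $failures = ($this->state[$username]['failures'] ?? 0) + 1;
        $this->state[$username] = ['failures' => $failures, 'lockedUntil' => null];
        $this->auditLog[] = "$now login_failed user=$username attempt=$failures";
        if ($failures < $this->maxAttempts) {
            return false;
        }
        $until = $now + $this->lockoutSeconds;
        $this->state[$username]['lockedUntil'] = $until;
        $this->auditLog[] = "$now account_locked user=$username until=$until";
        return true; // caller sends the lockout notification email (requirement 13)
    }
    /** A completed login (password and 2FA code) clears the failure counter. */
    public function recordSuccess(string $username): void { unset($this->state[$username]); }
    public function auditLog(): array { return $this->auditLog; }
}

// Constructed walk-through: five wrong passwords lock "admin"; after the 15-minute window the login is allowed again.
$policy = new AdminLockoutPolicy(); $t = 1_700_000_000; // constructed timestamp
for ($i = 1; $i <= 5; $i++) { $policy->recordFailure('admin', $t + $i); }
var_dump($policy->isLocked('admin', $t + 10), $policy->isLocked('admin', $t + 5 + 15 * 60));
```

The lockout check runs before the password is verified, so a locked account gives the same response whether or not the submitted password is correct, and the counter is only reset by a fully completed login or by expiry of the lockout window.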

5. Non-Goals (Out of Scope)

  • Implementing 2FA for customer accounts.
  • Integrating with third-party authentication providers (e.g., Google Authenticator).
  • Providing detailed security reports and analytics.
  • Developing a custom 2FA solution instead of using the bundle.
  • Offering advanced user training on security best practices.
  • Implementing biometric authentication methods.
  • Implementing IP restrictions.

6. Design Considerations

  • The admin user form should be updated in a way that is consistent with the existing Sylius UI/UX.
  • The email template for sending 2FA codes should be responsive and branded appropriately.
  • Consider using existing Sylius form types and styling components where possible.

7. Technical Considerations

  • The SchebTwoFactorBundle version 5.x should be used due to compatibility and reduced configuration complexity.
  • Ensure proper integration with the Sylius user management system.
  • Consider the performance impact of the 2FA and lockout mechanisms on the overall system.
  • The existing Auth module will be updated.
  • Careful consideration should be given to error handling and logging.

8. Success Metrics

  • Reduction in the number of unauthorized login attempts.
  • No successful brute-force attacks reported.

9. Open Questions

  • Are there any specific security policies or compliance requirements that need to be considered?
  • What is the desired lockout duration after multiple failed attempts?
