| Compatibility | Bagisto v2.3.x |
| Created | 2 months ago |
| Document | User Guide |
| Support | Support |
Enterprise-grade Two-Factor Authentication for Bagisto with zero external dependencies. CartCan 2FA v1.1.0 adds robust security to your admin panel using the TOTP protocol, with all libraries pre-bundled. It features replay attack protection, super admin email notifications, multi-admin isolation, and security audit logging. Admins set it up via QR code with Google Authenticator, Authy, or Microsoft Authenticator. It includes AES-256 encrypted storage, 10 recovery codes, a configurable email reset system, rate limiting, and seamless integration with the native Bagisto 2.3.x admin interface. 5-minute installation, production-ready.
Transform your Bagisto admin panel into an impregnable fortress with this standalone Two-Factor Authentication extension. Developed and maintained by CartCan™, this professional security system adds robust protection using the industry-standard TOTP protocol. All libraries are pre-bundled, so no external dependencies are required. You get enterprise-grade security ready to deploy in five minutes, with no coding, setup complexity, or developer assistance needed.
Designed to integrate seamlessly with your Bagisto 2.3.x store, this 2FA system gives you reliable, secure protection for every administrator account — from super-admins to regular managers — all through a native admin interface that feels familiar and intuitive.
Version 1.1.0 introduces enterprise-level protection mechanisms designed for store owners who demand measurable security improvements. Multiple layers of advanced security work seamlessly inside your Bagisto dashboard with zero training required.
**🔒 Security Enhancements**
✅ Replay Attack Protection - Timestamp tracking prevents code reuse
✅ Multi-Admin Protection - Prevents cross-admin 2FA manipulation
✅ Session-Based Verification - Email reset links require active sessions

**🚨 New Features**
✅ Super Admin Notifications - Email alerts for all security events
✅ Configurable Security Policies - New environment variables
✅ Enhanced Audit Logging - Complete forensic trails

**⚙️ Configuration Options**
✅ CARTCAN_2FA_NOTIFY_SUPERADMINS (default: true)
✅ CARTCAN_2FA_EMAIL_EXPIRY (default: 30 minutes)
✅ CARTCAN_2FA_REQUIRE_SESSION (default: true)

**🐛 Bug Fixes**
✅ Fixed view namespace resolution for email templates
✅ Improved recovery code validation with constant-time comparison
✅ Made migrations idempotent with Schema::hasColumn() checks

**📊 Database Changes**
✅ Added two_factor_last_used_at column for replay detection

**🎉 First Published**
✅ Standard TOTP authentication (RFC 6238)
✅ QR code generation with Imagick/GD support
✅ 10 encrypted recovery codes
✅ Email-based reset system with signed URLs
✅ Rate limiting and brute-force protection
✅ Native Bagisto 2.3+ integration
✅ AES-256 encryption for all sensitive data
✅ Post-login challenge middleware
✅ Multi-language support

If you have more details or questions, you can reply to the received confirmation email.