Looking for someone to develop a two-factor login scheme for vendors and admins

I would like to know what it would cost to create an addon module that would improve security for the admin and vendor control panels in the cart. This addon should have the following features:

  1. Create an IP allow list. This IP allow list will hold IP address information that will show the admin/vendor user name and their associated IPs that they have logged in with.

  2. Create a two-factor login system for the vendor and admin areas. It will work this way:

    The admin or vendor logs into the cart using their username and password just like they do now. The two-factor login script that you will create will check to see if the user has logged in before. If they have logged in before it will check to see what IP addresses they have logged in from. If the IP address is on the list it will allow them to access the control panel without any further authentication needed.

    If they have not logged in before from an IP address in the allow list the script will do the following:

    a. Bring up another login field that says the following: “You are accessing the admin system from an unknown IP address. We have e-mailed you a pin code. Please enter the pin code to access the control panel.” The two-factor authentication script will e-mail a randomly generated pin code, from our store's e-mail address, to the e-mail address on file for that user name. It should also have the ability for the user to have the system send another pin code if they did not receive the first one. The user can then input the pin code into the site and click login. If the pin code is correct the system will grant access to the admin area and add the IP address to the IP allow list. If it is incorrect the system will deny access using the features in the “Access Restrictions Addon”. This will block their IP if they attempt to log in using the wrong code more than so many times.

    The randomly generated code should have the following features:
  3. It should only be used once.
  4. It should consist of special characters, Numbers and letters.
  5. It should only be good for 2-hours after the e-mail was sent with the code. After 2-hours the system should delete the pin code from the system.

    The IP allow list table should contain the username, IP address, pin code used, and the date logged in as fields. It should have the following features:
  6. The IP addresses should be removed from the table automatically after 30 days. This will force the system to update the IP address in the table as users log in. After 30 days the user will have to authenticate their IP address again.
  7. The Pin Code field is used to ensure that no pin code is used twice at the same time for two different IP addresses. The random pin code generator will have to generate a pin code that is not in use in this table.

    This addon should be created for Multi-Version Vendor 2.2.4. It should also be created as an addon to make upgrading in the future easier.

    This is only for Vendor and Admin users. This should not affect the customers!
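As an added illustration (not code from the post, the cart, or any existing addon), here is a Python model of the flow described in the request: the cart's password check runs first, then an allow-list lookup, then an e-mailed single-use PIN with a two-hour lifetime that, once entered correctly, records the IP for 30 days; the PIN generator refuses any code still present in either table, and repeated wrong codes block the IP. The PIN length of 10, the lockout threshold of 3, the fixed demo clock `at()`, the in-memory tables and the `outbox` list standing in for the mailer are all assumptions; a real addon would keep these rows in the cart's database and hand the block to the Access Restrictions addon.

```python
"""Model of the two-factor admin/vendor login described in the request above.

Added illustration, not code from the post or from the cart: in-memory lists
stand in for the database tables and an outbox list stands in for the mailer.
"""
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

PIN_LENGTH = 10                      # assumed; the post only fixes the character classes
PIN_TTL = timedelta(hours=2)         # PIN is deleted two hours after it was e-mailed
ALLOWLIST_TTL = timedelta(days=30)   # allow-list rows expire after 30 days
MAX_PIN_FAILURES = 3                 # assumed value for "so many times" before the IP is blocked
LETTERS, DIGITS, SPECIALS = string.ascii_letters, string.digits, "!@#$%^&*-_+=?"

T0 = datetime(2024, 1, 1, 9, 0)      # fixed demo clock so expiry can be exercised offline


def at(days=0, hours=0):
    """Time `days` and `hours` after the demo start."""
    return T0 + timedelta(days=days, hours=hours)


@dataclass
class AllowEntry:           # one row of the IP allow-list table
    username: str
    ip: str
    pin_code: str           # kept so a live code is never issued twice (item 7)
    logged_in_at: datetime


@dataclass
class PendingPin:           # a code that was e-mailed but not yet entered
    username: str
    ip: str
    code: str
    sent_at: datetime


class TwoFactorGate:
    def __init__(self, emails):
        self.emails = emails          # username -> e-mail address on file
        self.allow_list = []
        self.pending = []
        self.failures = {}            # ip -> wrong-code count
        self.blocked_ips = set()      # stands in for the Access Restrictions addon
        self.outbox = []              # (to_address, code) instead of a real mailer

    def _purge(self, now):
        """Drop PINs older than two hours and allow-list rows older than 30 days."""
        self.pending = [p for p in self.pending if now - p.sent_at < PIN_TTL]
        self.allow_list = [e for e in self.allow_list if now - e.logged_in_at < ALLOWLIST_TTL]

    def _new_pin(self):
        """Random code containing letters, digits and specials, unused in either table."""
        in_use = {p.code for p in self.pending} | {e.pin_code for e in self.allow_list}
        while True:
            code = "".join(secrets.choice(LETTERS + DIGITS + SPECIALS) for _ in range(PIN_LENGTH))
            if (set(code) & set(LETTERS) and set(code) & set(DIGITS)
                    and set(code) & set(SPECIALS) and code not in in_use):
                return code

    def send_pin(self, username, ip, now):
        """E-mail a fresh PIN; any earlier PIN for this user/IP is invalidated (resend)."""
        self.pending = [p for p in self.pending if (p.username, p.ip) != (username, ip)]
        code = self._new_pin()
        self.pending.append(PendingPin(username, ip, code, now))
        self.outbox.append((self.emails[username], code))
        return "pin_required"

    def login(self, username, ip, now, password_ok):
        """First factor. password_ok stands in for the cart's existing password check."""
        self._purge(now)
        if ip in self.blocked_ips:
            return "blocked"
        if not password_ok:
            return "bad_password"     # never mail a PIN before the password is verified
        if any(e.username == username and e.ip == ip for e in self.allow_list):
            return "granted"          # known IP within 30 days: no second factor
        return self.send_pin(username, ip, now)

    def verify_pin(self, username, ip, code, now):
        """Second factor: a correct code grants access and records the IP; wrong codes count toward a block."""
        self._purge(now)
        if ip in self.blocked_ips:
            return "blocked"
        for p in self.pending:
            if (p.username, p.ip) == (username, ip) and hmac.compare_digest(p.code.encode(), code.encode()):
                self.pending.remove(p)                       # single use
                self.allow_list.append(AllowEntry(username, ip, p.code, now))
                self.failures.pop(ip, None)
                return "granted"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_PIN_FAILURES:
            self.blocked_ips.add(ip)
            return "blocked"
        return "denied"


if __name__ == "__main__":
    gate = TwoFactorGate({"admin": "admin@example.com"})
    print(gate.login("admin", "203.0.113.5", at(), True))          # pin_required
    _, code = gate.outbox[-1]
    print(gate.verify_pin("admin", "203.0.113.5", code, at()))      # granted
    print(gate.login("admin", "203.0.113.5", at(days=1), True))     # granted
    print(gate.login("admin", "203.0.113.5", at(days=31), True))    # pin_required
```

Two points a practitioner would add to the spec: the code is compared in constant time and drawn from `secrets`, not `rand()`, and in a real deployment the PIN column should hold a hash rather than the plaintext, with the uniqueness check done on the hash. The scheme also trusts the source IP, so behind a reverse proxy the addon must use the proxy-supplied client address only if the proxy is trusted, and users on shared NAT will share an allow-list entry.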

These security features are definitely a good idea, however, I fail to see why you would want to increase your cost base for functionalities which are already available in quite a few hosting environments. WHM+ConfigServer Firewall can be set up to pretty much do all of your requirements except the latter parts with regard to 30-day access keys. Perhaps CSF can do this, but as far as I have used it and seen fit, I haven't looked into it any further.

@stellar - not sure that will work for him since he wants it to apply to Admin/Vendor only and not Customer. He's not trying to restrict access, but rather to authenticate a user via email or other secondary authentication if the user comes from an IP that they've not come from before.

That is correct. I am not trying to block all users. I only want an extra authentication step to be put in place for admin users that have not authenticated from a known computer. So if the admin logs into the site, the system will check to see if they have logged in before from their location. If not, the system will require additional authentication such as an e-mail. If they have logged in before from a location the system will allow them to log in without any more authentication.