Two-Factor Authentication

Magento Two-Factor Authentication (2FA) improves security by requiring two-step authentication to access the Magento Admin UI from all devices. The extension supports multiple authenticators including Google Authenticator, Authy, Duo, and U2F keys. 2FA applies to Magento Admin users only. It is not available for storefront customer accounts.

Two-Factor Authentication gives you the ability to:

  • Specify which authentication providers are supported from the Admin.
  • Manage and configure authenticator settings globally or per user account.
  • Reset authenticators for users.

Magento Admin Workflows

Magento has new workflows for Admin users, including:

  • The ability to configure the 2FA provider globally or individually.
  • Admin users set their own personal 2FA at first login, and receive a confirmation email to verify their identity.
  • The “Trust this device” option has been removed.

For more information, see Two-Factor Authentication in the Magento User Guide.

Install 2FA

The 2FA extension installs when you install or upgrade to Magento Open Source or Commerce 2.4.X. The extension installs like a Core Bundled Extension (CBE).

Configure and manage 2FA

See the Magento User Guide to configure 2FA settings and manage user authenticators.

Administrators have options to:

  • Review existing authenticators configured per user account
  • Require specific authenticators
  • Reset or remove authenticators to resolve access issues
  • Revoke access for devices to resolve access issues

Install authenticator

After selecting the supported 2FA authenticators for your Magento instance, each Magento Admin user needs to install and configure one of the supported solutions. For complete instructions, see Using Two-Factor Authentication.

Supported authenticators

| Provider | Authentication Type | <provider> |
|---|---|---|
| Google Authenticator | Generate and enter code from mobile app. | google |
| Authy | SMS, call, token, and one touch. Requirements: API keys | authy |
| U2F Keys | Physical device to authenticate, like YubiKey. | u2fkey |
| Duo Security | SMS and push notification. Requirements: Integration and Secret keys, API hostname | duo |

Headless Magento

The 2FA provider for Magento Headless can be selected with the config:set command.

Magento Web API

Two-Factor Authentication is implemented for Magento Web APIs with the following changes:

  • AdminTokenServiceInterface::createAdminAccessToken() throws an exception when the Admin user doesn’t have personal 2FA configured, and indicates that the confirmation email has been sent.
  • AdminTokenServiceInterface::createAdminAccessToken() throws an exception that indicates which provider is configured for the user and suggests a provider-specific login endpoint.
  • 2FA provider-specific endpoints allow each Admin user to configure personal 2FA and provide tokens in exchange for username, password, and OTP (2FA code).

Magento Functional Testing Framework

MFTF uses Google Authenticator to execute tests with 2FA enabled. The following steps summarize how to configure MFTF with an encoded shared secret. For more information, see [Configuring MFTF for Two-Factor Authentication (2FA)](/guides/v2.4/security/two-factor-authentication.html#magento-functional-testing-framework).

  1. Select Google Authenticator as the 2FA provider:

     bin/magento config:set twofactorauth/general/force_providers google

  2. Increase the lifetime of the window to 60 seconds to prevent tokens from expiring:

     bin/magento config:set twofactorauth/google/otp_window 60

  3. Generate a Base32-encoded string for the shared secret value. For example, encoding the string abcd with the online Base32 Encode tool returns the value MFRGGZDF. Use the following key to add the encoded value to the MFTF .credentials file:

     magento/tfa/OTP_SHARED_SECRET=MFRGGZDF

  4. Add the encoded shared secret to Google Authenticator:

     bin/magento security:tfa:google:set-secret admin MFRGGZDF
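To show what the shared secret and the 60-second window above actually do, here is an added Python example (not code from the Magento page or the TwoFactorAuth extension) that implements the RFC 6238 TOTP algorithm Google Authenticator runs, decodes the MFRGGZDF secret, and verifies a code against a tolerance window. It assumes the RFC 4226/6238 test secret for its self-checks and treats the window as plus or minus that many seconds; Magento's own otp_window handling is not reproduced.

```python
import base64
import hashlib
import hmac
import struct
import time

# Base32 shared secret from the MFTF steps above. It decodes to the five
# bytes b"abcde" (Base32 of the four-byte string "abcd" would be "MFRGGZA=").
SHARED_SECRET_B32 = "MFRGGZDF"
PERIOD = 30   # Google Authenticator's time step, in seconds
DIGITS = 6


def decode_secret(b32: str) -> bytes:
    """Decode a Base32 shared secret into raw key bytes, restoring '=' padding."""
    b32 = b32.strip().upper().replace(" ", "")
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(b32_secret: str, at: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP at Unix time `at`: HOTP with counter = floor(at / period)."""
    return hotp(decode_secret(b32_secret), at // period)


def verify_totp(b32_secret: str, code: str, now: int, window_seconds: int,
                period: int = PERIOD) -> bool:
    """Accept a code from any time step within +/- window_seconds of `now`.

    Models the leeway a 60-second window gives a slow test run (an assumption
    about the setting's intent). Every candidate is compared in constant time
    and the loop never exits early, so timing does not reveal which step matched.
    """
    key = decode_secret(b32_secret)
    steps = window_seconds // period
    matched = False
    for delta in range(-steps, steps + 1):
        if hmac.compare_digest(hotp(key, now // period + delta), code):
            matched = True
    return matched


if __name__ == "__main__":
    print("current code for", SHARED_SECRET_B32, "is", totp(SHARED_SECRET_B32, int(time.time())))
```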
    

Troubleshooting

The extension supports command line options to revoke and reset authenticators. Use these commands when you cannot access the Magento Admin.

Reset authenticator per account

If you need to manually reset a single user configuration, enter the following command. It restarts configuration and 2FA subscription for the user account.

bin/magento security:tfa:reset <user> <provider>

Advanced emergency steps

These advanced steps require a full understanding of database management and modifications. We advise that you exercise caution when making any changes directly to your database.

In your database, you can modify the following tables and values to affect and override 2FA.

Table: core_config_data

  • twofactorauth/general/force_providers - Delete this entry to remove the forced providers option.
  • msp/twofactorauth/force_providers - Delete this entry to remove the forced providers option.

Table: tfa_user_config

  • Delete one user row to reset the user’s 2FA preference and configuration.