Magento Two-Factor Authentication (2FA) improves security by requiring two-step authentication to access the Magento Admin UI from all devices. The extension supports multiple authenticators including Google Authenticator, Authy, Duo, and U2F keys. 2FA applies to Magento Admin users only. It is not available for storefront customer accounts.
Two-Factor Authentication gives you the ability to:
- Specify which authentication providers are supported from the Admin.
- Manage and configure authenticator settings globally or per user account.
- Reset authenticators for users.
Magento Admin Workflows
Magento has new workflows for Admin users, including:
- The ability to configure the 2FA provider globally or individually.
- Admin users set their own personal 2FA at first login, and receive a confirmation email to verify their identity.
- The “Trust this device” option has been removed.
For more information, see Two-Factor Authentication in the Magento User Guide.
The 2FA extension installs when you install or upgrade to Magento Open Source or Commerce 2.4.X. The extension installs like a Core Bundled Extension (CBE).
Configure and manage 2FA
Administrators have options to:
- Review existing authenticators configured per user account
- Require specific authenticators
- Reset or remove authenticators to resolve access issues
- Revoke access for devices to resolve access issues
After selecting the supported 2FA authenticators for your Magento instance, each Magento Admin user needs to install and configure one of the supported solutions. For complete instructions, see Using Two-Factor Authentication.
|Google Authenticator||Generate and enter code from mobile app.|
|Authy||SMS, call, token, and one touch
Requirements: API keys
|U2F Keys||Physical device to authenticate, like YubiKey.||
|Duo Security||SMS and push notification.
Requirements: Integration and Secret keys, API hostname
The 2FA provider for Magento Headless can be selected with the
Magento Web API
Two-Factor Authentication is implemented for Magento Web APIs with the following changes:
AdminTokenServiceInterface::createAdminAccessToken()throws an exception when the Admin user doesn’t have personal 2FA configured, and also indicates that the confirmationh email has been sent.
AdminTokenServiceInterface::createAdminAccessToken()throws an exception that indicates which provider is configured for the user and suggests a provider-specific login endpoint.
- 2FA provider-specific endpoints allow each Admin user to configure a personal 2FA and provides tokens for username, password, and OTP (2FA code).
Magento Functional Testing Framework
MFTF uses Google Authenticator to execute tests with 2FA enabled. The following steps summarize how to configure MFTF with an encoded shared secret. For more information, see [Configuring MFTF for Two-Factor Authentication (2FA)].
Select Google Authenticator as the 2FA provider:
bin/magento config:set twofactorauth/general/force_providers google
Increase the lifetime of the window to 60 seconds to prevent tokens from expiring.
bin/magento config:set twofactorauth/google/otp_window 60
Generate a Base32-encoded string for the shared secret value. For example, encoding the string
abcdwith the online [Base32 Encode] tool returns the value
MFRGGZDF. Use the following key to add the encoded value to the MFTF
Add the encoded shared secret to Google Authenticator.
bin/magento security:tfa:google:set-secret admin MFRGGZDF
The extension supports command line options to revoke and reset authenticators. Use these commands when you cannot access the Magento Admin.
Reset authenticator per account
If you need to manually reset a single user configuration, enter the following command. It restarts configuration and 2FA subscription for the user account.
1 bin/magento security:tfa:reset <user> <provider>
Advanced emergency steps
These advanced steps require a full understanding of database management and modifications. We advise that you exercise caution when making any changes directly to your database.
In your database, you can modify the following tables and values to affect and override 2FA.
twofactorauth/general/force_providers- Delete this entry to remove forced providers option.
msp/twofactorauth/force_providers- Delete this entry to remove forced providers option.
- Delete one user row to reset the user’s 2FA preference and configuration.