Two-Factor Authentication

Magento Two-Factor Authentication (2FA) improves security by requiring two-step authentication to access the Magento Admin UI from all devices. The extension supports multiple authenticators including Google Authenticator, Authy, Duo, and U2F keys. 2FA applies to Magento Admin users only. It is not available for storefront customer accounts.

Two-Factor Authentication gives you the ability to:

  • Choose which authentication providers are supported.
  • Manage and configure authenticator settings globally.
  • Reset authenticators for users.

Admin Workflows

A Magento Admin user can perform the following 2FA workflows:

  • Initially configure the global 2FA providers.
  • Reset an authenticator associated with a user account.

See Two-Factor Authentication in the Magento User Guide.

Install 2FA

The 2FA extension installs when you install or upgrade to Magento Open Source or Adobe Commerce 2.4.x. The extension installs like a Core Bundled Extension (CBE).

Configure and manage 2FA

See the Magento User Guide to configure 2FA settings and manage user authenticators.

Administrators have options to:

  • Review existing authenticators configured per user account
  • Require specific authenticators
  • Reset or remove authenticators to resolve access issues
  • Revoke access for devices to resolve access issues

Install authenticator

After selecting the supported 2FA authenticators for your Magento instance, each Magento Admin user needs to install and configure one of the supported solutions. For complete instructions, see Using Two-Factor Authentication.

Supported authenticators

| Provider | Authentication Type | `<provider>` |
| --- | --- | --- |
| Google Authenticator | Generate and enter code from mobile app. | google |
| Authy | SMS, call, token, and one touch. Requirements: API keys | |
| U2F Keys | Physical device to authenticate, like YubiKey. | u2fkey |
| Duo Security | SMS and push notification. Requirements: Integration and Secret keys, API hostname | |

Headless Magento

The 2FA provider for Magento Headless can be selected with the config:set command.

Magento Web API

Two-Factor Authentication is implemented for Magento Web APIs with the following changes:

  • AdminTokenServiceInterface::createAdminAccessToken() throws an exception when the Admin user doesn’t have personal 2FA configured, and also indicates that the confirmation email has been sent.
  • AdminTokenServiceInterface::createAdminAccessToken() throws an exception that indicates which provider is configured for the user and suggests a provider-specific login endpoint.
  • 2FA provider-specific endpoints allow each Admin user to configure personal 2FA and return an access token in exchange for username, password, and OTP (2FA code).
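The three-step exchange above, as an added illustration that is not Magento's own client or server code: a small client that first calls the real admin token endpoint (`/V1/integration/admin/token`) with credentials only, distinguishes the "2FA not configured" exception from the "use the provider endpoint" exception, and only then sends the OTP to the endpoint the error message suggests. The provider endpoint pattern `/V1/tfa/provider/<provider>/authenticate`, the error message wording and the whole `fake_magento` server are constructed for this example so it runs offline; the page only states that the exception names the provider and suggests an endpoint.

```python
import re
from typing import Callable, Dict, Tuple

# Transport abstraction: post(path, payload) -> (HTTP status, parsed JSON body).
# Injecting it lets the flow run against the constructed server below.
Transport = Callable[[str, Dict[str, str]], Tuple[int, object]]

ADMIN_TOKEN_ENDPOINT = "/V1/integration/admin/token"          # real Magento endpoint
PROVIDER_ENDPOINT = "/V1/tfa/provider/{provider}/authenticate"  # ASSUMED pattern, not from the page


class TwoFactorNotConfigured(Exception):
    """The Admin user has no personal 2FA yet; Magento has e-mailed setup instructions."""


class AdminTokenClient:
    def __init__(self, post: Transport) -> None:
        self._post = post

    def get_token(self, username: str, password: str, otp: str) -> str:
        # Step 1: credentials only. The OTP is never sent to the generic token endpoint.
        status, body = self._post(ADMIN_TOKEN_ENDPOINT, {"username": username, "password": password})
        if status == 200:
            return str(body)
        message = body.get("message", "") if isinstance(body, dict) else str(body)
        if "not configured" in message.lower():
            # Nothing more the API client can do: the user must finish setup via the e-mail.
            raise TwoFactorNotConfigured(message)
        # Step 2: the exception names the provider and suggests its login endpoint.
        match = re.search(r"(/V1/\S+)", message)
        if not match:
            raise RuntimeError(f"unexpected error from token endpoint: {message}")
        endpoint = match.group(1)
        # Step 3: username, password and OTP go to the provider-specific endpoint.
        status, body = self._post(endpoint, {"username": username, "password": password, "otp": otp})
        if status != 200:
            raise PermissionError(body.get("message", "2FA login failed") if isinstance(body, dict) else str(body))
        return str(body)


def login_outcome(post: Transport, username: str, password: str, otp: str) -> str:
    """Summarise the result of a login attempt as a short string (handy for tests and scripts)."""
    try:
        return "token:" + AdminTokenClient(post).get_token(username, password, otp)
    except TwoFactorNotConfigured:
        return "2fa-not-configured"
    except (PermissionError, RuntimeError):
        return "denied"


# --- Constructed stand-in for a Magento instance (illustrative responses, not Magento's wording) ---
USERS = {
    "admin": {"password": "correct-horse", "provider": "google", "otp": "123456"},
    "newadmin": {"password": "battery-staple", "provider": None, "otp": None},
}


def fake_magento(path: str, payload: Dict[str, str]) -> Tuple[int, object]:
    user = USERS.get(payload.get("username", ""))
    if user is None or user["password"] != payload.get("password"):
        return 401, {"message": "The account sign-in was incorrect."}
    if path == ADMIN_TOKEN_ENDPOINT:
        if user["provider"] is None:
            return 401, {"message": "Personal 2FA is not configured. A confirmation email has been sent."}
        suggested = PROVIDER_ENDPOINT.format(provider=user["provider"])
        return 401, {"message": f"Please use the '{user['provider']}' provider endpoint: {suggested}"}
    if user["provider"] and path == PROVIDER_ENDPOINT.format(provider=user["provider"]):
        if payload.get("otp") == user["otp"]:
            return 200, "constructed-token-0001"
        return 401, {"message": "Invalid code."}
    return 404, {"message": "Request does not match any route."}


if __name__ == "__main__":
    print(login_outcome(fake_magento, "admin", "correct-horse", "123456"))
    print(login_outcome(fake_magento, "newadmin", "battery-staple", "000000"))
    print(login_outcome(fake_magento, "admin", "correct-horse", "999999"))
```

The point worth keeping from the flow: a client that already holds an OTP must still start at the plain token endpoint, because only the exception tells it which provider endpoint to use, and a user without personal 2FA cannot be logged in through the API at all until the e-mailed setup is completed.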

Magento Functional Testing Framework

MFTF uses Google Authenticator to execute tests with 2FA enabled. The following steps summarize how to configure MFTF with an encoded shared secret.

  1. Select Google Authenticator as the 2FA provider:

     bin/magento config:set twofactorauth/general/force_providers google

  2. Increase the OTP validity window to 60 seconds so that codes do not expire before the test submits them:

     bin/magento config:set twofactorauth/google/otp_window 60

  3. Generate a Base32-encoded string for the shared secret value. For example, encoding the string abcde with the online Base32 Encode tool returns the value MFRGGZDF. Use the following key to add the encoded value to the MFTF .credentials file:

  4. Add the encoded shared secret to Google Authenticator:

     bin/magento security:tfa:google:set-secret admin MFRGGZDF


The extension supports command-line options to revoke and reset authenticators. Use these commands when you cannot access the Magento Admin.

List all available 2FA providers

If you need to know all the available 2FA providers, enter the following command.

bin/magento security:tfa:providers

Reset authenticator per account

If you need to manually reset a single user's configuration, enter the following command. It clears the user's stored configuration for that provider, so the user must complete 2FA setup again at the next login.

bin/magento security:tfa:reset <user> <provider>

For example:

bin/magento security:tfa:reset admin google
bin/magento security:tfa:reset admin u2fkey

Advanced emergency steps

These advanced steps require a full understanding of database management and modifications. We advise that you exercise caution when making any changes directly to your database.

In your database, you can modify the following tables and values to affect and override 2FA.

Table: core_config_data

  • twofactorauth/general/force_providers - Delete this entry to remove the forced-providers setting.
  • msp/twofactorauth/force_providers - Delete this entry to remove the forced-providers setting.

Table: tfa_user_config

  • Delete one user row to reset the user’s 2FA preference and configuration.