
The Magento admin panel is a hub for processing orders, setting up product listings, managing customers, and more. So, if the admin panel's security is compromised, you put both your own and your customers' sensitive data at risk.
That is why you need to protect your admin panel before any harm is done. This is where Magento two-factor authentication comes into play to reduce security risks and keep your data protected.
In this guide, you'll find everything you need to know to enable, manage, and use two-factor authentication to the fullest.
What is Magento Two Factor Authentication?
The Magento two factor authentication (2FA) is a built-in security mechanism that uses two authentication factors to access the admin panel. To complete 2FA, you need something you know (a password) and something you have (an access token) or are (fingerprints, face ID, etc.).
This means that, in addition to the password, admins have to take one more step to confirm their identity: enter an access code, confirm the login on another device, authenticate with biometric data, etc.
In this case, even if the password is hacked, there is another barrier the attackers would need to deal with.
Magento two-factor authentication adds an extra security layer to your admin panel so that it can withstand brute-force attacks if any occur. 2FA may not be the most convenient mechanism from the user's perspective, but the extra security layer is worth the trouble.
Benefits of Magento 2 Factor Authentication
Magento 2 two-factor authentication is quite easy to set up and launch. That doesn't diminish its importance or the benefits it offers in the long term.
Additional security layer
One of the key benefits of two-factor authentication is the extra security layer it adds. This way, a username and a password are not enough to access the admin panel. Users have to take one more step to authenticate.
Thus, even if the password is somehow leaked, the malicious parties won't be able to get to the admin panel straightaway. 2FA will be there to stop them.
Cost-effective implementation
Magento offers two-factor authentication functionality out of the box, so you don't have to pay extra to have it up and running. It also integrates with several authentication providers, both paid and free ones.
Correspondingly, you can choose the option that best fits your budget. The free services proved to be no less effective than the paid ones. So, you can set up 2FA without having to pay extra at all.
Customer and order data protection
Your admin panel stores lots of sensitive data, including customer personal information, orders, and payment details. It's your duty to keep that data safe and ensure it doesn't get leaked.
Magento two factor authentication contributes to the task and creates a safer environment for your customers.
Security standard compliance
As a merchant, you have to comply with the security measures developed for eCommerce stores, as well as other regulations that involve customer data protection.
Besides, there may be additional company-level security requirements that apply to your business specifically.
As you might have guessed, Magento 2FA is one of the most common ways to comply with the regulations. The technology it uses fits into the security protocols and helps you make your store a safer place.
How to Set Up 2FA in Magento 2?
In Magento 2.4.x, two-factor authentication is enabled by default. So, all you have to do is complete the general settings and configure the selected authentication apps.
Magento integrates Google Authenticator, Duo Security, Authy, and U2F. The tools differ in pricing, implementation, and the authentication methods they offer. Just select the most convenient option for your store.
| App | Price | Authentication method |
|---|---|---|
| Google Authenticator | Free | One-time access codes |
| Duo Security | Per-user tiers starting at $3 per user/month | Push notifications, SMS, one-time access codes, etc. |
| Authy | Free | One-time access codes, voice call, SMS, etc. |
| U2F | Paid, depends on the device and provider | Hardware devices, e.g., YubiKey |
Let's now review the settings you have to complete.
General settings
To set up Magento 2 two factor authentication, navigate to Stores > Configuration > Advanced > Security > 2FA and start with the general section:
1. Select the Providers to use for 2FA. You can select multiple providers here.
2. Set the Configuration Email URL for Web API if relevant.
3. Specify the number of Retry attempts for Two-Factor Authentication. The user will be temporarily locked out after the defined number of failed authentication attempts.
4. Enter the Two-Factor Authentication lockout time to define how long a user should wait before reattempting to log in.
At this point, you can save the settings and navigate to the corresponding authentication provider sections.
Google Authenticator
Google Authenticator is a default authentication provider in Magento 2. Thus, the only field you need to fill out in its settings is the OTP Window.
It defines how long the one-time code is valid, and is 29 seconds by default. You can change the value if needed, just note that it has to be less than 30 seconds.
Duo Security
For the Duo Security configuration, you first need to register an account and acquire access to your admin dashboard. Then, grab the necessary details and specify the Integration key, Secret key, and API hostname.
Authy
Similarly, you'd first need to create an account with Authy to set it up for your Magento website. Then, enter your API key and the OneTouch Message that will be displayed on the admin login page. That's pretty much it.
U2F
If you would like to integrate the U2F key as an authentication provider, you will first need to get the physical key itself. It may be a YubiKey or any other key your admins will use for 2FA.
Then, in the settings, you can specify the WebAPI Challenge Domain if you'd like to use a custom domain for the authentication. By default, your store domain is used for this purpose.
Magento 2 Factor Authentication Workflow
Once the Magento two-factor authentication settings are completed, your admin panel users will be required to complete the initial 2FA setup before they can proceed.
During the initial setup, each admin user is asked to set up 2FA for their account. Let's use Google Authenticator as an example to see the workflow.
To begin with, the admins need to install the Google Authenticator app on their phones. Then, upon login, they need to scan the QR code using the Authenticator app. This adds a new entry to the app on their mobile device.
Now that they have the 6-digit code in front of them, the only thing left is to enter it in the Authenticator code field and press Confirm.
For all further logins, admin users will only need to enter the code since the authentication provider is already configured for them.
The setup steps differ depending on the authentication provider you choose. You may find more details in the corresponding provider's documentation.
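As an added illustration (not Magento's own code), here is what the Authenticator enrolment and code check described above, together with the Retry attempts and lockout time settings from the general section, amount to in Python: the otpauth URI the QR code carries, RFC 4226/6238 code derivation, verification that tolerates a small clock-drift window, and a lockout counter. The issuer label "Magento", the user name "admin", and the `window` measured in 30-second steps are this example's own assumptions, not the exact semantics of Magento's OTP Window field.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP = 30  # seconds per time step, the period Google Authenticator uses

def otpauth_uri(secret: str, user: str, issuer: str = "Magento") -> str:
    """Key URI the Authenticator app parses from the enrolment QR code (base32 secret)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={secret}&issuer={quote(issuer)}&digits=6&period={STEP}")

def hotp(secret: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: str, code: str, now: int, window: int = 1) -> bool:
    """RFC 6238: accept the current 30 s step plus `window` steps either side
    (clock drift), comparing in constant time so timing leaks nothing."""
    step = now // STEP
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))

class LockoutGuard:
    """Counterpart of the 'Retry attempts' and 'lockout time' settings: after
    `attempts` consecutive failures the user is refused for `lockout` seconds."""

    def __init__(self, attempts: int = 5, lockout: int = 600):
        self.attempts, self.lockout, self.state = attempts, lockout, {}

    def check(self, user: str, secret: str, code: str, now: int) -> str:
        failures, locked_until = self.state.get(user, (0, 0))
        if now < locked_until:
            return "locked"            # still inside the lockout period
        if verify_totp(secret, code, now):
            self.state[user] = (0, 0)  # success clears the failure counter
            return "ok"
        failures += 1
        if failures >= self.attempts:
            self.state[user] = (0, now + self.lockout)
            return "locked"
        self.state[user] = (failures, 0)
        return "denied"
```

The assertions below use the RFC 4226 test key "12345678901234567890" (base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`), so the expected codes can be checked against the RFC's own vectors.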
How to Manage Magento Two Factor Authentication?
Magento two-factor authentication is undoubtedly a must for ensuring a safe and secure environment. So, besides enabling 2FA, you should also know how to manage it effectively using the tools Magento provides out of the box.
That's exactly what we'll explore in the following chapters.
Reset authentication providers
2FA may not always work as expected. Sometimes admins can't log in due to two-factor authentication inconsistencies.
Usually, clearing the browser cache and cookies helps to fix the issue. However, in some cases, you may need to reset the authentication providers. For that:
1. Go to System > Permissions > All Users and open the user you need to reset 2FA for.
2. Specify your password in the Current User Identity Verification section and navigate to the 2FA tab.
3. Press the Reset button under the Configuration reset section and save the user.
This resets the Google Authenticator provider for that user, so the admin will need to repeat the initial setup at their next login.
In case you've set up different providers, you'd need to verify the reset functionality in the corresponding documentation.
Disable Magento 2FA
In some cases, Magento two factor authentication is not strictly required, like for development stores. They are used for implementing new features before pushing them to a live website, and don't work with the "live" data.
Thus, you can disable Magento 2FA in this case to simplify the development and testing. To disable 2FA in Magento 2, execute the following CLI command:
php bin/magento module:disable Magento_TwoFactorAuth
You can also disable two-factor authentication for specific users, but this will require a more complex approach.
To turn the Magento 2FA back on, run:
php bin/magento module:enable Magento_TwoFactorAuth
Important! We strongly recommend that you do not disable the Magento 2 factor authentication unless you absolutely have to. Always make sure to re-enable 2FA in the production environment if you've previously disabled it.
Magento 2FA Optimization Tips
We've already covered what Magento 2FA is, how to set up different authentication providers, and how to manage 2FA in Magento 2. But there's more.
Here are some tips on how to optimise two-factor authentication for the ultimate results.
Don't neglect a strong password
Although Magento two-factor authentication creates an additional security layer, don't neglect the password. The stronger the password, the lower the chances of somebody cracking it.
So, don't ignore the good-old password security tips, and create a password that is difficult to crack.
Create a recovery plan
As mentioned earlier, two-factor authentication may not always let admins log in as expected. Regardless of whether the issue is on the Magento side or on the authentication provider's side, it still disrupts the workflow.
You should have a recovery plan ready for such cases. The options vary from disabling 2FA temporarily to using backup accounts. The latter may have limited permissions, but still allow admins to perform customer- and order-related tasks.
The final plan depends on the specifics of your environment and resources at hand. What's important is that you have such a plan ready.
Perform regular security checks
Though Magento 2FA significantly boosts your store's security, it cannot protect you from all possible threats. Thus, it's strongly recommended to run regular security audits and keep your store in check.
The can help you do exactly that. It scans your website regularly and provides detailed reports on suspicious activity, malware injections, harmful files, and more.
It also detects if 2FA is disabled, so you will always remember to keep it on.
Example of the security reports
By enabling Magento two-factor authentication, you level up your security and create a barrier against brute-force attacks on your admin panel.
But Magento security is not something you can take care of once and forget. It is a continuous process of keeping your environment, customers, and data safe and protected.
To disable two-factor authentication in Magento 2, run the following CLI command:
php bin/magento module:disable Magento_TwoFactorAuth
Be cautious when disabling 2FA, and never do it in the production environment unless you absolutely have to.