Adobe Commerce 2.3 reached end of support in September 2022.

Two-Factor Authentication

Magento Two-Factor Authentication (2FA) improves security by requiring two-step authentication to access the Admin UI from all devices. The extension supports multiple authenticators including Google Authenticator, Authy, Duo, and U2F keys. It applies to Admin UI users only; it does not apply to storefront customer accounts.

Two-Factor Authentication gives you the ability to:

  • Enable authenticator support for the Admin.
  • Manage and configure authenticator settings globally or per user account.
  • Reset authenticators and manage trusted devices for users.

At this time, Two-Factor Authentication can be installed only from the command line.

Install 2FA

The 2FA extension installs when you install or upgrade to Magento Open Source or Adobe Commerce 2.3.X. This extension installs like a Core Bundled Extension (CBE).

Configure and manage 2FA

See the User Guide to configure 2FA settings and manage user authenticators.

Administrators have options to:

  • Review existing authenticators configured per user account
  • Require specific authenticators
  • Reset or remove authenticators to resolve access issues
  • Revoke access for devices to resolve access issues

Install authenticator

After enabling and configuring 2FA for your Magento instance, Admin users need to install and configure an authenticator. For complete instructions, see Using Two-Factor Authentication.

Supported authenticators

Provider | Authentication Type | <provider>
--- | --- | ---
Google Authenticator | Generate and enter code from mobile app. Requirements: Enable in Admin | google
Authy | SMS, call, token, and one touch. Requirements: Enable in Admin and API keys | authy
U2F Keys | Physical device to authenticate, like YubiKey. Requirements: Enable in Admin | u2fkey
Duo Security | SMS and push notification. Requirements: Enable in Admin, Integration and Secret keys, API hostname | duo

Troubleshooting

The extension supports command line options for disabling, revoking, and resetting authenticators. Use these commands when you cannot access the Admin UI.

List all available 2FA providers

If you need to know all the available 2FA providers, enter the following command.

bin/magento msp:security:tfa:providers

Disable authenticator

If you have issues with 2FA, you can disable 2FA globally for the Magento instance.

bin/magento msp:security:tfa:disable

Reset authenticator per account

If you need to manually reset a single user configuration, enter the following command. It restarts configuration and 2FA subscription for the user account.

bin/magento msp:security:tfa:reset <username> <provider>

For example:

bin/magento msp:security:tfa:reset admin google
bin/magento msp:security:tfa:reset admin u2fkey

Advanced emergency steps

These advanced steps require a full understanding of database management and modifications. We advise caution when making any changes directly to your database.

In your database, you can modify the following tables and values to affect and override 2FA.

Table: core_config_data

  • msp/twofactorauth/enabled - Set to zero to disable 2FA globally.
  • msp/twofactorauth/force_providers - Delete this entry to remove forced providers option.

Table: msp_tfa_user_config

  • Delete one user row to reset the user’s 2FA preference and configuration.
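
The emergency steps above written out as SQL, narrowest change first, with the current state recorded beforehand and enforcement restored afterwards. This is an added example, not part of the Magento documentation. It assumes MySQL or MariaDB, no table prefix, a user_id column on msp_tfa_user_config, and uses 'admin' as a placeholder username.

```sql
-- Added example. Assumption: msp_tfa_user_config links to admin_user through
-- a user_id column; confirm the schema before running anything else.
DESCRIBE msp_tfa_user_config;

-- 1. Record the current 2FA settings so they can be restored afterwards.
SELECT config_id, scope, scope_id, path, value
FROM core_config_data
WHERE path IN ('msp/twofactorauth/enabled',
               'msp/twofactorauth/force_providers');

-- 2. Narrowest fix: reset only the locked-out account ('admin' is a placeholder).
START TRANSACTION;
DELETE c
FROM msp_tfa_user_config AS c
JOIN admin_user AS u ON u.user_id = c.user_id
WHERE u.username = 'admin';
SELECT ROW_COUNT() AS rows_deleted;  -- expect 1; otherwise ROLLBACK instead
COMMIT;

-- 3. Broader fix: disable 2FA globally and drop the forced-providers entry.
--    The 'enabled' row may not exist yet, so insert-or-update on the
--    (scope, scope_id, path) unique key rather than a plain UPDATE.
INSERT INTO core_config_data (scope, scope_id, path, value)
VALUES ('default', 0, 'msp/twofactorauth/enabled', '0')
ON DUPLICATE KEY UPDATE value = '0';
DELETE FROM core_config_data WHERE path = 'msp/twofactorauth/force_providers';

-- 4. Once Admin access is back: re-enable 2FA and list which active Admin
--    accounts still have no 2FA configuration row.
UPDATE core_config_data SET value = '1' WHERE path = 'msp/twofactorauth/enabled';
SELECT u.username, c.user_id IS NOT NULL AS has_2fa_config
FROM admin_user AS u
LEFT JOIN msp_tfa_user_config AS c ON c.user_id = u.user_id
WHERE u.is_active = 1;
```

Changes to core_config_data are read through the configuration cache, so run bin/magento cache:clean config after steps 3 and 4. If step 3 removed a force_providers entry, restore it from the values recorded in step 1.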