Two-Factor Authentication
Magento Two-Factor Authentication (2FA) improves security by requiring two-step authentication to access the Admin UI from all devices. The extension supports multiple authenticators including Google Authenticator, Authy, Duo, and U2F keys. It applies to Admin UI users only; it does not apply to storefront customer accounts.
Two-Factor Authentication gives you the ability to:
- Enable authenticator support for the Admin.
- Manage and configure authenticator settings globally or per user account.
- Reset authenticators and manage trusted devices for users.
At this time, Two-Factor Authentication can be installed only from the command line.
Install 2FA
The 2FA extension installs when you install or upgrade to Magento Open Source or Adobe Commerce 2.3.X. This extensions installs like a Core Bundled Extension (CBE).
Configure and manage 2FA
See the User Guide to configure 2FA settings and manage user authenticators.
Administrators have options to:
- Review existing authenticators configured per user account
- Require specific authenticators
- Reset or remove authenticators to resolve access issues
- Revoke access for devices to resolve access issues
Install authenticator
After enabling and configuring 2FA for your Magento instance, Admin users need to install and configure an authenticator. For complete instructions, see Using Two-Factor Authentication.
Supported authenticators
Provider | Authentication Type | <provider> |
---|---|---|
Google Authenticator | Generate and enter code from mobile app Requirements: Enable in Admin | google |
Authy | SMS, call, token, and one touch Requirements: Enable in Admin and API keys |
authy |
U2F Keys | Physical device to authenticate, like YubiKey. Requirements: Enable in Admin |
u2fkey |
Duo Security | SMS and push notification. Requirements: Enable in Admin, Integration and Secret keys, API hostname |
duo |
Troubleshooting
The extension supports command line options for disabling, revoking, and resetting authenticators. Use these commands when you cannot access the Admin UI.
List all available 2FA providers
If you need to know all the available 2FA providers, enter the following command.
1
bin/magento msp:security:tfa:providers
Disable authenticator
If you have issues with 2FA, you can disable 2FA globally for the Magento instance.
1
bin/magento msp:security:tfa:disable
Reset authenticator per account
If you need to manually reset a single user configuration, enter the following command. It restarts configuration and 2FA subscription for the user account.
1
bin/magento msp:security:tfa:reset <username> <provider>
For example:
1
bin/magento msp:security:tfa:reset admin google
1
bin/magento msp:security:tfa:reset admin u2fkey
Advanced emergency steps
These advanced steps require a full understanding of database management and modifications. We advise caution when making any changes directly to your database.
In your database, you can modify the following tables and values to affect and override 2FA.
Table: core_config_data
msp/twofactorauth/enabled
- Set to zero to disable 2FA globally.msp/twofactorauth/force_providers
- Delete this entry to remove forced providers option.
Table: msp_tfa_user_config
- Delete one user row to reset the user’s 2FA preference and configuration.