After July 2021, the 2.3.x release line no longer received quality updates or user guide updates. PHP 7.3 reached end of support in December 2021, and Adobe Commerce 2.3.x reached end of support in September 2022. We strongly recommend upgrading to Adobe Commerce 2.4.x to help maintain PCI compliance.

Securing Your Magento Account

This site contains archived merchant documentation for a version of Adobe Commerce and Magento Open Source that has reached end-of-support. The documentation available here is intended for historical reference only and is not maintained. The Adobe Commerce Merchant Documentation for current releases is published on the Adobe Experience League.

Two-factor Authentication (TFA or 2FA) is an added layer of security to better protect your Magento.com account from unauthorized users who might want to use your account in ways you do not want. TFA achieves this by requiring a second factor (beyond your standard username and password combination) in order to complete the login process. This second factor takes the form of special, temporary verification codes that are continuously generated by a TFA application (on your mobile phone, for example) that is synced to your Magento.com user account. With TFA enabled, an unauthorized user must have your username and password combination (first factor) as well as access to the TFA application on your personal device (second factor) in order to log in to your Magento.com account — much more difficult and, therefore, more secure.

Before you begin

In order to use TFA, you must have a TFA application installed on your personal device (such as your smartphone, tablet, computer). There are many available, but some popular free options include:

  • Google Authenticator (iOS, Android, Blackberry)

  • Authy (iOS, Android)

  • Microsoft Authenticator (iOS, Android, Windows Phone)

Enable two-factor authentication

  1. Go to the Commerce account login: https://account.magento.com/customer/account/login

  2. Enter your username and password combination, and then click Login to log into My Account.

    Account log in

  3. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    Enable TFA

  4. Click Enable to begin the two-factor authentication setup process.

  5. Re-enter your Password and click Verify Password to continue.

    Verify password

  6. Open the two-factor authentication application you downloaded and installed on your personal device.

  7. Enter the Setup Code into your two-factor authentication application.

    You can either scan the QR code using the TFA application or manually enter the code into your TFA application. This will sync your TFA application with your Magento.com account and allow your TFA application to generate verification codes that Magento.com will accept.

    Verification Codes are constantly expiring and re-generated by your TFA application for security purposes, so always use the one that is currently displayed.

  8. With your two-factor authentication application now synced to your Magento.com account, enter the Verification Code displayed in your two-factor authentication application and click Verify Code to continue.

    Setup 2FA app

  9. Save the Recovery Codes presented in a safe and accessible place.

    In the event that you cannot provide a Verification Code to log into your Magento.com account (due a variety of reasons like uninstalling your two-factor authentication application, performing a factory reset on your personal device, losing your personal device, forgetting the password to your personal device, etc.), using a Recovery Code is the only way to regain access to your Magento.com account.

    Each Recovery Code is one-time use only, so do not try to re-use a Recovery Code you have already used previously (but you can always generate more—see the following for details). Recovery Codes are case-sensitive.

  10. Select the confirmation checkbox and click Submit to continue.

    Store recovery codes

  11. Enter a Recovery Email to help ensure that you can recover access to your account.

    This is needed in the event that you cannot generate a Verification Code from your two-factor authentication application and you do not have access to an unused pre-generated Recovery Code.

    Once every 24 hours, you will be able to generate and send a temporary Recovery Code to your designated Recovery email address that you can use to regain access to your account.

    It is imperative that you maintain access to the email account of your Recovery Email; otherwise, you will not be able to access any temporary Recovery Codes sent to that account.

    Set recovery email

  12. Select the confirmation checkbox and click Submit to complete the two-factor authentication setup process.

    • An email notification will be sent to the email address associated with your Magento.com to confirm that you have successfully enabled two-factor authentication.

    • An email notification will be sent to the Recovery Email you designated to confirm that particular email address is on file as your Recovery Email for receiving a temporary Recovery Code.

Log in using a verification code

  1. Go to the Magento account login: https://account.magento.com/customer/account/login

  2. Enter your username and password combination, and then click Login to log into My Account.

    Account log in

  3. Enter the Verification Code displayed in your two-factor authentication application when prompted.

    Enter verification code

  4. Click Submit to complete the login process.

Log in using a recovery code

  1. Go to the Magento account login: https://account.magento.com/customer/account/login

  2. Enter your username and password combination, and then click Login to log into My Account.

    Account log in

  3. Click Use recovery code to bypass the verification code prompt.

    Enter verification code

  4. Enter an unused Recovery Code when prompted.

    Enter recovery code

  5. Click Submit to complete the login process.

Log in using your recovery email

  1. Log in to your Magento.com account at https://account.magento.com/customer/account/login.

  2. Enter your username and password combination, and then click Login to log into My Account.

    Account log in

  3. Click Use recovery code to bypass the verification code prompt.

    Use recovery code

  4. Click the recovery email link to have a temporary Recovery Code sent to the Recovery Email address on file for your Magento.com account.

    Use recovery email

  5. Access the email account of your Recovery Email to retrieve the temporary Recovery Code and enter it into the designated fields.

  6. Click Submit to complete the login process.

    • Because the Recovery Email capability is only available once every 24 hours, it is strongly recommended that you generate new Recovery Codes and securely store them to avoid any future issues with accessing your Magento.com account.

    • It is also strongly recommended that you change your two-factor authentication application (if you have a device available) to able to generate Verification Codes again and use them to access your Magento.com account.

View your recovery codes

  1. Go to the Magento account login: https://account.magento.com/customer/account/login

  2. Enter your username and password combination, and then click Login to log into My Account.

    Account log in

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    2FA settings

  5. Click View Recovery Codes to view your pre-generated Recovery Codes.

  6. Re-enter your Password and click Verify Password to continue.

    Verify password

  7. Save the Recovery Codes presented in a safe and accessible place.

    In the event that you cannot provide a Verification Code to log into your Magento.com account (due a variety of reasons like uninstalling your two-factor authentication application, performing a factory reset on your personal device, losing your personal device, forgetting the password to your personal device, etc.), using a Recovery Code is the only way to regain access to your Magento.com account.

    Each Recovery Code is one-time use only, so do not try to re-use a Recovery Code you have already used previously (but you can always generate more—see the following for details). Recovery Codes are case-sensitive.

    View recovery codes

  8. Select the confirmation checkbox and click Submit to close the dialog.

Generate new recovery codes

  1. Go to the Magento account login: https://account.magento.com/customer/account/login

  2. Enter your username and password combination, and then click Login to log into My Account.

    Account log in

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    TFA settings

  5. Click Generate New Recovery Codes to generate new pre-generated Recovery Codes.

  6. Re-enter your Password and click Verify Password to continue.

    Verify password

  7. Save the Recovery Codes presented in a safe and accessible place.

    In the event that you cannot provide a Verification Code to log into your Magento.com account (due a variety of reasons like uninstalling your two-factor authentication application, performing a factory reset on your personal device, losing your personal device, forgetting the password to your personal device, etc.), using a Recovery Code is the only way to regain access to your Magento.com account.

    All previously generated Recovery Codes are now rendered invalid and should be discarded (only the current set of generated Recovery Codes will work). Recovery Codes are case-sensitive.

    Generate recovery codes

  8. Select the confirmation checkbox and click Submit to close the dialog.

Change your recovery email

  1. Go to the Magento account login: https://account.magento.com/customer/account/login

  2. Enter your username and password combination, and then click Login to log into My Account.

    Account log in

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    TFA settings

  5. Click Change Recovery Email to change the Recovery Email on file for your account.

  6. Re-enter your Password and click Verify Password to continue.

    Verify password

  7. Enter a Recovery Email to help ensure that you can recover access to your account.

    This is needed in the event that you cannot generate a Verification Code from your two-factor authentication application and you do not have access to an unused pre-generated Recovery Code.

    Once every 24 hours, you will be able to generate and send a temporary Recovery Code to your designated Recovery email address that you can use to regain access to your account.

    It is imperative that you maintain access to the email account of your Recovery Email; otherwise, you will not be able to access any temporary Recovery Codes sent to that account.

    Set recovery email

  8. Select the confirmation checkbox and click Submit to close the dialog.

    This sends an email notification to the Recovery Email you designated to confirm that particular email address is on file as your Recovery Email for receiving temporary Recovery Codes.

Change your two-factor authentication application

  1. Go to the Magento account login: https://account.magento.com/customer/account/login

  2. Enter your username and password combination, and then click Login to log into My Account.

    Account log in

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    TFA settings

  5. Click Change TFA Application to use a different TFA application with your Magento.com account.

  6. Re-enter your Password and click Verify Password to continue.

    Verify password

  7. Open the two-factor authentication application you downloaded and installed on your personal device.

  8. Enter the Setup Code into your two-factor authentication application.

    You can either scan the QR code using the two-factor authentication application or manually enter the code into your two-factor authentication application. This will sync your two-factor authentication application with your Magento.com account and allow your two-factor authentication application to generate verification codes that Magento.com will accept.

    Verification Codes are constantly expiring and re-generated by your two-factor authentication application for security purposes, so always use the one that is currently displayed.

  9. With your TFA application now synced to your Magento.com account, enter the Verification Code displayed in your TFA application and click Verify Code to continue.

    Setup TFA app

  10. Save the Recovery Codes presented in a safe and accessible place.

    In the event that you cannot provide a Verification Code to log into your Magento.com account (due a variety of reasons like uninstalling your two-factor authentication application, performing a factory reset on your personal device, losing your personal device, forgetting the password to your personal device, etc.), using a Recovery Code is the only way to regain access to your Magento.com account.

    Each Recovery Code is one-time use only, so do not try to re-use a Recovery Code you have already used previously (but you can always generate more—see the previous for details). Recovery Codes are case-sensitive.

  11. Select the checkbox to confirm and click Submit to continue.

    Store recovery codes

  12. Enter a Recovery Email to help ensure that you can recover access to your account.

    This is needed in the event that you cannot generate a Verification Code from your two-factor authentication application and you do not have access to an unused pre-generated Recovery Code.

    Once every 24 hours, you will be able to generate and send a temporary Recovery Code to your designated Recovery email address that you can use to regain access to your account.

    It is imperative that you maintain access to the email account of your Recovery Email; otherwise, you will not be able to access any temporary Recovery Codes sent to that account.

    Set recovery email

  13. Select the confirmation checkbox and click Submit to complete the two-factor authentication setup process.

    An email notification will be sent to the Recovery Email you designated to confirm that particular email address is on file as your Recovery Email for receiving a temporary Recovery Code.

Disable two-factor authentication

  1. Go to the Magento account login: https://account.magento.com/customer/account/login

  2. Enter your username and password combination, and then click Login to log into My Account.

    Account log in

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    TFA settings

  5. Click Disable to begin the TFA deactivation process.

  6. Re-enter your password and click Verify Password to continue.

    Verify password

  7. Select the confirmation checkbox and click Submit to complete the deactivation for two-factor authentication.

    You will also receive an email confirmation indicating that TFA has been disabled on your Magento.com account.

    Disable TFA

© 2024 Adobe. All rights reserved.