After July 2021, the 2.3.x release line no longer received quality updates or user guide updates. PHP 7.3 reached end of support in December 2021, and Adobe Commerce 2.3.x reached end of support in September 2022. We strongly recommend upgrading to Adobe Commerce 2.4.x to help maintain PCI compliance.

Two-Factor Authentication

This site contains archived merchant documentation for a version of Adobe Commerce and Magento Open Source that has reached end-of-support. The documentation available here is intended for historical reference only and is not maintained. The Adobe Commerce Merchant Documentation for current releases is published on the Adobe Experience League.

The Magento Admin provides all access to your store, orders, and customer data. To further increase the security of your Magento instance, Magento Two-Factor Authentication (2FA) adds support for two-step authentication with multiple providers. When enabled, users attempting to access the Admin must complete a second step to verify their account. All 2FA features and requirements apply only to Admin user accounts; they are not extended to customer accounts.

Step 1: Enable 2FA and Supported Providers

  1. On the Admin sidebar, go to Stores > Settings > Configuration.

  2. In the left panel, expand Security and choose 2FA.

    Figure: Enable 2FA for the Admin (Security configuration > 2FA)

  3. Expand the General section, if necessary, and set Enable Two Factor Auth to Yes.

  4. (Optional) For Force Providers, select the authenticators you require for all users.

    To allow users to select their own authenticator, do not select an option.

  5. Enable and configure each authentication provider that you support.

  6. When complete, click Save Config.

    Each enabled authenticator becomes a supported option for user accounts.

Google Authenticator

  1. Enable this provider — Set to Yes.

  2. (Optional) Enable “trust this device” option — Set to one of the following:

    • Yes — Once a device is trusted, the user does not have to enter their authenticator code on every login from that device.
    • No — Forces authentication for every login.

    Figure: Google Authenticator (Security configuration > 2FA)

U2F Devices (Yubikey and others)

  1. Enable this provider — Set to Yes.

  2. (Optional) Enable “trust this device” option — Set to one of the following:

    • Yes — Once a device is trusted, the user does not have to enter their authenticator code on every login from that device.
    • No — Forces authentication for every login.

    Figure: U2F Devices (Security configuration > 2FA)

Duo Security

  1. Enable this provider — Set to Yes.

  2. (Optional) Enable “trust this device” option — Set to one of the following:

    • Yes — Once a device is trusted, the user does not have to enter their authenticator code on every login from that device.
    • No — Forces authentication for every login.

  3. Enter the following keys for your account:

    • Integration key
    • Secret key

  4. Enter the API hostname.

    Figure: Duo Security (Security configuration > 2FA)

Authy

  1. Enable this provider — Set to Yes.

  2. Enter the API key for your Authy account.

  3. (Optional) Enable “trust this device” option — Set to one of the following:

    • Yes — Once a device is trusted, the user does not have to enter their authenticator code on every login from that device.
    • No — Forces authentication for every login.

  4. (Optional) To change the OneTouch Message, clear the Use system value checkbox. Then, enter the message that you want to use.

    Figure: Authy (Security configuration > 2FA)

Step 2: Configure Required Authenticator Provider

You must either assign at least one supported authenticator to each user account, or force an authenticator globally for all accounts. We recommend setting or forcing only one authenticator for the Magento Admin. If you select multiple authenticators, the user must enter a token for every selected authenticator at each login.

  • Set required authenticators per user account — Supports multiple types of authenticators and allows you to set an authenticator per account depending on user or office needs.
  • Force global authenticator for all accounts — Strictly requires all Magento Admin users to access using the selected authenticator(s).

Set required authenticators per user account

With one or more authenticators enabled for the Magento Admin, you can require one or more authenticators per Admin user account. For this option, keep Use system value selected for Force providers and enable/configure supported authenticator providers.

We recommend enabling only one authenticator per account. If you require multiple authenticators, the user must authenticate with each one. For example, if you select Google and U2F, the user must sign in with a Google Authenticator code and also connect a U2F device.

  1. On the Admin sidebar, go to Stores > Settings > All Users.

  2. Do one of the following:

    • Select and edit a user from the list.
    • Add a new user account.

  3. In the User Information menu, select 2FA.

  4. On the page, select the checkbox of the authenticator that you want to require for the user account.

    The list includes all enabled and configured authenticator providers.

  5. When complete, click Save User.

    Figure: Enable 2FA for User (User account > 2FA)

Force global authenticator for all accounts

This option requires all Admin users to configure and use all forced authenticators to access the Magento Admin. We recommend that you assign one authenticator to be forced.

  1. On the Admin sidebar, go to Stores > Settings > Configuration.

  2. In the left panel, expand Security and choose 2FA. Then, do the following:

    • In the General section, clear the Use system value checkbox for Force providers.

    • Select one or more authenticators.

  3. When complete, click Save Config.

    Figure: Force providers for all user accounts (Security configuration > 2FA)
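The two steps above describe what a correctly configured Admin 2FA setup looks like: 2FA enabled, at least one provider enabled with its credentials filled in, and either one forced provider or one assigned per user. The script below is an added example, not part of the original documentation or of Magento itself: it audits a dump of these settings in the `path - value` line format that `bin/magento config:show` prints and reports the gaps a reviewer would look for (2FA off, a forced provider that is not enabled, Duo or Authy enabled without their keys, more than one forced provider). The configuration paths under `msp_securitysuite_twofactorauth` are assumptions modelled on the 2.3.x module layout and should be checked against the module's `etc/config.xml`; the two sample dumps are constructed, including the placeholder Duo key.

```python
"""Audit exported Magento Admin 2FA settings (illustrative example).

Config paths are assumptions based on the 2.3.x MSP TwoFactorAuth module
layout; verify them against the module's etc/config.xml before relying on
this script.
"""
from typing import Dict, List

PREFIX = "msp_securitysuite_twofactorauth"          # assumed config path prefix
ENABLED_PATH = f"{PREFIX}/general/enabled"           # "Enable Two Factor Auth"
FORCE_PATH = f"{PREFIX}/general/force_providers"     # "Force providers" (comma list)

# Provider code -> settings that must be non-empty when the provider is enabled.
# Mirrors the Duo keys/hostname and Authy API key that the setup steps ask for.
PROVIDER_REQUIREMENTS: Dict[str, List[str]] = {
    "google": [],
    "u2fkey": [],
    "duo": ["integration_key", "secret_key", "api_hostname"],
    "authy": ["api_key"],
}


def parse_config_show(output: str) -> Dict[str, str]:
    """Parse `bin/magento config:show` style lines of the form `path - value`."""
    config: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or " - " not in line:
            continue
        path, value = line.split(" - ", 1)
        config[path.strip()] = value.strip()
    return config


def audit_2fa(config: Dict[str, str]) -> List[str]:
    """Return a list of ERROR/WARN/INFO findings; an empty list means no issues."""
    findings: List[str] = []
    if config.get(ENABLED_PATH) != "1":
        findings.append("ERROR: Enable Two Factor Auth is not set to Yes")

    # Providers enabled under Stores > Configuration > Security > 2FA
    enabled = [p for p in PROVIDER_REQUIREMENTS
               if config.get(f"{PREFIX}/{p}/enabled") == "1"]
    if not enabled:
        findings.append("ERROR: no authentication provider is enabled")
    for p in enabled:
        for key in PROVIDER_REQUIREMENTS[p]:
            if not config.get(f"{PREFIX}/{p}/{key}"):
                findings.append(f"ERROR: provider '{p}' is enabled but '{key}' is empty")

    # Globally forced providers (empty when "Use system value" is kept)
    forced = [p for p in config.get(FORCE_PATH, "").split(",") if p]
    for p in forced:
        if p not in PROVIDER_REQUIREMENTS:
            findings.append(f"ERROR: forced provider '{p}' is unknown")
        elif p not in enabled:
            findings.append(f"ERROR: forced provider '{p}' is not enabled")
    if len(forced) > 1:
        findings.append("WARN: more than one forced provider; users must pass every one at each login")
    if not forced:
        findings.append("INFO: no forced provider; assign one to each Admin user under All Users > 2FA")
    return findings


# Constructed sample: Duo enabled without its secret key, two providers forced.
WEAK_CONFIG = f"""
{PREFIX}/general/enabled - 1
{PREFIX}/general/force_providers - google,duo
{PREFIX}/google/enabled - 1
{PREFIX}/duo/enabled - 1
{PREFIX}/duo/integration_key - DIXXXXXXXXXXXXXXXXXX
{PREFIX}/duo/api_hostname - api-example.duosecurity.com
"""

# Constructed sample: one provider enabled and forced, as the guide recommends.
GOOD_CONFIG = f"""
{PREFIX}/general/enabled - 1
{PREFIX}/general/force_providers - google
{PREFIX}/google/enabled - 1
{PREFIX}/duo/enabled - 0
"""

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_2fa(parse_config_show(dump)) or ["OK"]:
            print(" ", finding)
```

Run it against a real export by piping `bin/magento config:show` output into `parse_config_show`; every ERROR corresponds to one of the settings in the steps above, and the WARN line flags the multi-provider setup the guide advises against.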