Two-Factor Authentication

The Magento Admin provides all access to your store, orders, and customer data. To further increase the security of your Magento instance, Magento Two-Factor Authentication (2FA) adds support for two-step authentication with multiple providers. When enabled, users attempting to access the Admin must complete a second step to verify their account. All features and requirements apply only to Admin user accounts; they do not extend to customer accounts.

Step 1: Enable 2FA and Supported Providers

  1. On the Admin sidebar, click Stores.

  2. Under Settings, choose Configuration.

  3. In the panel on the left under Security, choose 2FA.

    Enable 2FA for the Admin

  4. Expand the General section, if necessary. Then, set Enable Two Factor Auth to Yes.

  5. (Optional) For Force Providers, select the authenticators you require for all users. To allow users to select their own authenticator, do not select an option.

  6. Enable and configure each authentication provider that you support and then click Save Config. Each enabled authenticator becomes a supported option for user accounts.

Google Authenticator

  1. Enable this provider—Set to Yes.

  2. (Optional) Enable “trust this device” option—Set to one of the following:

    • Yes—The user does not have to enter their authenticator code for every login per device.
    • No—Forces authentication for every login.

    Google Authenticator

U2F Devices (Yubikey and others)

  1. Enable this provider—Set to Yes.

  2. (Optional) Enable “trust this device” option—Set to one of the following:

    • Yes—The user does not have to enter their authenticator code for every login per device.
    • No—Forces authentication for every login.

    U2F Devices

Duo Security

  1. Enable this provider—Set to Yes.

  2. (Optional) Enable “trust this device” option—Set to one of the following:

    • Yes—The user does not have to enter their authenticator code for every login per device.
    • No—Forces authentication for every login.

  3. Enter the following keys for your account:

    • Integration key
    • Secret key

  4. Enter the API hostname.

    Duo Security

Authy

  1. Enable this provider—Set to Yes.

  2. Enter the API key for your Authy account.

  3. (Optional) Enable “trust this device” option—Set to one of the following:

    • Yes—The user does not have to enter their authenticator code for every login per device.
    • No—Forces authentication for every login.

  4. (Optional) To change the OneTouch Message, clear the Use system value checkbox. Then, enter the message that you want to use.

    Authy

Step 2: Configure Required Authenticator Provider

You must choose at least one supported authenticator per user account, or force an authenticator globally for all accounts. We recommend setting or forcing only one authenticator for the Magento Admin. If you select multiple authenticators, the user must input tokens for all selections.

  • Set required authenticators per user account—Supports multiple types of authenticators and allows you to set an authenticator per account depending on user or office needs.
  • Force global authenticator for all accounts—Strictly requires all Magento Admin users to access using the selected authenticator(s).

Set required authenticators per user account:

With one or more authenticators enabled for the Magento Admin, you can require one or more authenticators per Admin user account. For this option, keep Use system value checked for Force providers and enable/configure supported authenticator providers.

We recommend only enabling one authenticator per account. If you require multiple authenticators, the user must authenticate with each one. For example, if you select Google and U2F, the user must access with a Google Authenticator code and connect a U2F device.

  1. On the Admin sidebar, click Stores.

  2. Under Settings, choose All Users.

  3. Do one of the following:

    • Select and edit a user from the list.
    • Add a new user account.
  4. In the sidebar under 2FA section, mark the checkbox of the authenticator that you want to require for the user account. The list includes all enabled and configured authenticator providers.

  5. When complete, click Save User.

    Enable 2FA for User

Force global authenticator for all accounts:

This option requires all Admin users to configure and use all forced authenticators to access the Magento Admin. We recommend that you assign one authenticator to be forced.

  1. On the Admin sidebar, click Stores.

  2. Under Settings, choose Configuration.

  3. In the panel on the left under Security, choose 2FA. Then, do the following:

    • In the General section, clear the Use system value checkbox for Force providers.

    • Select one or more authenticators.

  4. When complete, click Save Config.

    Force providers for all user accounts