Managing Two-Factor Authentication

If a user has issues accessing the Magento Admin with their authenticator, they can attempt to sync or troubleshoot their authenticator. You can also reset the authenticator associated with the account. When reset, the user must reconnect and add the authenticator again when they next access the Admin.

If you have issues accessing the Magento Admin with the authenticators, consider the following:

  • Some mobile apps include options to sync. This option reconnects the app and server, updating in case time settings changed on the device or server.
  • Revoking a device or resetting an authenticator can help users connect.
  • Clearing web cache and cookies for the Magento instance can also help. Authenticators, like Google, use generated cookies to save access and duration. Clear your cookies for your specific browser and Magento instance domain.
  • If you have blocked cookies for your browser, this will block some authenticators, like Google, from completing verification and access. Add a rule to allow cookies for your Magento instance.

To reset authenticators per account:

Resetting an authenticator also revokes all trusted devices tracked by the Admin.

  1. On the Admin sidebar, click System.

  2. Under Permissions, choose All Users.

  3. Select and edit a user from the list or add a new user account.

  4. Click 2FA.

  5. Click the Reset… option for one or more listed authenticators.

    Reset authenticators on an account

To revoke a trusted device:

Some users may have authenticator access issues after syncing or no longer have access to a device with previous access to the Magento Admin. If you have the option enabled to track trusted devices for an authenticator, every device that accesses the Admin has a saved entry.

These entries detect the device and allow log in access without requiring authentication. The entries include the last IP address, the data and time of access, and a description including the type of system (Mac, PC, tablet, etc) and browser with version.

After revoking a listed device, the user must authenticate again if accessing the Admin from it.

  1. On the Admin sidebar, click System.

  2. Under Permissions, choose All Users.

  3. Do one of the following:

    • Select and edit a user from the list.
    • Add a new user account.
  4. Click 2FA.

  5. In the Trusted devices grid, locate a device to remove from the account. Then, click Revoke.

    If the user accesses the Admin from this device again, they must authenticate regardless of any cookies with active duration.

    _ Revoke a trusted, authenticated device_

Emergency CLI commands

Use the following commands if you lose access to the Admin.

To disable 2FA:

If you have issues with 2FA, you can disable the module from command-line. This disables 2FA globally.

php bin/magento msp:security:tfa:disable

To reset authenticator per account:

If you need to manually reset a single user configuration, enter the following from the command-line. The command restarts configuration and 2FA subscription for the user account.

Reset Authenticator per Account:

php bin/magento msp:security:tfa:reset <username> <provider>

Examples

Reset Google Authenticator:

php bin/magento msp:security:tfa:reset admin google

Reset U2F Device:

php bin/magento msp:security:tfa:reset admin u2fkey

Reset Authy:

php bin/magento msp:security:tfa:reset admin authy

Advanced Emergency Steps

Do not attempt modifying any database information without full understanding of modifications and database management. This is an advanced procedure.

In your database, you can modify the following tables and values to affect and override 2FA. We advise caution when making any changes directly to your database.

core_config_data

msp/twofactorauth/enabled Set to zero to disable 2FA globally.
msp/twofactorauth/force_providers Delete this entry to remove forced providers option.

msp_tfa_user_config

Delete one user row to reset the user’s 2FA preference and configuration.