The Commerce Admin is protected by multiple layers of security measures to prevent unauthorized access to your store, order, and customer data. The first time you sign in to the Admin, you are required to enter your username and password and to set up two-factor authentication (2FA).
Depending on the configuration of your store, you might also be required to resolve a CAPTCHA challenge such as entering a series of keyboard characters, solving a puzzle, or clicking a series of images with a common theme. These tests are designed to identify you as human, rather than an automated bot.
For additional security, you can determine which parts of the Admin each user has permission to access, and also limit the number of login attempts. By default, after six attempts the account is locked, and the user must wait a few minutes before trying again. Locked accounts can also be reset from the Admin.
The first time you sign in to the Admin, you are given the opportunity to Allow admin usage data collection. See Store Admin for more information.
Admin sign in
Step 1: Set up two-factor authentication
Before you can sign in to the Admin of your store, you must have a two-factor authentication solution set up and ready to use. To learn more about the authentication process used by each solution, see Using Two-Factor Authentication. By default, Commerce supports Google Authenticator.
Ask your Commerce system administrator which 2FA solutions are supported for the store. Then, complete the setup of your preferred 2FA solution according to the provider’s instructions.
Step 2: Sign in to the Admin
Enter the Admin URL that was specified during the Commerce installation.
The default Admin URL looks something like
Although we use admin as the base URL in most examples, we recommend that you choose a unique and hard-to-guess custom URL for the Admin of your store.
You can bookmark the page or save a shortcut on your desktop for easy access.
Enter your Admin Username and Password.
Click Sign in.
If this is the first time you have signed in to the Admin from this account, you will receive an email with a link to configuration instructions.
Step 3: Complete the 2FA configuration
The following example shows how to pair your Admin account with Google Authenticator.
When the QR code appears, use one of the following methods to capture the code and pair Google Authenticator with your Admin account.
Set up Google Authenticator
Capture QR Code using a smart phone
On your smart phone, launch Google Authenticator. Tap the plus sign (+) in the upper-right corner of the app. Then at the bottom of the screen, tap Scan Barcode and take a picture of the QR code.
Capture QR Code from browser
If Google Authenticator is installed as an extension in your browser, click the Authenticator icon in the toolbar and capture the page.
Manually enter QR code
Copy the string of text below the QR code. Launch Google Authenticator with either your smart phone or browser, and click the plus sign (+). Then, choose Manual Entry. Under Account, enter the email address that is associated with your Admin account and paste the QR code string into the Key field.
To sign in to the Admin with two-factor authentication, enter the six-digit code generated by Google Authenticator into the Authenticator code field, and then click Confirm.
Enter the Authenticator code
Reset your password
Reuse of the last four passwords assigned to the account is not allowed.
Enter the Email Address that is associated with the Admin account.
Click Retrieve Password.
If an account is associated with the email address, an email will be sent to reset your password.
An Admin password must be seven or more characters long and include both letters and numbers. See Configuring Admin Security for information about password options.
Sign out of the Admin
In the upper-right corner, click the Account icon.
Click Sign Out.
The Sign In page displays a message that you are logged out. We recommend you sign out of the Admin any time you leave your computer unattended.
Allow multiple Admin logins
The Admin provides access to manage the orders, customers, products, shipping, and payments functionality. The default configuration is set to disallow multiple logins for an Admin user account as a security best practice. However, you can change this setting to allow Admin users to be logged in from multiple devices if that is needed to accommodate your business workflows.
On the Admin sidebar, go to Stores > Settings > Configuration.
Multiple Admin Login
In the left panel, expand Advanced and choose Admin.
Expand the Security section.
For Admin Account Sharing, select
Click Save Config.