The Magento Admin is protected by multiple layers of security measures to prevent unauthorized access to your store, order, and customer data. The first time you sign in to the Admin, you are required to enter your username and password and to set up two-factor authentication (2FA).
Depending on the configuration of your store, you might also be required to resolve a CAPTCHA challenge such as entering a series of keyboard characters, solving a puzzle, or clicking a series of images with a common theme. These tests are designed to identify you as human, rather than an automated bot.
For additional security, you can determine which parts of the Admin each user has permission to access, and also limit the number of login attempts. By default, after six attempts the account is locked, and the user must wait a few minutes before trying again. Locked accounts can also be reset from the Admin.
The first time you sign in to the Admin, you are given the opportunity to Allow admin usage data collection. See Store Admin for more information.
Admin Sign In
Step 1: Set up two-factor authentication
Before you can sign in to the Admin of your store, you must have a two-factor authentication solution set up and ready to use. To learn more about the authentication process used by each solution, see Using Two-Factor Authentication. By default, Magento supports Google Authenticator.
Ask your Magento system administrator which 2FA solutions are supported for the store. Then, complete the setup of your preferred 2FA solution according to the provider’s instructions.
Step 2: Sign in to the Admin
Enter the Admin URL that was specified during the Magento installation.
The default Admin URL looks something like
Although we use admin as the base URL in most examples, we recommend that you choose a unique and hard-to-guess custom URL for the Admin of your store.
You can bookmark the page or save a shortcut on your desktop for easy access.
Enter your Admin Username and Password.
Click Sign in.
If this is the first time you have signed in to the Admin from this account, you will receive an email with a link to configuration instructions.
Step 3: Complete the 2FA configuration
The following example shows how to pair your Admin account with Google Authenticator.
When the QR code appears, use one of the following methods to capture the code and pair Google Authenticator with your Admin account.
Set Up Google Authenticator
Capture QR Code using a smart phone
On your smart phone, launch Google Authenticator. Tap the plus sign (+) in the upper-right corner of the app. Then at the bottom of the screen, tap Scan Barcode and take a picture of the QR code.
Capture QR Code from browser
If Google Authenticator is installed as an extension in your browser, click the Authenticator icon in the toolbar and capture the page.
Manually enter QR code
Copy the string of text below the QR code. Launch Google Authenticator with either your smart phone or browser, and click the plus sign (+). Then, choose Manual Entry. Under Account, enter the email address that is associated with your Admin account and paste the QR code string into the Key field.
To sign in to the Admin with two-factor authentication, enter the six-digit code generated by Google Authenticator into the Authenticator code field, and click Confirm.
Enter Authenticator Code
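The following added example (not Magento code) shows how the key entered under Manual Entry becomes the six-digit code, and why that key must be protected like a password: anyone who holds it can generate valid codes. It assumes the standard Google Authenticator parameters (RFC 6238 TOTP, HMAC-SHA1, 30-second step, six digits); the one-step drift window in `verify` and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def normalize_key(key_text):
    """Decode a hand-typed Base32 key (spaces, lowercase, missing padding)."""
    cleaned = key_text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped '=' padding
    return base64.b32decode(cleaned)


def totp(key_text, at=None, step=30, digits=6):
    """Return the RFC 6238 code for the time step that contains `at`."""
    at = time.time() if at is None else at
    counter = struct.pack(">Q", max(int(at) // step, 0))
    mac = hmac.new(normalize_key(key_text), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key_text, submitted, at=None, step=30, window=1):
    """Accept the current code or one from `window` steps either side."""
    at = time.time() if at is None else at
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(key_text, at + drift * step, step)
        # Constant-time comparison; every candidate is checked before returning.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


# Constructed sample key: Base32 of the RFC 6238 test seed, not a real account key.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("key:", SAMPLE_KEY)
    print("code at t=59:", totp(SAMPLE_KEY, at=59))
    print("one step late accepted:", verify(SAMPLE_KEY, "287082", at=89))
    print("two steps late accepted:", verify(SAMPLE_KEY, "287082", at=119))
```

Because the code depends only on the key and the clock, a phone whose time has drifted by more than the accepted window produces codes that are rejected even though the pairing is correct.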
Reset your password
Enter the Email Address that is associated with the Admin account.
Click Retrieve Password.
If an account is associated with the email address, an email will be sent to reset your password.
An Admin password must be seven or more characters long and include both letters and numbers. See Configuring Admin Security for information about password options.
Sign out of the Admin
In the upper-right corner, click the Account icon.
Click Sign Out.
The Sign In page displays a message that you are logged out. We recommend you sign out of the Admin any time you leave your computer unattended.