Two-Factor Authentication

The Commerce Admin for your Adobe Commerce or Magento Open Source installation provides access to your store, orders, and customer data. To prevent unauthorized access to your data, all users who attempt to sign in to the Admin must complete an authentication process to verify their identity.

This implementation of two-factor authentication (2FA) applies to the Admin only, and is not available for customer accounts. The two-factor authentication that protects your magento.com account has a separate setup. To learn more, go to Securing Your Account.

Two-factor authentication is widely used, and it is common to generate access codes for different websites on the same app. For example, you might use Google Authenticator to generate codes for the Admin of your store, your magento.com account, Google account, and so on.

Security configuration - 2FA 2FA Codes on Phone

Adobe Commerce supports 2FA methods from multiple providers. Some require the installation of an app that generates a one-time password (OTP) that users enter at sign-in to verify their identity. Universal 2nd Factor (U2F) devices resemble a key fob and generate a unique key to verify identity. Other devices verify identity when they are inserted into a USB port. As the store administrator, you can require one or more of the available 2FA methods to verify user identity. Your 2FA configuration applies to all websites and stores that are associated with the Adobe Commerce installation.

The first time a user signs in to the Admin, they must set up each 2FA method that you require, and verify their identity using the associated app or device. After this initial setup, the user must authenticate with one of the configured methods each time they sign in. Each user’s 2FA information is recorded in their Admin account and can be reset if necessary. To learn more about the sign-in process, go to Admin Sign In.

Configure your required 2FA provider(s)

  1. On the Admin sidebar, go to Stores > Settings > Configuration.

  2. In the left panel, click Security and choose 2FA.

  3. In the General section, select each Provider to use.

    To select multiple methods, hold down the Ctrl key (PC) or the Command key (Mac) and click each item.

  4. Complete the settings for each required 2FA method.

    Security configuration - 2FA Providers to use

  5. When complete, click Save Config.

    The first time users sign in to the Admin, they must set up each required 2FA method. After this initial setup, they must authenticate with one of the configured methods each time they sign in.

2FA Provider Settings

Complete the settings for each 2FA method that you require.

Google

To change how long the one-time password (OTP) is available during sign in, clear the Use system value checkbox. Then, enter the number of seconds that you want the OTP Window to be valid.

Security configuration - Google Google

Duo Security

Enter the following credentials from your Duo Security account:

  • Integration key
  • Secret key
  • API hostname

Security configuration - Duo Duo Security

Authy

  1. Enter the API key from your Authy account.

  2. To change the default message that appears during authentication, clear the Use system value checkbox. Then, enter the OneTouch Message that you want to appear.

    Security configuration - Authy Authy

U2F Devices (Yubikey and others)

The store domain is used by default during the authentication process. To use a custom domain for authentication challenges, clear the Use system value checkbox. Then, enter the WebAPi Challenge Domain.

Security configuration - U2F Devices U2F Devices