Two-Factor Authentication

The Magento Admin provides all access to your store, orders, and customer data. To prevent unauthorized access to your data, all users who attempt to sign in to the Admin of your Magento installation must complete a second step to verify their identity. This implementation of two-factor authentication applies to the Admin only, and is not available for customer accounts.

The two-factor authentication that protects your Magento account has a separate setup. To learn more, see Securing Your Account.

Two-factor authentication is widely used, and you might have several access codes for different websites. For example, the Google Authenticator app on your phone might generate codes for the Admin of your store, your Magento account, your Google account, and so on.

Security configuration - 2FA 2FA Codes on Phone

Magento two-factor authentication supports solutions from multiple providers. Some solutions require that you install an app that generates a one-time password (OTP) that is entered at login to verify your identity. Universal 2nd Factor (UTF) devices resemble a key fob and generate a unique key that is similarly used to verify your identity. Other devices verify your identify when they are inserted into a USB port. As the store administrator, you can support one or more of the available 2FA providers. The solutions that you support are available for all websites and stores that are associated with the Magento installation.

The next time users sign in to the Admin, they must configure one of the supported 2FA solutions and verify their identity using the associated app or device. Although multiple solutions can be supported and configured, only one is required to sign in. The user’s preferred 2FA solution(s) are recorded in their Admin account, and can be reset if necessary. To learn more about the sign-in process, see Admin Sign In.

Configure the supported 2FA provider(s)

  1. On the Admin sidebar, go to Stores > Settings > Configuration.

  2. In the left panel, click Security and choose 2FA.

  3. In the General section, select each Provider to use.

    To select multiple providers, hold down the Ctrl key (PC) or the Command key (Mac) and click each item.

    Security configuration - 2FA Providers to use

  4. When complete, click Save Config.

The next time each user signs in to the Admin, they will be required to configure their 2FA solution and then use it for authentication.

Google

To change how long the one-time password (OTP) is available during sign in, clear the Use system value checkbox. Then, enter the number of seconds that you want the OTP Window to be valid.

Security configuration - Google Google

Duo Security

Enter the following credentials from your Duo Security account:

  • Integration key
  • Secret key
  • API hostname

Security configuration - Duo Duo Security

Authy

  1. Enter the API key from your Authy account.

  2. To change the default message that appears during authentication, clear the Use system value checkbox. Then, enter the OneTouch Message that you want to appear.

    Security configuration - Authy Authy

U2F Devices (Yubikey and others)

The store domain is used by default during the authentication process. To use a custom domain to issue and process WebAuthn challenges with WebApi, clear the Use system value checkbox. Then, enter the WebAPi Challenge Domain.

Security configuration - U2F Devices U2F Devices