The Commerce Admin for your Adobe Commerce or Magento Open Source installation provides access to your store, orders, and customer data. To prevent unauthorized access to your data, all users who attempt to sign in to the Admin must complete an authentication process to verify their identity.
This implementation of two-factor authentication (2FA) applies to the Admin only, and is not available for customer accounts. The two-factor authentication that protects your magento.com account has a separate setup. To learn more, go to Securing Your Account.
Two-factor authentication is widely used, and it is common to generate access codes for different websites on the same app. This ensures that only you are able to log in to your user account. If you lose your password or a bot guesses it, two-factor authentication adds a layer of protection. For example, you might use Google Authenticator to generate codes for the Admin of your store, your Commerce account account, Google account, and so on.
2FA Codes on Phone
Adobe Commerce supports 2FA methods from multiple providers. Some require the installation of an app that generates a one-time password (OTP) that users enter at sign-in to verify their identity. Universal 2nd Factor (U2F) devices resemble a key fob and generate a unique key to verify identity. Other devices verify identity when they are inserted into a USB port. As the store administrator, you can require one or more of the available 2FA methods to verify user identity. Your 2FA configuration applies to all websites and stores that are associated with the Adobe Commerce installation.
The first time a user signs in to the Admin, they must set up each 2FA method that you require, and verify their identity using the associated app or device. After this initial setup, the user must authenticate with one of the configured methods each time they sign in. Each user’s 2FA information is recorded in their Admin account and can be reset if necessary. To learn more about the sign-in process, go to Admin Sign In.
Stores that have enabled Adobe Identity Management Services (IMS) authentication have native Adobe Commerce and Magento Open Source 2FA disabled. Admin users who are logged into their Commerce instance with their Adobe credentials do not need to re-authenticate for many Admin tasks. Authentication is handled by Adobe IMS when the Admin user logs into their current session. See Adobe Identity Management Service (IMS) Integration Overview.
You can watch this video demo for an overview of two-factor authentication in the Admin.
Configure your required 2FA provider(s)
On the Admin sidebar, go to Stores > Settings > Configuration.
In the left panel, click Security and choose 2FA.
In the General section, select each Provider to use.
Google Authenticator Generates a one-time password in the application for user authentication. Duo Security Provides SMS and push notification. Authy Generates a time-dependent six-digit code and delivers SMS or Voice Call 2FA protection or token. U2F Devices (Yubikey and others) Uses a physical device to authenticate, such as YubiKey.
To select multiple methods, hold down the Ctrl key (PC) or the Command key (Mac) and click each item.
Complete the settings for each required 2FA method.
Providers to use
When complete, click Save Config.
The first time users sign in to the Admin, they must set up each required 2FA method. After this initial setup, they must authenticate with one of the configured methods each time they sign in.
2FA Provider Settings
Complete the settings for each 2FA method that you require.
To change how long the one-time password (OTP) is available during sign in, clear the Use system value checkbox. Then, enter the number of seconds that you want the OTP Window to be valid.
Enter the following credentials from your Duo Security account:
- Integration key
- Secret key
- API hostname
Enter the API key from your Authy account.
To change the default message that appears during authentication, clear the Use system value checkbox. Then, enter the OneTouch Message that you want to appear.
U2F Devices (Yubikey and others)
The store domain is used by default during the authentication process. To use a custom domain for authentication challenges, clear the Use system value checkbox. Then, enter the WebAPi Challenge Domain.