February 21, 2023

Using Two-Factor Authentication with Magento & Adobe Commerce

Using Two-Factor Authentication (2FA) with Magento is necessary for security because it adds an extra layer of protection to the authentication process. 

For regular admin access to Magento, users are required to enter a username and password to access their account. However, this method can be vulnerable to brute force attacks or password guessing, especially if users are not using strong and unique passwords. 

Typically, Google’s reCAPTCHA can be enabled on the admin login page and the login URL can be changed from /admin. This provides some protection, but 2FA provides a significant improvement to your site’s security.

Why do you need to enable Two-Factor authentication?

2FA adds a second layer of authentication by requiring users to provide an additional piece of information to verify their identity. Typically, this second factor is something that the user has, such as a mobile device, token, or security key. 

By requiring this additional piece of information, even if an attacker manages to obtain the user's password, they would still need access to the second factor to gain access to the account.

How 2FA can protect your Magento website

In the case of Magento (either Open Source or Adobe Commerce versions), 2FA can help protect sensitive customer and payment data, which is critical for any eCommerce platform. 

By using 2FA, Magento store owners and administrators can add an extra layer of security to their accounts, making it more difficult for attackers to gain access to sensitive information. 

This can help protect against attacks such as phishing, brute force attacks, and password guessing, which are common methods used by attackers to gain unauthorised access to accounts.

Using Google Authentication to protect your Magento website

One popular and widely used option for implementing 2FA in Magento is Google Authentication. 

It is a free service provided by Google, and it works by using a mobile app, such as Google Authenticator or Authy, to generate a one-time code that is used in combination with the user's password to authenticate the user. 

Once enabled, the user would be prompted to enter a one-time code from the app in addition to their username and password when logging in to their Magento account. This helps ensure that only authorised users with access to the linked mobile device can access the account, making it more secure.

How to enable Two-Factor Authentication on your Magento website

Here’s how Two-Factor Authentication can be enabled on Magento Open Source and Adobe Commerce:

  1. Check that the Two-Factor Authentication module is enabled in your Magento store. If you haven't already set up 2FA, it’s likely that the module has been disabled. Your Magento development agency or internal team should re-enable it for you.
  2. Log in to your Magento admin panel and navigate to your user account settings by clicking on "Account Settings" in the top right-hand corner of the screen.
  3. Click on the "Security" tab and then click on the "2FA" tab.
  4. Under the "Two-Factor Authentication" tab, select "Google Authenticator" as your 2FA provider.
  5. Download and install the Google Authenticator or Authy app on your mobile device if you haven't already done so.
  6. Open the app on your mobile device and scan the QR code displayed on the Magento admin panel.
  7. Once you've linked your account to the app, a verification code will be generated in the app. Enter this code in the "Verification Code" field on the Magento admin panel.
  8. Click "Save" to enable Two-Factor Authentication with Google Authentication.
  9. The next time you log in to your Magento account, you will be prompted to enter a verification code from your Google Authenticator app after entering your username and password.

Disabling Two-Factor Authentication

There are a number of legitimate reasons why a business might not want to have 2FA enabled. For example, it may cause issues with integrations (we’ve seen this with some of our clients and their bespoke ERPs), or internal teams may not have access to a “work” mobile phone to use the Google Authenticator app.

To disable the module:

  1. In your Magento admin, go to Stores > Configuration > Security > 2FA.
  2. Select the “General” tab and set “Enable 2FA” to “No”, which will disable 2FA on your admin screen.

Looking for Magento security advice?

If you have any questions regarding your Magento website and your platform security, do get in contact with us and we will be happy to answer any questions you may have. 

magic42 is unique in that it evolved from Mobile Fun, an award-winning online retailer with 20 years of experience, 27 international websites and a global distribution network managed from the heart of Birmingham.
Company No. 11572347 VAT No. 310 2436 61
© Copyright 2023 magic42 Limited - All Rights Reserved