Two-factor Authentication (TFA or 2FA) is an added layer of security to better protect your Commerce account from unauthorized users who might want to use your account in ways you do not want. TFA requires a second factor (beyond your standard username and password combination) in order to complete the login process. This second factor takes the form of special, temporary verification codes that are continuously generated by a TFA application (on your mobile phone, for example) that is synced to your Commerce account. With TFA enabled, an unauthorized user must have your username and password combination (first factor) and access to the TFA application on your personal device (second factor) in order to log in to your Commerce account. Requiring both factors makes unauthorized access much more difficult and, therefore, your account more secure.
The two-factor authentication that protects the Admin of your store has a separate setup. To learn more, see Two-Factor Authentication.
In order to use TFA, you must have a TFA application installed on your personal device (such as your smartphone, tablet, or computer). There are many available, but some popular and free options include:
Google Authenticator (iOS, Android™, BlackBerry®)
Authy (iOS, Android™)
Microsoft® Authenticator (iOS, Android™, Windows Phone)
Log in to your Commerce account.
In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.
Click Enable to begin the two-factor authentication setup process.
Reenter your Password and click Verify Password to continue.
Open the two-factor authentication application you downloaded and installed on your personal device.
Enter the Setup Code into your two-factor authentication application.
You can either scan the QR code using the TFA application or manually enter the code into your TFA application. This code syncs your TFA application with your Commerce account and allows your TFA application to generate verification codes that the system accepts.
Verification Codes constantly expire and are regenerated by your TFA application for security purposes, so always use the one that is currently displayed.
With your two-factor authentication application now synced to your Commerce account, enter the Verification Code displayed in your two-factor authentication application and click Verify Code to continue.
Save the Recovery Codes presented in a safe and accessible place.
If you cannot provide a Verification Code to log into your Commerce account, using a Recovery Code is the only way to regain access to your Commerce account.
Each Recovery Code is one-time use only, so do not try to reuse a Recovery Code you have already used previously (but you can always generate more—see the following for details). Recovery Codes are case-sensitive.
Select the confirmation checkbox and click Submit to continue.
To help ensure that you can recover access to your account, enter a Recovery Email.
This email address is needed if you cannot generate a Verification Code from your two-factor authentication application and you do not have access to an unused pre-generated Recovery Code.
Once every 24 hours, you are able to generate and send a temporary Recovery Code to your designated Recovery email address that you can use to regain access to your account.
It is imperative that you maintain access to the email account of your Recovery Email; otherwise, you cannot access any temporary Recovery Codes sent to that account.
Select the confirmation checkbox and click Submit to complete the two-factor authentication setup process.
An email notification is sent to the email address associated with your Commerce account to confirm that you have successfully enabled two-factor authentication.
An email notification is sent to the Recovery Email that you designated to confirm that particular email address is on file as your Recovery Email for receiving a temporary Recovery Code.
Go to the Commerce account login.
Enter your username and password combination, and then click Login to log into My Account.
Enter the Verification Code displayed in your two-factor authentication application when prompted.
Click Submit to complete the login process.
Go to the Commerce account login.
Enter your username and password combination, and then click Login to log into My Account.
Click Use recovery code to bypass the verification code prompt.
Enter an unused Recovery Code when prompted.
Click Submit to complete the login process.
Log in to your Commerce account.
Enter your username and password combination, and then click Login to log into My Account.
Click Use recovery code to bypass the verification code prompt.
To have a temporary Recovery Code sent to the Recovery Email address on file for your Commerce account, click the recovery email link.
Access the email account of your Recovery Email to retrieve the temporary Recovery Code and enter it into the designated fields.
Click Submit to complete the login process.
Because the Recovery Email capability is only available once every 24 hours, it is recommended that you generate new Recovery Codes and securely store them to avoid any future issues with accessing your Commerce account.
It is also recommended that you change your two-factor authentication application (if you have a device available) in order to generate Verification Codes again and use them to access your Commerce account.
Go to the Commerce account login.
Enter your username and password combination, and then click Login to log into My Account.
Complete the login process using one of the two-factor authentication methods described earlier.
In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.
To view your pre-generated Recovery Codes, click View Recovery Codes.
Reenter your Password and click Verify Password to continue.
Save the Recovery Codes presented in a safe and accessible place.
If you cannot provide a Verification Code to log into your Commerce account, using a Recovery Code is the only way to regain access to your Commerce account.
Each Recovery Code is one-time use only, so do not try to reuse a Recovery Code you have already used previously (but you can always generate more—see the following for details). Recovery Codes are case-sensitive.
Select the confirmation checkbox and click Submit to close the dialog.
Go to the Commerce account login.
Enter your username and password combination, and then click Login to log into My Account.
Complete the login process using one of the two-factor authentication methods described earlier.
In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.
To generate new pre-generated Recovery Codes, click Generate New Recovery Codes.
Reenter your Password and click Verify Password to continue.
Save the Recovery Codes presented in a safe and accessible place.
If you cannot provide a Verification Code to log into your Commerce account, using a Recovery Code is the only way to regain access to your Commerce account.
All previously generated Recovery Codes are now rendered invalid and should be discarded (only the current set of generated Recovery Codes is functional). Recovery Codes are case-sensitive.
Select the confirmation checkbox and click Submit to close the dialog.
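The Recovery Code rules described on this page (one-time use, case-sensitive, a new set invalidating the old one, and a temporary emailed code at most once every 24 hours), modelled as an added example that is not Commerce's own code. The class, the code length and alphabet, the set size of 10, and the hashed storage are assumptions made for illustration.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # mixed case: codes are case-sensitive
DAY_SECONDS = 24 * 60 * 60


def _digest(code: str) -> str:
    # Codes are long random strings, so a plain SHA-256 is enough to keep
    # them out of storage in clear text.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def _new_code(length: int = 12) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class RecoveryStore:
    """Per-account recovery state (hypothetical model, constructed here)."""

    def __init__(self) -> None:
        self.valid = set()         # digests of unused pre-generated codes
        self.email_digest = None   # digest of the outstanding emailed code
        self.last_email_at = None  # when the last emailed code was issued

    def generate(self, count: int = 10) -> list:
        """Issue a fresh set; every previously generated code stops working."""
        codes = [_new_code() for _ in range(count)]
        self.valid = {_digest(c) for c in codes}
        return codes

    def request_email_code(self, now: float):
        """Issue a temporary code at most once every 24 hours, else None."""
        if self.last_email_at is not None and now - self.last_email_at < DAY_SECONDS:
            return None
        code = _new_code()
        self.email_digest, self.last_email_at = _digest(code), now
        return code

    def redeem(self, submitted: str) -> bool:
        """Accept an unused code exactly once; no case folding is applied."""
        d = _digest(submitted)
        if d in self.valid:
            self.valid.remove(d)
            return True
        if self.email_digest is not None and d == self.email_digest:
            self.email_digest = None
            return True
        return False
```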
Go to the Commerce account login.
Enter your username and password combination, and then click Login to log into My Account.
Complete the login process using one of the two-factor authentication methods described earlier.
In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.
Click Change Recovery Email to change the Recovery Email on file for your account.
Reenter your Password and click Verify Password to continue.
To help ensure that you can recover access to your account, enter a Recovery Email.
This email address is needed if you cannot generate a Verification Code from your two-factor authentication application and you do not have access to an unused pre-generated Recovery Code.
Once every 24 hours, you can generate and send a temporary Recovery Code to your designated Recovery email address that you can use to regain access to your account.
It is imperative that you maintain access to the email account of your Recovery Email; otherwise, you cannot access any temporary Recovery Codes sent to that account.
Select the confirmation checkbox and click Submit to close the dialog.
The system sends an email notification to the Recovery Email that you designated to confirm that particular email address is on file as your Recovery Email for receiving temporary Recovery Codes.
Go to the Commerce account login.
Enter your username and password combination, and then click Login to log into My Account.
Complete the login process using one of the two-factor authentication methods described earlier.
In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.
Click Change TFA Application to use a different TFA application with your magento.com account.
Reenter your Password and click Verify Password to continue.
Open the two-factor authentication application you downloaded and installed on your personal device.
Enter the Setup Code into your two-factor authentication application.
You can either scan the QR code using the two-factor authentication application or manually enter the code into your two-factor authentication application. This code syncs your two-factor authentication application with your Commerce account and allows your two-factor authentication application to generate verification codes that the system accepts.
Verification Codes constantly expire and are regenerated by your two-factor authentication application for security purposes, so always use the one that is currently displayed.
With your TFA application now synced to your Commerce account, enter the Verification Code displayed in your TFA application and click Verify Code to continue.
Save the Recovery Codes presented in a safe and accessible place.
If you cannot provide a Verification Code to log into your Commerce account, using a Recovery Code is the only way to regain access to your Commerce account.
Each Recovery Code is one-time use only, so do not try to reuse a Recovery Code you have already used previously (but you can always generate more—see the previous for details). Recovery Codes are case-sensitive.
Select the checkbox to confirm and click Submit to continue.
To help ensure that you can recover access to your account, enter a Recovery Email.
This email address is needed if you cannot generate a Verification Code from your two-factor authentication application and you do not have access to an unused pre-generated Recovery Code.
Once every 24 hours, you can generate and send a temporary Recovery Code to your designated Recovery email address that you can use to regain access to your account.
It is imperative that you maintain access to the email account of your Recovery Email; otherwise, you cannot access any temporary Recovery Codes sent to that account.
Select the confirmation checkbox and click Submit to complete the two-factor authentication setup process.
An email notification is sent to the Recovery Email that you designated to confirm that particular email address is on file as your Recovery Email for receiving a temporary Recovery Code.
Go to the Commerce account login.
Enter your username and password combination, and then click Login to log into My Account.
Complete the login process using one of the two-factor authentication methods described earlier.
In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.
Click Disable to begin the TFA deactivation process.
Reenter your password and click Verify Password to continue.
Select the confirmation checkbox and click Submit to complete the deactivation for two-factor authentication.
The system sends an email confirmation indicating that TFA has been disabled on your Commerce account.