Secure Your Commerce Account

Two-factor Authentication (TFA or 2FA) is an added layer of security to better protect your Commerce account from unauthorized access. To complete the login process, TFA requires a second factor in addition to the standard username and password credentials. This second factor takes the form of temporary verification codes that are continuously generated by a TFA application installed on your mobile device and paired with your Commerce account.

With TFA enabled, your account is more secure. An unauthorized user cannot log in unless they have both your username and password credentials (first factor) and a valid verification code from the TFA application on your personal device (second factor).

NOTE

The two-factor authentication that protects the Admin of your store has a separate setup. To learn more, see Two-Factor Authentication.

Before you begin

To use TFA, you must have a TFA application installed on your personal device (such as your smartphone, tablet, computer). There are many available, but some popular and free options include:

  • Google Authenticator (iOS, Android™, BlackBerry®)

  • Authy (iOS, Android™)

  • Microsoft® Authenticator (iOS, Android™, Windows Phone)

Enable two-factor authentication

  1. Log in to your Commerce account.

  2. In the left navigation pane, select Account Settings, and then select Two-factor Authentication.

    Enable TFA

  3. Select Enable to begin the two-factor authentication setup process.

  4. Enter the Verification Code sent to your email and select Verify Code to continue.

    Enter the verification code

  5. Open the two-factor authentication application you downloaded and installed on your personal device.

  6. On the SETUP TWO-FACTOR AUTHENTICATION form, use the Setup Code to add Adobe Commerce to your TFA application.

    Add Adobe Commerce to TFA app

    You can add the code by scanning the QR code using the TFA application, or by manually entering it. This code pairs your TFA application with your Commerce account and enables the permissions to generate the TFA app to generate verification codes for secure account access.

  7. Complete the setup.

    • On the SETUP TWO FACTOR-AUTHENTICATION form, enter the verification code from your two-factor authentication application.

    • Select Verify Code.

    NOTE

    For security, the verification codes in your TFA application continuously expire and regenerate. Always use the code that is currently displayed.

  8. Save the Recovery Codes presented in a safe and accessible place.

    Store recovery codes

    If you cannot provide a verification code when you log in to your Commerce account, you must use a recovery code to regain account access.

    Each recovery code can be used only one time, but you can generate new ones. Recovery codes are case-sensitive.

  9. Select the confirmation checkbox and select Submit to continue.

  10. To ensure that you can recover access to your account, enter a Recovery Email.

    This email address is needed if you cannot generate a verification code from your two-factor authentication application and you do not have access to an unused pre-generated recovery code.

    Once every 24 hours, you can generate and send a temporary recovery code to your designated recovery email address. Use this code to regain account access.

    IMPORTANT

    Maintain access to your recovery email account. Otherwise, you cannot use temporary recovery codes sent to that account.

    Set recovery email

  11. Select the confirmation checkbox and select Submit to complete the two-factor authentication setup process.

    • A notification is sent to the email address associated with your Commerce account to confirm that you have successfully enabled two-factor authentication.

    • A notification is sent to your recovery email account to confirm the configuration.

TIP

If you lose your personal device or get a new one, you can change your two-factor authentication app and generate new recovery codes.

Log in using a verification code

  1. Go to the Commerce account login.

  2. Enter your username and password credentials, and then select Login.

  3. Enter the Verification Code displayed in your two-factor authentication application when prompted.

    Enter verification code

  4. Select Submit to complete the login process.

Log in using a recovery code

  1. Go to the Commerce account login.

  2. Enter your username and password credentials, and then select Login.

  3. Select Use recovery code to bypass the verification code prompt.

  4. Enter an unused Recovery Code when prompted.

    Enter recovery code

  5. Select Submit to complete the login process.

Log in using your recovery email

  1. Log in to your Commerce account.

  2. Enter your username and password credentials, and then select Login.

  3. Select Use recovery code to bypass the verification code prompt.

    Use recovery code

  4. To get a temporary recovery code through email, select the recovery email link.

    Use recovery email

  5. Open your recovery email account to get the temporary code, and then enter the code in the designated fields.

  6. Select Submit to complete the login process.

After using a temporary recovery code to access your account, generate new recovery codes and save them to prevent further account access issues.

View your recovery codes

  1. Go to the Commerce account login.

  2. Enter your username and password credentials, and then select Login.

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, select Account Settings, and then select Two-factor Authentication.

    2FA settings

  5. To view your pre-generated recovery codes, select View Recovery Codes.

  6. Enter the Verification Code sent to your email and select Verify Code to continue.

    Enter verification code

  7. Save the Recovery Codes presented in a safe and accessible place.

    If you cannot provide a verification code to log in to your Commerce account, using a recovery code is the only way to regain account access.

    Each recovery code is one-time use only, but you can always generate new ones. Recovery codes are case-sensitive.

    View recovery codes

  8. Select the confirmation checkbox and select Submit to close the dialog.

Generate new recovery codes

  1. Go to the Commerce account login.

  2. Enter your username and password credentials, and then select Login.

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, select Account Settings, and then select Two-factor Authentication.

    TFA settings

  5. To generate new pre-generated Recovery Codes, select Generate New Recovery Codes.

  6. Enter the Verification Code sent to your email and select Verify Code to continue.

    Enter verification code

  7. Save the Recovery Codes presented in a safe and accessible place.

    If you cannot provide a verification code when you log in to your Commerce account, using a recovery code is the only way to regain account access.

    All previously generated recovery codes are now rendered invalid and should be discarded (only the current set of generated recovery codes are functional). Recovery codes are case-sensitive.

    Generate recovery codes

  8. Select the confirmation checkbox and select Submit to close the dialog.

Change your recovery email

  1. Go to the Commerce account login.

  2. Enter your username and password credentials, and then select Login.

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, select Account Settings, and then select Two-factor Authentication.

    TFA settings

  5. Select Change Recovery Email to change the recovery email on file for your account.

  6. Enter the Verification Code sent to your email and select Verify Code to continue.

    Enter verification code

  7. To help ensure that you can recover access to your account, enter a Recovery Email.

    This email address is needed if you cannot generate a verification code from your two-factor authentication application and you do not have access to an unused pre-generated recovery code.

    Once every 24 hours, you can generate and send a temporary recovery code to your designated recovery email address. You can use this code to regain account access.

    IMPORTANT

    Maintain access to your recovery email account. Otherwise, you cannot use temporary recovery codes sent to that account.

    Set recovery email

  8. Select the confirmation checkbox and select Submit to close the dialog.

    The system sends an email notification to the recovery email that you designated to confirm that particular email address is on file as your recovery email for receiving temporary recovery codes.

Change your two-factor authentication application

  1. Go to the Commerce account login.

  2. Enter your username and password credentials, and then select Login.

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, select Account Settings, and then select Two-factor Authentication.

    TFA settings

  5. Select Change TFA Application to use a different TFA application with your magento.com account.

  6. Enter the Verification Code sent to your email and select Verify Code to continue.

    Enter verification code

  7. Open the two-factor authentication application on your personal device.

  8. Enter the Setup Code into your two-factor authentication application.

    You can add the code by scanning the QR code using the TFA application, or manually entering it. This code pairs your TFA application with your Commerce account and enables the permissions for the TFA app to generate verification codes for secure account access.

    NOTE

    For security, the verification codes in your TFA application continuously expire and regenerate. Always use the code that is currently displayed.

  9. With your TFA application now paired with your Commerce account, enter the Verification Code displayed in your TFA application and select Verify Code to continue.

    Setup TFA app

  10. Save the Recovery Codes presented in a safe and accessible place.

    If you cannot provide a verification code when you log in to your Commerce account, the only way to regain account access is to use a recovery code.

    Each recovery code is one-time use only, but you can always generate new ones. Recovery codes are case-sensitive. Recovery codes are case-sensitive.

  11. Select the checkbox to confirm and select Submit to continue.

    Store recovery codes

  12. To help ensure that you can recover access to your account, enter a Recovery Email.

    This email address is needed if you cannot generate a verification code from your two-factor authentication application and you do not have access to an unused pre-generated recovery code.

    Once every 24 hours, you can generate and send a temporary recovery code to your designated recovery email address. Use this code to regain account access.

    IMPORTANT

    Maintain access to your recovery email account. Otherwise, you cannot use temporary recovery codes sent to that account.

    Set recovery email

  13. Select the confirmation checkbox and select Submit to complete the two-factor authentication setup process.

    An email notification is sent to the recovery email that you designated to confirm that particular email address is on file as your recovery email for receiving a temporary recovery code.

Disable two-factor authentication

IMPORTANT

If your organizational security policy requires multi-factor authentication on Adobe Commerce accounts, you cannot disable two-factor authentication.

  1. Go to the Commerce account login.

  2. Enter your username and password credentials, and then select Login.

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, select Account Settings and select Two-factor Authentication underneath.

    TFA settings

  5. Select Disable to begin the TFA deactivation process.

  6. Enter the Verification Code sent to your email and select Verify Code to continue.

    Enter verification code

  7. Select the confirmation checkbox and select Submit to complete the deactivation for two-factor authentication.

    The system sends an email confirmation indicating that TFA has been disabled on your Commerce account.

    Disable TFA

On this page