Secure Your Commerce Account

Two-factor authentication (TFA or 2FA) is an added layer of security that better protects your Commerce account from unauthorized users who might want to use your account in ways you do not want. TFA requires a second factor (beyond your standard username and password combination) to complete the login process. This second factor takes the form of special, temporary verification codes that are continuously generated by a TFA application (on your mobile phone, for example) that is synced to your Commerce account. With TFA enabled, an unauthorized user must have your username and password combination (first factor) and access to the TFA application on your personal device (second factor) in order to log in to your Commerce account. This makes unauthorized access much more difficult and, therefore, makes your account more secure.

NOTE

The two-factor authentication that protects the Admin of your store has a separate setup. To learn more, see Two-Factor Authentication.

Before you begin

To use TFA, you must have a TFA application installed on your personal device (such as your smartphone, tablet, or computer). There are many available, but some popular and free options include:

  • Google Authenticator (iOS, Android™, BlackBerry®)

  • Authy (iOS, Android™)

  • Microsoft® Authenticator (iOS, Android™, Windows Phone)

Enable two-factor authentication

  1. Log in to your Commerce account.

  2. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    Enable TFA

  3. Click Enable to begin the two-factor authentication setup process.

  4. Reenter your Password and click Verify Password to continue.

    Verify password

  5. Open the two-factor authentication application you downloaded and installed on your personal device.

  6. Enter the Setup Code into your two-factor authentication application.

    You can either scan the QR code using the TFA application or manually enter the code into your TFA application. This code syncs your TFA application with your Commerce account and allows your TFA application to generate verification codes that the system accepts.

    NOTE

    Verification Codes constantly expire and are regenerated by your TFA application for security purposes, so always use the one that is currently displayed.

  7. With your two-factor authentication application now synced to your Commerce account, enter the Verification Code displayed in your two-factor authentication application and click Verify Code to continue.

    Setup 2FA app

  8. Save the Recovery Codes presented in a safe and accessible place.

    If you cannot provide a Verification Code to log into your Commerce account, using a Recovery Code is the only way to regain access to your Commerce account.

    Each Recovery Code is one-time use only, so do not try to reuse a Recovery Code that you have already used (you can always generate more; see Generate new recovery codes). Recovery Codes are case-sensitive.

  9. Select the confirmation checkbox and click Submit to continue.

    Store recovery codes

  10. To help ensure that you can recover access to your account, enter a Recovery Email.

    This email address is needed if you cannot generate a Verification Code from your two-factor authentication application and you do not have access to an unused pre-generated Recovery Code.

    Once every 24 hours, you are able to generate and send a temporary Recovery Code to your designated Recovery email address that you can use to regain access to your account.

    IMPORTANT

    It is imperative that you maintain access to the email account of your Recovery Email; otherwise, you cannot access any temporary Recovery Codes sent to that account.

    Set recovery email

  11. Select the confirmation checkbox and click Submit to complete the two-factor authentication setup process.

    • An email notification is sent to the email address associated with your Commerce account to confirm that you have successfully enabled two-factor authentication.

    • An email notification is sent to the Recovery Email that you designated to confirm that particular email address is on file as your Recovery Email for receiving a temporary Recovery Code.
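How a setup code turns into expiring verification codes, as an added example that is not part of the original page or of Adobe's code. It assumes the standard TOTP scheme (RFC 6238: HMAC-SHA1, 30-second steps, 6 digits) that the authenticator applications listed above implement; the sample setup code and the server-side verify() helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays current (RFC 6238 default, assumed here)
DIGITS = 6   # code length shown by common authenticator apps (assumed here)

# Constructed sample setup code: the RFC 6238 test secret, Base32-encoded.
SAMPLE_SETUP_CODE = base64.b32encode(b"12345678901234567890").decode()


def totp(setup_code: str, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Return the verification code an authenticator app shows at time `at`."""
    # Manually typed setup codes may contain spaces or lower-case letters.
    cleaned = setup_code.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(at) // step                  # number of elapsed time steps
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(setup_code: str, submitted: str, now: float, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus `drift_steps` neighbours."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        t = now + delta * STEP
        if t < 0:
            continue
        # Constant-time comparison, no early exit, so timing does not leak a match.
        ok |= hmac.compare_digest(totp(setup_code, t).encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    now = 1111111109
    code = totp(SAMPLE_SETUP_CODE, now)
    print("code displayed at t=%d: %s" % (now, code))
    print("accepted right away:  ", verify(SAMPLE_SETUP_CODE, code, now))
    print("accepted 5 minutes on:", verify(SAMPLE_SETUP_CODE, code, now + 300))
```

The small drift window tolerates clock skew between the device and the server; a code older than that window is rejected, which is why only the currently displayed code works.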

Log in using a verification code

  1. Go to the Commerce account login.

  2. Enter your username and password combination, and then click Login to log into My Account.

  3. Enter the Verification Code displayed in your two-factor authentication application when prompted.

    Enter verification code

  4. Click Submit to complete the login process.

Log in using a recovery code

  1. Go to the Commerce account login.

  2. Enter your username and password combination, and then click Login to log into My Account.

  3. Click Use recovery code to bypass the verification code prompt.

  4. Enter an unused Recovery Code when prompted.

    Enter recovery code

  5. Click Submit to complete the login process.

Log in using your recovery email

  1. Log in to your Commerce account.

  2. Enter your username and password combination, and then click Login to log into My Account.

  3. Click Use recovery code to bypass the verification code prompt.

    Use recovery code

  4. To have a temporary Recovery Code sent to the Recovery Email address on file for your Commerce account, click the recovery email link.

    Use recovery email

  5. Access the email account of your Recovery Email to retrieve the temporary Recovery Code and enter it into the designated fields.

  6. Click Submit to complete the login process.

    • Because the Recovery Email capability is only available once every 24 hours, it is recommended that you generate new Recovery Codes and securely store them to avoid any future issues with accessing your Commerce account.

    • It is also recommended that you change your two-factor authentication application (if you have a device available) in order to generate Verification Codes again and use them to access your Commerce account.

View your recovery codes

  1. Go to the Commerce account login.

  2. Enter your username and password combination, and then click Login to log into My Account.

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    2FA settings

  5. To view your pre-generated Recovery Codes, click View Recovery Codes.

  6. Reenter your Password and click Verify Password to continue.

    Verify password

  7. Save the Recovery Codes presented in a safe and accessible place.

    If you cannot provide a Verification Code to log into your Commerce account, using a Recovery Code is the only way to regain access to your Commerce account.

    Each Recovery Code is one-time use only, so do not try to reuse a Recovery Code that you have already used (you can always generate more; see Generate new recovery codes). Recovery Codes are case-sensitive.

    View recovery codes

  8. Select the confirmation checkbox and click Submit to close the dialog.

Generate new recovery codes

  1. Go to the Commerce account login.

  2. Enter your username and password combination, and then click Login to log into My Account.

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    TFA settings

  5. To generate new pre-generated Recovery Codes, click Generate New Recovery Codes.

  6. Reenter your Password and click Verify Password to continue.

    Verify password

  7. Save the Recovery Codes presented in a safe and accessible place.

    If you cannot provide a Verification Code to log into your Commerce account, using a Recovery Code is the only way to regain access to your Commerce account.

    All previously generated Recovery Codes are now invalid and should be discarded (only the current set of generated Recovery Codes is functional). Recovery Codes are case-sensitive.

    Generate recovery codes

  8. Select the confirmation checkbox and click Submit to close the dialog.
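The three Recovery Code rules stated on this page (one-time use, case-sensitive, a new set invalidates the old one) can be enforced by a server along the following lines. This is an added example, not Adobe's implementation; the RecoveryCodes class, the code alphabet, and the count and length of the codes are assumptions.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters   # mixed case, so codes are case-sensitive (assumed)


class RecoveryCodes:
    """Hypothetical server-side store for one account's Recovery Codes."""

    def __init__(self):
        self._salt = b""
        self._unused = set()      # digests of codes that have not been redeemed

    def _digest(self, code: str) -> bytes:
        # No case folding: "aBc" and "ABC" hash to different values.
        # A fast hash is acceptable only because the codes are long and random.
        return hashlib.sha256(self._salt + code.encode()).digest()

    def generate(self, count: int = 10, length: int = 12) -> list:
        """Issue a new set; every code from an earlier set stops working."""
        self._salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(length))
                 for _ in range(count)]
        self._unused = {self._digest(c) for c in codes}   # replaces the old set
        return codes              # shown to the user once; only digests are kept

    def redeem(self, submitted: str) -> bool:
        """Accept a code at most once."""
        probe = self._digest(submitted)
        match = None
        for stored in self._unused:
            if hmac.compare_digest(stored, probe):        # constant-time compare
                match = stored
        if match is None:
            return False
        self._unused.discard(match)                       # one-time use
        return True

    def remaining(self) -> int:
        return len(self._unused)
```

Storing only digests means that reading the server's database does not reveal usable Recovery Codes, which is also why the user has to save them when they are displayed.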

Change your recovery email

  1. Go to the Commerce account login.

  2. Enter your username and password combination, and then click Login to log into My Account.

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    TFA settings

  5. Click Change Recovery Email to change the Recovery Email on file for your account.

  6. Reenter your Password and click Verify Password to continue.

    Verify password

  7. To help ensure that you can recover access to your account, enter a Recovery Email.

    This email address is needed if you cannot generate a Verification Code from your two-factor authentication application and you do not have access to an unused pre-generated Recovery Code.

    Once every 24 hours, you can generate and send a temporary Recovery Code to your designated Recovery email address that you can use to regain access to your account.

    IMPORTANT

    It is imperative that you maintain access to the email account of your Recovery Email; otherwise, you cannot access any temporary Recovery Codes sent to that account.

    Set recovery email

  8. Select the confirmation checkbox and click Submit to close the dialog.

    The system sends an email notification to the Recovery Email that you designated to confirm that particular email address is on file as your Recovery Email for receiving temporary Recovery Codes.

Change your two-factor authentication application

  1. Go to the Commerce account login.

  2. Enter your username and password combination, and then click Login to log into My Account.

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    TFA settings

  5. Click Change TFA Application to use a different TFA application with your magento.com account.

  6. Reenter your Password and click Verify Password to continue.

    Verify password

  7. Open the two-factor authentication application you downloaded and installed on your personal device.

  8. Enter the Setup Code into your two-factor authentication application.

    You can either scan the QR code using the two-factor authentication application or manually enter the code into your two-factor authentication application. This code syncs your two-factor authentication application with your Commerce account and allows your two-factor authentication application to generate verification codes that the system accepts.

    NOTE

    Verification Codes constantly expire and are regenerated by your two-factor authentication application for security purposes, so always use the one that is currently displayed.

  9. With your TFA application now synced to your Commerce account, enter the Verification Code displayed in your TFA application and click Verify Code to continue.

    Setup TFA app

  10. Save the Recovery Codes presented in a safe and accessible place.

    If you cannot provide a Verification Code to log into your Commerce account, using a Recovery Code is the only way to regain access to your Commerce account.

    Each Recovery Code is one-time use only, so do not try to reuse a Recovery Code that you have already used (you can always generate more; see Generate new recovery codes). Recovery Codes are case-sensitive.

  11. Select the checkbox to confirm and click Submit to continue.

    Store recovery codes

  12. To help ensure that you can recover access to your account, enter a Recovery Email.

    This email address is needed if you cannot generate a Verification Code from your two-factor authentication application and you do not have access to an unused pre-generated Recovery Code.

    Once every 24 hours, you can generate and send a temporary Recovery Code to your designated Recovery email address that you can use to regain access to your account.

    IMPORTANT

    It is imperative that you maintain access to the email account of your Recovery Email; otherwise, you cannot access any temporary Recovery Codes sent to that account.

    Set recovery email

  13. Select the confirmation checkbox and click Submit to complete the two-factor authentication setup process.

    An email notification is sent to the Recovery Email that you designated to confirm that particular email address is on file as your Recovery Email for receiving a temporary Recovery Code.

Disable two-factor authentication

  1. Go to the Commerce account login.

  2. Enter your username and password combination, and then click Login to log into My Account.

  3. Complete the login process using one of the two-factor authentication methods described earlier.

  4. In the left navigation pane, click Account Settings and click Two-factor Authentication underneath.

    TFA settings

  5. Click Disable to begin the TFA deactivation process.

  6. Reenter your password and click Verify Password to continue.

    Verify password

  7. Select the confirmation checkbox and click Submit to complete the deactivation for two-factor authentication.

    The system sends an email confirmation indicating that TFA has been disabled on your Commerce account.

    Disable TFA
