Security > 2FA

NOTE
Stores that have enabled Adobe Identity Management Services (IMS) authentication have native Adobe Commerce and Magento Open Source two-factor authentication (2FA) disabled. Admin users who are logged into their Adobe Commerce instance with their Adobe credentials do not need to reauthenticate for many Admin tasks. Authentication is handled by Adobe IMS when the Admin user logs into their current session. See Integrating Adobe Commerce with Adobe IMS overview.

To access the store configuration settings, choose Stores > Settings > Configuration from the Admin sidebar.

For more information about changing these settings, see Two-factor authentication (2FA) in the Admin Systems Guide.

General

General

Field
Scope
Description
Providers to use
Global
Indicates the two-factor authentication methods that you require. If you select more than one provider, each user is required to configure each 2FA method the next time they log in.
Configuration Email URL for Web API
Global
For custom implementations, the URL for an alternate email configuration link that is sent to Admin users at first login. In the email template, use the placeholder :tfat to indicate where the token is injected.
Retry attempt limit for Two-Factor Authentication
Global
Determines how many times an administrator can enter a one-time password (OTP) before their account is temporarily disabled. Default: 10
Two-Factor Authentication lockout time (seconds)
Global
Determines how long (in seconds) that an administrator can wait to enter a one-time password (OTP) before their account is temporarily disabled. Default: 300

Google

Google

Field
Scope
Description
OTP Window
Global
Determines how long (in seconds) that the system accepts an administrator’s one-time-password (OTP) after it has expired. Cannot be higher than the lifetime of a single OTP (usually 30 seconds). Default: 29

Duo Security

Duo Security

Field
Scope
Description
Integration Key
Global
The integration key from your Duo Security account.
Secret Key
Global
The secret key from your Duo Security account.
API Hostname
Global
The API hostname from your Duo Security account.

Authy

Authy

Field
Scope
Description
API Key
Global
The API key from your Authy account.
OneTouch Message
Global
The message that appears in the Authy authenticator at login. Default: Login request to your Magento Admin

U2F Key

U2F Key

Field
Scope
Description
WebApi Challenge Domain
Global
The domain that is used to issue and process WebAuthn challenges for custom WebAPI implementations.
recommendation-more-help
d39aca6f-58a0-41c6-83eb-39fd0ef30672