Two-factor authentication (2FA)

The Commerce Admin for your Adobe Commerce or Magento Open Source installation provides access to your store, orders, and customer data. To prevent unauthorized access to your data, all users who attempt to sign in to the Admin must complete an authentication process to verify their identity.

This implementation of two-factor authentication (2FA) applies to the Admin only, and is not available for customer accounts. The two-factor authentication that protects your Commerce account has a separate setup. To learn more, go to Secure your Commerce account.

Two-factor authentication is widely used, and it is common to generate access codes for different websites on the same app. This additional authentication ensures that only you are able to log in to your user account. If you lose your password or a bot guesses it, two-factor authentication adds a layer of protection. For example, you might use Google Authenticator to generate codes for the Admin of your store, your Commerce account, and Google account.

Security configuration iphone - 2FA

Adobe Commerce supports 2FA methods from multiple providers. Some require the installation of an app that generates a one-time password (OTP) that users enter at sign-in to verify their identity. Universal second factor (U2F) devices resemble a key fob and generate a unique key to verify identity. Other devices verify identity when they are inserted into a USB port. As the store administrator, you can require one or more of the available 2FA methods to verify user identity. Your 2FA configuration applies to all websites and stores that are associated with the Adobe Commerce installation.

The first time a user signs in to the Admin, they must set up each 2FA method that you require, and verify their identity using the associated app or device. After this initial setup, the user must authenticate with one of the configured methods each time they sign in. Each user’s 2FA information is recorded in their Admin account and can be reset if necessary. To learn more about the sign-in process, go to Admin Sign In.

Stores that have enabled Adobe Identity Management Services (IMS) authentication have native Adobe Commerce and Magento Open Source 2FA disabled. Admin users who are logged into their Commerce instance with their Adobe credentials do not need to reauthenticate for many Admin tasks. Authentication is handled by Adobe IMS when the Admin user logs into their current session. See Adobe Identity Management Service (IMS) Integration Overview.

You can watch this video demo for an overview of two-factor authentication in the Admin.

Configure your required 2FA providers

  1. On the Admin sidebar, go to Stores > Settings > Configuration.

  2. In the left panel, expand Security and choose 2FA.

  3. In the General section, select the providers to use.

    table 0-row-2 1-row-2 2-row-2 3-row-2 4-row-2
    Provider Function
    Google Authenticator Generates a one-time password in the application for user authentication.
    Duo Security Provides SMS and push notification.
    Authy Generates a time-dependent six-digit code and delivers SMS or Voice Call 2FA protection or token.
    U2F Devices (Yubikey and others) Uses a physical device to authenticate, such as YubiKey.

    To select multiple methods, hold down the Ctrl key (PC) or the Command key (Mac) and click each item.

  4. Complete the settings for each required 2FA method.

    Security configuration - 2FA {width="600" modal="regular"}

  5. When complete, click Save Config.

    The first time users sign in to the Admin, they must set up each required 2FA method. After this initial setup, they must authenticate with one of the configured methods each time they sign in.

2FA Provider Settings

Complete the settings for each 2FA method that you require.


To change how long the one-time password (OTP) is available during sign-in, clear the Use system value checkbox. Then, enter the number of seconds that you want the OTP Window to be valid.

Security configuration - Google

In Adobe Commerce 2.4.7 and later, the OTP window configuration setting controls how long (in seconds) the system accepts an administrator’s one-time-password (OTP) after it has expired. This value must be less than 30 seconds. The system default setting is 29.

In version 2.4.6, the OTP window setting determines the number of past and future OTP codes that remain valid. A value of 1 indicates that the current OTP code plus one code in the past and one code in the future remain valid at any given point in time.

Duo Security

Enter the following credentials from your Duo Security account:

  • Integration key
  • Secret key
  • API hostname

Security configuration - Duo


  1. Enter the API key from your Authy account.

  2. To change the default message that appears during authentication, clear the Use system value checkbox. Then, enter the OneTouch Message that you want to appear.

    Security configuration - Authy {width="600" modal="regular"}

U2F Devices (Yubikey and others)

The store domain is used by default during the authentication process. To use a custom domain for authentication challenges, clear the Use system value checkbox. Then, enter the WebAPi Challenge Domain.

Security configuration - U2F Devices