Two-factor authentication (2FA)
The Commerce Admin for your Adobe Commerce or Magento Open Source installation provides access to your store, orders, and customer data. To prevent unauthorized access to your data, all users who attempt to sign in to the Admin must complete an authentication process to verify their identity.
Two-factor authentication is widely used, and it is common to generate access codes for different websites on the same app. This additional authentication ensures that only you are able to log in to your user account. If you lose your password or a bot guesses it, two-factor authentication adds a layer of protection. For example, you might use Google Authenticator to generate codes for the Admin of your store, your Commerce account, and Google account.
Adobe Commerce supports 2FA methods from multiple providers. Some require the installation of an app that generates a one-time password (OTP) that users enter at sign-in to verify their identity. Universal second factor (U2F) devices resemble a key fob and generate a unique key to verify identity. Other devices verify identity when they are inserted into a USB port. As the store administrator, you can require one or more of the available 2FA methods to verify user identity. Your 2FA configuration applies to all websites and stores that are associated with the Adobe Commerce installation.
The first time a user signs in to the Admin, they must set up each 2FA method that you require, and verify their identity using the associated app or device. After this initial setup, the user must authenticate with one of the configured methods each time they sign in. Each user’s 2FA information is recorded in their Admin account and can be reset if necessary. To learn more about the sign-in process, go to Admin Sign In.
You can watch this video demo for an overview of two-factor authentication in the Admin.
Configure your required 2FA providers
- On the Admin sidebar, go to Stores > Settings > Configuration.
- In the left panel, expand Security and choose 2FA.
- In the General section, select the providers to use.
| Provider | Function |
| --- | --- |
| Google Authenticator | Generates a one-time password in the application for user authentication. |
| Duo Security | Provides SMS and push notification. |
| Authy | Generates a time-dependent six-digit code and delivers SMS or Voice Call 2FA protection or token. |
| U2F Devices (Yubikey and others) | Uses a physical device to authenticate, such as YubiKey. |

To select multiple methods, hold down the Ctrl key (PC) or the Command key (Mac) and click each item.
- Complete the settings for each required 2FA method.
- When complete, click Save Config.
The first time users sign in to the Admin, they must set up each required 2FA method. After this initial setup, they must authenticate with one of the configured methods each time they sign in.
2FA Provider Settings
Complete the settings for each 2FA method that you require.
Google Authenticator
To change how long the one-time password (OTP) is available during sign-in, clear the Use system value checkbox. Then, enter the number of seconds that you want the OTP Window to be valid.
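The following is an added example, not code from Adobe Commerce or the Magento Open Source 2FA module, showing what the OTP Window setting controls when a Google Authenticator code is checked. It assumes the RFC 6238 TOTP defaults that Google Authenticator uses (30-second time step, 6 digits, HMAC-SHA1) and models the window as a count of past and future codes, as described for version 2.4.6 in the note that follows; the secret is the RFC 4226 test key, and the function and parameter names are this example's own.

```python
import hashlib
import hmac
import struct

# Assumed TOTP parameters (RFC 6238 defaults, which Google Authenticator uses).
# These are assumptions for this example, not values read from the Commerce config.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** DIGITS):0{DIGITS}d}"


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP code for the time step that contains at_time."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, code: str, at_time: int,
                otp_window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the code if it matches the current time step or any of the
    otp_window steps before or after it. With otp_window=1 the current code,
    the previous code and the next code are all valid at the same moment."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    current = int(at_time) // step
    accepted = False
    # Check every candidate step instead of returning early, so the time taken
    # does not reveal which step matched.
    for delta in range(-otp_window, otp_window + 1):
        if hmac.compare_digest(hotp(secret, current + delta), code):
            accepted = True
    return accepted


def acceptance_span_seconds(otp_window: int, step: int = STEP_SECONDS) -> int:
    """How long, in seconds, any single code stays acceptable under a given
    window: the current step plus otp_window steps on each side of it."""
    return (2 * otp_window + 1) * step


if __name__ == "__main__":
    # Constructed input: the RFC 4226 test secret, so the codes are reproducible.
    secret = b"12345678901234567890"
    now = 59                      # second 59 lies in time step 1
    code_from_previous_step = totp(secret, 0)   # generated in time step 0
    print("current code:", totp(secret, now))
    print("previous-step code, window 0:", verify_totp(secret, code_from_previous_step, now, 0))
    print("previous-step code, window 1:", verify_totp(secret, code_from_previous_step, now, 1))
    print("seconds a code is accepted with window 1:", acceptance_span_seconds(1))
```

Widening the window keeps users with a slightly drifted phone clock from being locked out, but each extra step in either direction also lengthens the time an intercepted code can be replayed; the acceptance_span_seconds helper makes that trade-off visible before you change the value in the Admin.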
The default system value is `29`. In version 2.4.6, the OTP window setting determines the number of past and future OTP codes that remain valid. A value of `1` indicates that the current OTP code plus one code in the past and one code in the future remain valid at any given point in time.
Duo Security
Enter the following credentials from your Duo Security account:
- Integration key
- Secret key
- API hostname
Authy
- Enter the API key from your Authy account.
- To change the default message that appears during authentication, clear the Use system value checkbox. Then, enter the OneTouch Message that you want to appear.
U2F Devices (Yubikey and others)
The store domain is used by default during the authentication process. To use a custom domain for authentication challenges, clear the Use system value checkbox. Then, enter the WebAPi Challenge Domain.