Security Scan Tool returns “Can’t determine if your server uses 2FA”
Check whether the Magento_TwoFactorAuth module has been disabled. To pass the check, in general, it should be enabled.
Description
Environment
Adobe Commerce, all versions and all implementations (including Magento Open Source)
Issue
The Security Scan Tool reports: “Can’t determine if your server uses 2FA”.
Resolution
While checking for frontend 2FA, the Security Scan Tool expects one of the endpoints below to respond with an HTTP 200, 401, or 403 response code:
'rest/default/V1/tfa/provider/authy/activate',
'rest/default/V1/tfa/provider/duo_security/activate',
'rest/default/V1/tfa/provider/google/activate',
'rest/default/V1/tfa/provider/u2fkey/activate',
'rest/default/V1/tfa/forced-providers',
'rest/default/V1/msp-2fa/installed-providers',
'rest/default/V1/msp-2fa/forced-providers',
'rest/V1/tfa/provider/authy/activate',
'rest/V1/tfa/provider/duo_security/activate',
'rest/V1/tfa/provider/google/activate',
'rest/V1/tfa/provider/u2fkey/activate',
'rest/V1/tfa/forced-providers',
'rest/V1/msp-2fa/installed-providers',
'rest/V1/msp-2fa/forced-providers',
'rest/all/schema?services=twoFactorAuthAdminTokenServiceV1'
In general, Magento_TwoFactorAuth should be enabled, but:
- Some third-party modules enable 2FA functionality and introduce other endpoints that may not be in the list above. The solution here is to contact Adobe Support and let us know about the new URIs (Uniform Resource Identifiers).
- Some WAFs (Web Application Firewalls) can block requests to these endpoints, so check that your WAF isn’t blocking our IP addresses.
If you have a third-party 2FA module enabled, please contact the Security Scan Tool Team (securityscan@magento.com).
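To see what the scan would see, you can request the same paths on your own store and look for a 200, 401, or 403. This is an added example, not Adobe's code: it assumes GET requests (the page does not state which method the scan uses), and `check_2fa_endpoints` and `http_status` are names made up here.

```python
import urllib.error
import urllib.request

ACCEPTED = {200, 401, 403}  # response codes the page says the scan accepts

_SUFFIXES = [
    "tfa/provider/authy/activate",
    "tfa/provider/duo_security/activate",
    "tfa/provider/google/activate",
    "tfa/provider/u2fkey/activate",
    "tfa/forced-providers",
    "msp-2fa/installed-providers",
    "msp-2fa/forced-providers",
]
# Rebuilds the 15 paths listed above: both REST prefixes plus the schema URL.
ENDPOINTS = [p + s for p in ("rest/default/V1/", "rest/V1/") for s in _SUFFIXES]
ENDPOINTS.append("rest/all/schema?services=twoFactorAuthAdminTokenServiceV1")


def http_status(url, timeout=10):
    """Return the HTTP status of a GET (assumed method), or None if no HTTP reply."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code   # 401/403/404 and other error codes arrive as HTTPError
    except (urllib.error.URLError, OSError):
        return None       # DNS failure, connection reset, timeout, TLS error


def check_2fa_endpoints(base_url, get_status=http_status):
    """Probe every listed path; the check passes if any returns an accepted code."""
    base = base_url.rstrip("/") + "/"
    results = {path: get_status(base + path) for path in ENDPOINTS}
    passing = [p for p, code in results.items() if code in ACCEPTED]
    return {"passes": bool(passing), "passing": passing, "results": results}


if __name__ == "__main__":
    import sys
    # Pass your own store's base URL, e.g. https://store.example (placeholder).
    report = check_2fa_endpoints(sys.argv[1])
    for path, code in report["results"].items():
        print(f"{code if code is not None else 'no response':>12}  {path}")
    print("2FA endpoint check:", "PASS" if report["passes"] else "FAIL")
```

If this passes from your own network while the scan still fails, look at the WAF case above, since your requests and the scan's come from different IP addresses.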
Cause
The Magento_TwoFactorAuth module (or a different 2FA module) has been disabled, and the endpoints associated with the module can’t be reached by the Security Scan Tool.
Related Reading
Adobe Commerce Security Scan tool troubleshooting guide in the Adobe Commerce knowledge base