Two-Factor Authentication: What It Gives and How to Use It in Magento 2

Considering how effectively attackers can get hold of secret access credentials, it's no big surprise that corporate information leaks have become an ordinary thing. However, a business can easily make such leaks much harder by using an additional level of verification, called the second factor. It is by far the ideal answer for shielding sensitive data placed on the internet and protecting it from the dangers of leakage.

Two-Factor Authentication (2FA) provides expanded data protection by adding an extra layer whenever access to an account is required. This additional step is an extra login validation on top of the common access credentials, such as a username and password. With 2FA, gaining access to an account and Magento extensions requires a device that you always keep near you.

Enabling this extra access strategy makes it almost impossible for malicious actors to enter the corporate system. Hackers cannot get into the system with only a secret phrase and login data.

Setting up an additional access verification factor

The admin panel in Magento can be protected with 2FA tools to verify the identity of the user. In order to enable such authorization for the admin panel, it should be configured properly.

Several methods can be used to ensure secure authorization for the admin page, and you can use any one of them. Google Authenticator is one of the most popular apps for this task. Alternatively, you can use Duo Security or Authy. Another popular option for the second factor is a U2F device (a hardware security key).

The Google Authenticator app is supported in Magento 2 by default. Let's consider the process of its installation and configuration.

2FA installation

Magento provides 2FA support out of the box regardless of its edition: Open Source or Adobe Commerce. The 2FA module is part of the Core Bundled Extension (CBE) package.

2FA configuration

If the admin wants to start using 2FA in a store, the 2FA module must be configured. In the web browser, open the admin page and sign in with the credentials you use for routine access.

The store access security system will show a new window containing the QR code of the configuration.

  • Take your smartphone or tablet with the Google Authenticator application installed.

  • Add a new verification account by tapping the plus sign (+).

  • Point your mobile device's camera at the QR code and wait for the scan to complete.

  • A new entry will be added to Google Authenticator. You will receive a 6-digit verification code, which must be entered into the 2FA window displayed by Magento 2.

  • Press Confirm to complete configuring the 2FA.

2FA configuration example

The following example shows how to pair the Admin account with a 2FA application. In this case, we're talking about Google Authenticator.

As soon as the QR code appears on the screen, use one of the following methods to capture the code on the device intended for use with 2FA and pair the Authenticator with the login credentials used for admin access:

  • Capture the QR code with your mobile device camera. On the mobile device, open the Google Authenticator application and tap the plus sign (+) in the top right corner to start adding a new account. Then tap the Scan Barcode button at the bottom of the screen to capture the image of the QR code.

  • Capture the QR code with your web browser. If Google Authenticator is installed as an extension in the web browser you are currently using, click the Authenticator icon and capture the code.

  • Enter the code manually using the verification string. Locate the line of text below the QR code. Launch Google Authenticator on your mobile device or in your web browser. Tap the add sign (+), then select the option to enter the code manually. Enter your Admin account email address in the Account field. Fill the Key field with the verification string shown below the QR code.

Complete the admin account connection to the Authenticator app by entering the 6-digit verification code generated by Google Authenticator. Insert it into the Authenticator code field, then click Confirm.

Disable or enable 2FA

To temporarily disable 2FA in the store, simply disable the 2FA module. Run the following command in a terminal from the store's root folder: php bin/magento module:disable Magento_TwoFactorAuth.

To activate the disabled 2FA module, use the command php bin/magento module:enable Magento_TwoFactorAuth.


In the time of fast innovation and evolution of digital technology, it is very important to ensure that your online information is protected from hacking and theft. As security becomes increasingly important, reCAPTCHA can be used to protect your store, its input forms and login pages from bots.