Magento 2 (Adobe Commerce) is widely used for ecommerce websites, which is exactly why admin accounts are a common target for attacks. With two-factor authentication (2FA) you add an extra layer of security to the Magento Admin, significantly reducing the risk of unauthorized access. In this article, we explain how to use Google Authenticator within Magento 2.
Why two-factor authentication in Magento is essential
Magento administrators have access to customer data, orders, and store configurations. A leaked password can have serious consequences. With two-factor authentication in Magento 2, a password alone is no longer sufficient to log in. In addition to your login credentials, a temporary code from your smartphone is required. This significantly reduces the risk of unauthorized access.
Step 1: Configure required 2FA providers in Magento 2
Before two-factor authentication can be used, you need to configure which 2FA methods are allowed for Admin users in Magento 2. Follow the steps below in the Magento Admin:
In the Magento Admin go to Stores > Settings > Configuration.

Expand Security in the left-hand menu and select 2FA.

In the General section, under Providers to use, select which two-factor authentication providers may be available for Admin users. You can select one or multiple options at the same time:
| Provider | Description |
| --- | --- |
| Google Authenticator | Generates a temporary verification code via an authenticator app |
| Duo Security | Verification via push notification or SMS |
| Authy | Time-based codes with support for SMS or push notifications |
| U2F Devices (YubiKey and others) | Authentication via a physical security device |
Hold Ctrl (Windows) or Command (Mac) to select multiple providers.
In addition, you can configure the following here: the number of attempts a user has to complete 2FA and the lockout time when this limit is exceeded. Complete the configuration by clicking Save Config.
After this step, Magento is ready to enforce two-factor authentication. Users will then configure one of the selected methods, such as Google Authenticator, during their first login.
Set up Google Authenticator in the Magento Admin
Step 2: Link the authenticator app
Log in to the Magento Admin with your account credentials. When logging in for the first time, a screen will appear to set up Google Authenticator, including a QR code.
Open the Google Authenticator app on your smartphone and add a new account via the plus icon. Scan the QR code displayed in Magento. The app will now generate a six-digit code.
Enter this code in the Magento Authenticator field and click Confirm to complete the setup.
Log in with two-factor authentication in Magento 2
Step 3: Secure login
For future logins, first enter your Magento username and password. Magento will then request the temporary verification code from Google Authenticator.
If you want to remember this device, you can select the option to Trust this device. Confirm the login and you will gain access to the Admin environment.
Practical tips for Magento administrators
- Make sure multiple administrators use 2FA.
- Store backup codes securely.
- Combine 2FA with strong password policies.