Tutorial: How to Set up Magento 2 Two-Factor Authentication
Use Magento 2 Two-Factor Authentication to secure your admin accounts
Online shopping is all the rage today. The competition between e-merchants is becoming increasingly stronger, as both entrenched players and newcomers want to grab a bigger slice of the pie.
Business information, customer-related data, payment details and other sensitive information owned by online businesses turn them into a target for cybercriminals. In the US alone, the average cost of a data breach is more than USD 7 million.
To keep e-stores away from unwanted intruders, business owners explore different avenues towards safeguarding the stores’ backend against data breaches, brute force attacks, phishing scams and other malicious activities.
Two-factor authentication is a sure-fire solution for online stores since it adds an extra layer of defense to admin panels. It means that the store’s backend stays protected even if an admin user’s password is stolen by hackers or is not strong enough.
How does it work? Two-factor authentication introduces a second verification step to ensure that only the authorized person can log into the admin account. Our team understands how crucial security is for Magento-driven stores. That’s why we developed Two-Factor Authentication, a Magento 2 extension that enables two-factor authentication for users of this ecommerce platform. Our module leverages one-time passwords as the second user verification step.
Read on to learn how to set up and use this module.
Setting Up Two-Factor Authentication in Magento 2
Log in to the admin panel and enable the extension in your Magento 2 installation. Admin users will see a new field in the login form.
Please note that every admin user has individual Two-Factor Authentication settings, so you can choose which admins will use two-factor authentication. If the additional verification method is disabled in a user’s settings, that user enters only their login credentials and leaves the new field empty to access the admin panel.
Configuring Settings per User
Tap ‘System’ and navigate to Permissions > All Users to see the list of admin users. In the Users grid, click the user you want to configure to open the account settings.
Our module adds two new sections to the ‘User Information’ panel.
Tap ‘TFA Settings’ to manage user-related Magento 2 Two-Factor Authentication settings.
There are two authentication methods available. You can enable just one of them or activate both. Please note that the user can use only one of them each time they log into the store’s backend.
Set this method to ‘Enable’, and the user will receive one-time passwords by email. The module sends access codes to the email address specified in the admin user’s settings.
The user has to install a native mobile authenticator app to generate one-time passwords. To activate it, the admin syncs the app with the account by entering the Secret Key or scanning the barcode. Once the synchronization is complete, the app generates a password, so the user can test that it works.
Leave the ‘Server Time Correction’ field unchanged unless you have manually changed the time (not the time zone) on your mobile phone or tablet. If the device clock has been adjusted, the one-time passwords it generates will not match the server’s because of the time difference between your device and the server.
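The app-based method and the time-correction note above describe time-based one-time passwords (TOTP). The following is an added example, not code from the Aitoc module, showing how a server checks an app-generated code and why a device whose clock has been shifted fails until an offset is applied. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second steps, 6 digits), a base32-encoded Secret Key, and models ‘Server Time Correction’ as a signed offset in seconds; the page does not state the module’s actual parameters.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 defaults; assumed here, the page does not state the module's parameters.
STEP_SECONDS = 30
DIGITS = 6


def decode_secret_key(key_text: str) -> bytes:
    """Decode the base32 'Secret Key' shown at setup (spaces and case ignored)."""
    cleaned = key_text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding stripped for display
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-SHA1 one-time password for a 64-bit counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Code the authenticator app shows at a given device time."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, candidate: str, server_time: int,
                time_correction: int = 0, window: int = 1,
                step: int = STEP_SECONDS) -> bool:
    """Server-side check. `time_correction` plays the role of the page's
    'Server Time Correction' field (assumed: seconds added to the server clock).
    `window` accepts codes from +/- that many steps to absorb small clock drift."""
    counter = (server_time + time_correction) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + k), candidate)  # constant-time compare
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed demo: RFC 4226/6238 test secret, server clock at t=59.
    secret = decode_secret_key(base64.b32encode(b"12345678901234567890").decode())
    now = 59
    print("in-sync device:", verify_totp(secret, totp(secret, now), now))  # True
    skewed = totp(secret, now + 120)  # device clock set 2 minutes ahead
    print("skewed, no correction:", verify_totp(secret, skewed, now))  # False
    print("skewed, corrected:", verify_totp(secret, skewed, now, time_correction=120))  # True
```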
Whitelisting Trusted IPs
To intensify your security efforts, you can limit access to the admin account to specific IP addresses. Just go to the ‘IP Restriction’ section and add the trusted IPs to the list. Don’t forget to separate them with a space.
To make the account available from any location again, empty the ‘Whitelisted IPs’ field and save the changes.
Remember to click the ‘Save User’ button to activate Two-Factor Authentication for the admin user. That’s it!
Magento-driven businesses cannot skimp on the security of their stores. Two-factor authentication is a proven way of protecting valuable data against cyber theft. Take advantage of Aitoc’s new module to extend your store’s security beyond the ordinary password.