README

Magento 2 Two-Factor Authentication from Mageplaza is built to ensure the highest security for your Magento 2 stores. The extension can force using 2FA or auto skip 2FA request for trusted devices. Mobile compatibility is also supported in this module.

1. Documentation

2. FAQ

Q: I got error: Mageplaza_Core has been already defined

A: Read solution here

Q: How many steps admin has to pass to access admin data?

A: There are two steps. The first is simple with username and password, the second is authentication code provided by the mobile authentication app

Q: Which apps can I use for 2FA?

A: We recommend you use Authy and Google Authentication for the best result.

Q: If I do not want to be required 2FA the next time, how can I do?

A: You can do by enabling the trusted device function and set the trusted time by days. Then, in the first login, click on Trust this device for x days. It can be done properly.

Q: I am a store owner. Our store has many admins. How can I set 2FA for specific accounts only?

A: Kindly follow this guide. Firstly, turn off Forcing to use 2FA function. Then the admin accounts which is not set as a trusted device and turn on 2FA will have to use 2FA.

Q: Can I know the list of trusted device and remove any accounts if any changes require?

A: Yes, you can easily see from admin backend and click on remove button to do any removing accounts.

3. How to install Two-Factor Authentication extension for Magento 2

Install via composer (recommend): Run the following command in Magento 2 root folder:

With Marketing Automation (recommend):

composer require mageplaza/module-two-factor-authentication
php bin/magento setup:upgrade
php bin/magento setup:static-content:deploy

Without Marketing Automation:

composer require mageplaza/module-two-factor-authentication
php bin/magento setup:upgrade
php bin/magento setup:static-content:deploy

For versions below Magento version 2.4.0, it requires to install the library of bacon-qr-code via composer by the following command

composer require bacon/bacon-qr-code

4. Highlight Features of Magento 2 Two Factor Authentication

Two steps to access

Forcing to use Two-factor authentication

Magento 2 Two Factor Authentication (2FA) supports backend store data to be better protected with two steps of verification. If forcing feature is enable, admins are required to set up two-factor authentication before they have the ability to access all data from backend panel.

Support from mobile authentication apps

To activate two-factor authentication, the support from mobile authentication apps is needed. Admins need to download apps such as Authy, Duo, Google Authentication. After registering authenticator accounts by scanning QR code or manually entering the provided key, the app will create a unique verification code which is used to confirm the admin account.

No requirement if being trusted

Activate trusted device function, set trusted time

To save time for trusted admin accounts after the first time login, Trusted device function is supported. After this feature is configured well, via a click to require trust for next login, the device will be listed to trusted list and not be required authentication code in a specific time.

Quick login without authentication code in the next login

As a result, after the first time confirming the account successfully, as long as within the trusted time, the second verification is not required for the next login times. With this feature, it is time-saving for key store admins whose accounts are believed to be reliable.

Trusted device list

It is easy to manage all trusted verified admin roles by the Trusted Device list. The information of logged users are recorded clearly with the following details:

Device Name
IP address
Address
Last login time

Besides, super admin or store owners can easily remove any admin accounts from the trusted device in case there is any account updates. Therefore, admin panel can be protected well from the ill-intentioned access.

5. More Features of Magento 2 2FA

Force Using 2FA

Enable/ Disable requiring users to register 2FA

Trusted Time

Set trusted time for user accounts by days

Mobile friendly

Be well responsive to mobiles, desktop, tablets, and other screen sizes.

6. Full Features List

General Configuration

Enable/ Disable the extension
Force admins to use 2FA
Enable/ Disable Trusted Device
Set trusted time by days

Admin account setting 2FA

Setting account information: User name, Email, password
Enable/ Disable 2FA for the account
Input confirmation code from the authentication app
Use a unique authentication code for each time login
Click on trust this device when login to save second authentication confirmation for a specific days
View Trusted Device list
Remove an admin account from the Trusted Device list

7. Magento 2 Two Factor Authentication User Guide

How to use Two Factor Authentication

When logging in the backend, admin users need to fill in the authentication factors

When turn on Trusted Device, authentication request page looks like this:

How to Configure Two Factor Authentication

7.1. Configuration

From Admin panel, go to Stores > Configuration > Mageplaza > Two factor Authentication

Enable: Select Yes to activate the module
Force Using 2FA:
- Choose Yes to force all admin users to register Two-Factor Authentication (2FA). If the account logged in has not yet installed 2FA in the account setting, it will be linked to the Account setting page for installation
- When 2FA is enable, all admin users who have not registered 2FA must go to My Account page to set it up. After that, they can access others admin pages
Enable Trusted Device:
- Select Yes to enable saving the trusted devices. In a certain period of time, when logging in with this device, admin users do not need to authenticate the two factors
- This certain period is configured at Trusted Time field
Trusted Time:
- During the time period set in this section, when logging in with this device, the admin users do not need to authenticate two factors.
- When changing Trust time, the previously saved devices also change the trust time accordingly
- Time is set by day
Whitelist(s):
- Only the IP addresses filled in this section can access the Dashboard page without 2FA (even if not in the Trust Device List)
- It is possible to allow 1 IP address, multiple IP addresses, 1 range of IP addresses or multiple IP address ranges to have access to admin. IP addresses are separated by commas
- The owner can also allow IP addresses to be accessible to admin pages without authenticating 2FA in the following form: 10.0.0.10, 10.0.0. *, 10.0. *. *, 10.0.0. * - 123.0.0. *, 12.3. *. * - 222.0. . * Symbol "" in range 0 - 255

7.2. My Account Admin

Admins need to go to Account Setting to set QR/Pin code

Register 2FA:

After enabling 2FA, admins need to use the Authy app or Google Authenticator on the phone to scan the QR code or enter the Key into the app to get the confirmation code.
After QR code is saved in the app, it automatically generates confirmation code. Admin needs to get that code and enter the it to register
After registering, from the next login, admins need to get the code from the app to verify so that they can access the dashboard
The confirmation code created by the app after being replaced 30s still works for verification
When Force using 2FA is enabled, the admin user cannot disable 2FA here

Check and remove Trusted Devices:

Log the browser on the machine with certain IPs that can be trusted and the last time the user logs in with this browser
When the enable trust device, in the trust time period, the devices saved here will not need to enter the confirmation code to log on.
Over time of trust time, device will be automatically removed from the list
User admin can also remove that period by clicking the Remove button

Get more Free extension on Github:

Explore Magento 2 modules on Marketplace:

mageplaza / module-two-factor-authentication

Maintainers

Details