One of the critical security issues that have followed Magento Open Source 2.2 all the way back from Magento Community 1 is the potential for brute force attacks on the Admin login page. There are a few tricks you can use to avoid this attack (as I mentioned in my 25 Ultimate Security Checks video I released last year). However, Two-Factor Authentication was never possible unless you went to a 3rd party developer.
But as of last week, Magento officially announced the support of Two-Factor Authentication in collaboration with one of their partners. At this time, Two-Factor Authentication can be installed only from the command line. However, in this video I’ll show you how to do just that.
As I mentioned a moment ago, Two-Factor Authentication can be installed only from the command line using Composer. This means it’s likely that you won’t be able to follow these instructions if you’re using Shared Hosting. But hopefully, we’ll see this module included in a future Magento update.
Anyway, let’s get started…
What is 2FA?
Two-Factor Authentication is an extra layer of security. First, a user will enter their username and a password. Then, instead of immediately gaining access, they will be required to provide another piece of information. With an App like Google Authenticator, it generates a random number associated with your linked account that is only valid for 60 seconds.
So if someone happens to crack both your username and your passphrase, they will still need immediate access to your phone in order to gain access to your account. Of course that also means that if you misplace your phone, you’re not going to be able to log in either.
The new Magento feature supports a number of Authenticator Apps.This includes Google Authenticator, Authy, U2F Keys and Duo Security. Throughout the remainder of this video, I will only be referring to Google Authenticator as I’ve been using this for many years, plus I have no experience with the other 3 Apps. And just for reference, Google Authenticator is Free and can be found on both the Google and Apple stores.
So to get started with the Command Line Interface, I’ll need to login to my web server via SSH. If you’re not sure on how to do that, then look out for a mini-series that I’ll be releasing soon, which will cover the basics of using a Command Line Interface. Alternatively, you can refer to your web hosts documentation.
Once connected, I need to navigate to my Magento root directory. The root directory of Magento will vary depending on your host or how you installed it. But you’ll know when you’re there, because using the command ‘ ls -la ’ will list a bunch of files in that directory that should closely resemble this. It’s also wise to note that before you execute any further commands, just make sure to switch to the user who has permissions to modify files if you’re not using shared hosting.
The first thing I want to show you, is how to backup your database using the Command Line Interface. I’d always recommend backing up your store before installing any new modules. This can be achieved using the Web Setup Wizard, but as I’m already logged in via SSH then I may as well do it here.
It’s a super simple command, and you do this by typing:
bin/magento setup:backup --db
and hitting enter. After a few moments, you’ll see a message to confirm the backup was completed successfully.
Now I can move onto installing the 2FA module. To do this, I just need to type the following command:
composer require msp/twofactorauth:3.0.0
and hitting enter
You may see a bunch of modules being installed, which may take a few moments and then you’ll be ready for the next step.
Warning: I missed this step in the video
To enable the F2A module, type:
bin/magento module:enable MSP_TwoFactorAuth
and hit enter. A moment later, you will see a confirmation message that this new module is now enabled.
Finally, I just need to complete the installation by typing:
and hitting enter.
You’ll see a string of text go by like this. And that completes all the necessary steps in the Command Line Interface.
For this next step, I just need to jump into the backend of Magento. Then go in into Stores > Configuration > Security > 2FA .
From here, I can Enable Two Factor Authentication by selecting Yes from the dropdown.
The Force Providers option forces every Admin User to require 2FA in order to login. However, leaving the default System Value (which highlights none of them) is possibly my preferred option. This allows me the flexibility to only enforce 2FA for selected users such as Admin or Manager accounts with high levels of access. This means users with lower-level access to Magento (such as Sales or Warehouse teams) won’t be forced to use it.
Otherwise, if you uncheck Use System Value and highlight a provider, then every single Admin user will be forced to setup and use 2FA.
Underneath that option, I can enable Google Authenticator. Setting Enable “trust this device” option to Yes means that the user does not have to enter their authenticator code for a number of days as long as they’re logging in from the same device.
After saving these settings, you may be prompted to clear the cache. So I’ll do that now.
Install the Mobile App
The next thing we need to do, is get a copy of Google Authenticator from the Google or Apple store and install it onto our mobile phone. The application is pretty intuitive, so I won’t be covering those steps here.
With the App now installed, we can come back to it in a few moments.
Enforcing Individual Users
This next step is only required if you’ve decided to enforce 2FA for selected users only. Again this is done by ensuring that Use System Value is checked next to the Force Providers setting.
To enable a user, go to System > Settings > All Users . From the list of users, select the person that you’d like to enable 2FA for. For this demonstration, I’ll select myself. On the left, you will see a new option named 2FA. Clicking on this menu item displays 3 sections.
The first section is used to force available 2FAs for the user. The second resets 2FA for the user. And the third displays a list of trusted devices that have been authenticated with a successful 2FA login.
So I’ll go ahead and check the box for Google Authenticator. Before I can save, I just need to click back on User Info and scroll to the bottom so I can enter my admin password and authorise the change. And then hit the Save User button.
Note, that because I’m updating myself as a user I’ll get kicked out and have to relog into the backend.
However, this time I’m prompted to setup and enter my Google Authenticator code. Scanning the QR Code with the App will only be required once to setup an entry in your phone. And then I’m able to simply enter the 6-digit number displayed in the App to enable a successful login.
Summary of the Two-Factor Authentication setup
So, I hope that you found this video of some use. If you did, please hit that like button to show your support. And subscribe if you haven’t already for more weekly Magento videos.
Until next time, take care.