Configuring TFA on the Magento 2.4.0 Admin Panel with Google Authenticator

In this article
- Short theory about Magento’s Two-Factor Authentication.
- A quick view of the CLI command to install Magento 2.4.0 for tl;dr folks.
- Set up Google Authenticator for Magento TFA (aka 2FA).
- Create Magento Admin user with Google Authenticator selected for TFA.
- Install the Google Authenticator app (iOS | Android) on mobile and configure it for your local Magento access.
- Log in to the Admin panel with TFA cleared like a boss (even if you don’t have email configured).
Two-factor authentication is now a well-proven standard for added security in the login process, and it makes perfect sense that Magento 2.4.0 has two-factor authentication enabled on admin panel logins by default. Configuring it is easier than you’d have thought.
We can install any two-factor authentication provider in Magento using the standard composer require and module enable process. By default, Magento Commerce 2.4 ships with these providers:
$ bin/magento security:tfa:providers
google: Google Authenticator
duo_security: Duo Security
authy: Authy
u2fkey: U2F (Yubikey and others)
It’s up to the provider to decide how the OTP will be generated and verified. Once a provider is configured and linked with Magento, the OTP is generated by the provider’s tool, which is disconnected from the Magento system. The Admin user then enters the OTP manually on the Magento login screen, and Magento hands the entered digits over to the provider’s Magento module for verification. An OTP can be received via SMS, Email, SNS/SQS, FCM, but the most direct way is to use a generator/verifier app, which makes the entire auth process independent of the aforementioned carrier technologies.
In this article, we will learn how to configure and enable TFA on Magento 2.4 exactly on this principle — you just need an Android or iOS device.
Basic installation
If you are trying your hand at the freshly brewed, hot and ready to serve Magento 2.4.0, the first thing you’ll notice is that there’s no Web Setup Wizard like there was in previous versions. You have to do the installation over the CLI. So, let me help you right away with a TL;DR ‘ready to fire’ install command (I assume you already have Magento 2.4.0 downloaded and trust you will be able to change the argument values below as per your env):
magento setup:install --base-url="https://local.magento/" --db-host=localhost --db-name="magento" --db-user="dbuser" --db-password="dbpassword" --admin-firstname="Magento" --admin-lastname="Admin" --admin-email="magento@adobe.com" --admin-user="admin" --admin-password="xxyyzzaabbcc" --language="en_US" --currency="USD" --timezone="Asia/Kolkata" --use-rewrites=0 --backend-frontname="admin" --cleanup-database
Now that we have Magento v2.4 installed and can access the storefront and backend, we are going to log in to the Magento backend. This will ask for user and password, no big deal, but after we log in successfully, we don’t see the dashboard this time. Instead, we see a new Magento screen:

If you have a mail server configured
If you have a mail server configured, you will receive an email from your newly installed Magento 2.4 with a link to configure your authenticator first. The first time, you get an option to select between Google, Authy or any other enabled provider; for ease of use, just choose Google Authenticator. You will get a QR code image generated by Magento admin on the same screen. Just scan the QR code with the Google Authenticator app (iOS | Android) and voila! You are good to go.
BUT what do you do if you don’t have a mail server like postfix or something similar configured on your Magento system? Then there is no clear way to get the authenticator link (unless you have postfix or a similar server running and you know how to extract mail logs and read the content of unsent stuck mail; then you might need to Base64 decode it and do some string editing to get the URL link).
No mail server? No problem!
At the Magento Two-Factor configuration screen, just take a deep breath and mumble “I’ll be back,” and calmly log out.
And then here is what you can do —
Set Google as Two-factor auth provider in Database:
Log in to the MySQL console and first check if there is a security provider already set in the core configs:
select * from core_config_data where path like '%provider%';
If the above response is Empty set (0.03 sec), then go ahead and insert a config that tells Magento to use Google as the TFA provider:
insert into core_config_data(scope,scope_id,path,`value`) values ('default',0,'twofactorauth/general/force_providers','google');
If you already have a provider set which is not google, then you can run an update command to set google as the provider:
update core_config_data set `value`='google' where path= 'twofactorauth/general/force_providers';
Then we need a Base32 encoder (required just once per user). You can use your own algorithm or pick any good one you find through an online search (like this), or you can use an online encoder; I used this online tool.
Then choose a super secret awesome passkey of at least 10 characters, and Base32-encode it using your algorithm or the online converter:

Now that you have a Base32-encoded string, open the Magento CLI again and run this command: bin/magento security:tfa:google:set-secret <user> <secret>
For example:
$ bin/magento security:tfa:google:set-secret admin NV4XGZLDOJSXI4DBONZXO33SMQ======
If you see the message Google OTP secret has been set, you have successfully configured Google Authenticator for two-factor authentication on your Admin panel login.
The next step is to reindex and clean the cache:
$ bin/magento in:rei
$ bin/magento c:c
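The Base32 step above can be done locally instead of in an online encoder. This Python sketch is an added example, not code from the original article or from Magento: it encodes a chosen passkey or generates a random secret, and computes the TOTP code the app should display for it. It assumes the standard TOTP parameters (RFC 6238, HMAC-SHA1, 30-second step, 6 digits), and the function names are illustrative.

```python
# Added example: create the Base32 TOTP secret locally and predict the app's code.
import base64
import hashlib
import hmac
import secrets
import struct
import time


def encode_passkey(passkey: str) -> str:
    """Base32-encode a chosen passkey locally (the job of the online encoder)."""
    return base64.b32encode(passkey.encode("utf-8")).decode("ascii")


def generate_secret(num_bytes: int = 20) -> str:
    """Random secret from the OS CSPRNG; 20 bytes gives 32 chars, no padding."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed parameters: 30 s step, 6 digits)."""
    # Accept keys typed with spaces, lower case, or without '=' padding.
    cleaned = secret_b32.replace(" ", "").rstrip("=").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    # The moving factor is the number of whole time steps since the Unix epoch.
    counter = int(time.time() if at is None else at) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    secret = generate_secret()
    print("secret for set-secret and the app:", secret)
    print("code the app should show now:     ", totp(secret))
```

A randomly generated secret carries more entropy than a hand-picked passkey, and producing it locally keeps it off third-party websites. If the code printed here differs from the one in the app, check the clock on both devices before suspecting the secret.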
Now we just need to configure the mobile app.
Download the mobile app
Download the Google Authenticator (iOS | Android) app on your mobile.
Open the app and select this option: Enter a setup key

This will ask you 3 things:
- Account Name: Give any sensible name
- Your Key: Paste the Base32-encoded passkey here
- Type of key: Choose Time based here
And that’s it. You now have a TOTP generator in the Google Authenticator app linked to your local Magento instance. This time, when you attempt to log in, you will not see the above screen; instead, you will see:

Congratulations — you now have Magento 2.4 working with TFA using Google Authenticator!
Go conquer the world!
See Also
- https://magento.com/Magento-Commerce-2.4-Accelerate-Your-Business
- https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&hl=en&oco=0
- https://devdocs.magento.com/guides/v2.4/install-gde/bk-install-guide.html
- https://devdocs.magento.com/guides/v2.4/security/two-factor-authentication.html
- https://magento.com/blog/magento-news/implementing-two-factor-authentication-magento