What is Magento 2 Factor Authentication & How Does It Work?

A new way to authenticate all admin users in Magento has been developed by Human-Element and one of the leading Magento hosts – Nexcess. Who…
  • Joel Holtzman
  • Magento Development Lead
  • May 8, 2015 Estimated reading time: 3 minutes

What is Magento 2 Factor Authentication & How Does It Works?

A new way to authenticate all admin users in Magento has been developed by Human-Element and one of the leading Magento hosts – Nexcess. Who should use 2 Factor Authentication? Anyone serious about their Magento website security.(https://www.human-element.com/human-element-hosts-two-factor-authentication-webinar/)

First, let’s go over briefly what exactly 2 Factor Authentication is: 2 Factor Authentication is the idea that 2 different components are required before a user is a recognized as being the real user. For example, when you buy something online you will typically be asked for the Credit Card number, but, you will also be asked for the CCV number. This is to ensure that the credit card number wasn’t stolen and that the person purchasing also has physical access to the card.

Therefore, 2 Factor Authentication prevents your Magento admin from Brute force attacks.  What is a Brute-force attack? Brute-force attacks are simply using a script or program to guess a username and password combination until one works. Typically, the username is known (or believed to be known) while the password is the part that is guessed with every request. For example, if an attacker knew that there was an account “admin” his program or script might guess “password”, “password1”, “password2”, and so on, until he was successful with “password321”. However, there are two different types of brute-force attacks. The first of which involves using a pre-defined wordlist. These wordlists contain common passwords and other words that are oftentimes used as passwords. This does two things for the attacker – first it saves them time in terms of going through the most common passwords first, and second, it increases the speed at which they can guess the password while at the same time reducing the effort that they must spent.

So how does this extension work?

When an administrator successfully logs into Magento, they have 30 seconds to provide the second component to authentication. Currently, the two options for the second component include a one time passcode that is sent to the phone via Google Authenticator and a simple Yes or No response through the Duo Mobile app.

What does it protect me from?

2 Factor Authentication will help protect and defend against brute-force attacks, password being stolen, guessed, or another security vulnerability that allows an attacker to bypass the first component of authentication.

If you need help with your Magento store, call 845-656-3000 or Contact us here »

What else should I be aware of?

It’s essential to note that, in the event that your phone is stolen, breaks or is lost, you will be locked out of your account! Secondly, if your phone has no security itself, such as a password or fingerprint scanner, someone else may use it to login to your account. Any security measure is only as strong as it’s weakest link!

Here’s how it looks in practice:

First, I go to the admin screen just like for any other Magento store:

Screen Shot 2015-05-05 at 12.02.55 PM

After typing in my Username and Password I get a new screen:

Screen Shot 2015-05-05 at 12.03.16 PM

When I get to this screen, I have to open my phone and get the code:


Once I enter my code:

Screen Shot 2015-05-05 at 12.03.25 PM

I’m now logged in for the admin panel.

And here, more importantly is how the logs for 2 Factor Authentication might look:

Screen Shot 2015-05-05 at 12.10.01 PM

Overall, this was a very easy extension to setup and configure. Once I had it installed, I just had to scan the QR Code with my phone to link it up to the Magento Account. After that,  it was good to go. This is the perfect solution to implement in order to keep your admin area safe from brute-force attacks and compromised passwords.

Related Services