Implementing Two-Factor Authentication Throughout Magento
July 16, 2020
As an increasing number of employees work remotely and businesses are forced to shift more of their operations to work-from-home digital solutions, security firm Zscaler saw hacking threats jump by 20% in the month of March alone. One of the most basic types of attack from hackers is at the account login page. In fact, according to Verizon, 81% of hacking-related breaches use stolen or weak passwords, and sometimes both.
To help Magento merchants better respond to these threats, we have implemented many security tools throughout the Magento platform: Magento Security Scan, Google reCAPTCHA, Content Security Policy, and many other security updates over the past few years.
We are responding to the growing threat by supporting (and in some cases requiring) two-factor authentication (2FA) across multiple areas of the Magento ecosystem. 2FA is a key industry standard to protect your digital storefront against attacks that target the account login. Using 2FA security will better protect you from malicious users attempting to perform unauthorized logins in three different areas: Magento.com accounts, Cloud Admin, and the Magento Admin.
2FA for Magento.com Accounts
2FA is now available when logging into services that are accessed using your Magento.com credentials, such as My Account, Magento Forums, Magento Help Center, Magento Marketplace, Magento U, and the Cloud Admin.
To enable 2FA on your Magento.com account, log into My Account and navigate to Two-Factor Authentication under the Account Settings menu. 2FA on Magento.com is compatible with most authentication apps, like Google Authenticator or Authy. For more information on setting up 2FA on Magento.com, see our User Guide.
2FA for Cloud Admin via SSH
To be released in conjunction with Magento Commerce 2.4, 2FA will also be available for Magento Commerce hosted in the cloud when using SSH, to prevent unauthorized users from accessing the servers. By default, this setting is not enabled for a project and must be turned on.
When 2FA is enforced, normal SSH key access to a project will no longer function for that user. Instead, a certifier must be used. The certifier is a remote component that lets a user exchange an access token (the same type of token used in the Project UI, the CLI, etc.) for SSH access. What it issues are short-lived SSH certificates, which replace the usual long-lived public/private key exchange.
For more information on 2FA for SSH access to Magento Commerce cloud projects, see our DevDocs.
2FA for Magento Admin
When the Adobe Security Operations team investigated skimming attacks on merchant sites, they found the majority – about 75% – were due to a malicious user accessing a compromised admin account to load a card skimmer on the site. Providing an extra layer of authentication makes the admin portal more secure, reduces the attack surface for skimming attacks, and decreases the operational cost associated with security incidents.
While 2FA on the Magento Admin is optionally available on all supported versions of Magento Commerce, beginning with the release of 2.4, 2FA will be enabled by default for the Magento Admin and cannot be disabled. Admin users must first configure their 2FA before logging into the Admin through either the UI or a web API. For more information on 2FA in the Magento Admin see our DevDocs.