
Why it Matters

Passwords alone are often not enough to protect Magento admin accounts. Attackers obtain admin credentials through phishing, credential stuffing with leaked passwords, or brute force. If two-factor authentication (2FA) is not enforced, a single leaked or weak password gives full control of the store backend.

Enabling 2FA adds a second step at login, such as a one-time code from an authenticator app or a hardware security key. An attacker who steals a password still cannot log in without the second factor. This greatly reduces the risk of admin account takeover and protects sensitive areas such as orders, customer data, and payment settings.

Verification Steps

Manual

# Check if the Magento_TwoFactorAuth module is enabled
bin/magento module:status Magento_TwoFactorAuth

# In Admin UI:
Stores → Configuration → Security → 2FA

Remediation / Fix Guidance

  1. Enable the module:
    bin/magento module:enable Magento_TwoFactorAuth
    bin/magento setup:upgrade
    bin/magento cache:flush
  2. Configure which 2FA providers admins must use (Google Authenticator TOTP, Duo Security, Authy, or a U2F security key) under Stores → Configuration → Security → 2FA, and make sure every admin account completes enrollment.
  3. Make 2FA mandatory for every admin user, not optional. With the module enabled, Magento enforces it at every admin login; do not disable the module or leave the forced-provider list empty to let individual users skip it.
  4. Provide a recovery process for lost devices, but keep it secure: an administrator resets the affected user's 2FA enrollment and the user re-enrolls, and any backup codes the chosen provider offers are stored out of band, never alongside the password.
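The manual check and the remediation steps above reduce to two facts: is the module enabled, and is at least one recognised provider forced for every admin. The script below folds them into a single PASS/FAIL verdict. It is an added example, not part of this baseline page or of Magento's own tooling. It assumes Magento 2.4's Magento_TwoFactorAuth module, that `bin/magento module:status <module>` prints "Module is enabled" or "Module is disabled", that the forced-provider list is stored at the config path `twofactorauth/general/force_providers`, and that the valid provider codes are google, duo_security, authy and u2fkey. When `bin/magento` is not present it evaluates constructed sample values so it can be run offline.

```shell
#!/usr/bin/env bash
# Added example, not from the baseline page or from Magento: judge admin 2FA
# posture from two CLI facts. Assumptions: `bin/magento module:status <module>`
# prints "Module is enabled" / "Module is disabled"; the forced-provider list is
# at config path twofactorauth/general/force_providers; valid provider codes are
# google, duo_security, authy, u2fkey (Magento 2.4 TwoFactorAuth).

# Known provider codes. Anything else in force_providers is a FAIL, which also
# catches config:show error text that ends up captured in place of a value.
KNOWN_PROVIDERS="google duo_security authy u2fkey"

# providers_valid LIST: return 0 if LIST is non-empty and every comma-separated
# token is a known provider code.
providers_valid() {
  local list="$1" token
  [ -n "$list" ] || return 1
  for token in $(printf '%s' "$list" | tr ',' ' '); do
    case " $KNOWN_PROVIDERS " in
      *" $token "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# tfa_verdict MODULE_STATUS_TEXT FORCE_PROVIDERS_VALUE
# Prints one PASS/FAIL line and returns 0 (PASS) or 1 (FAIL).
tfa_verdict() {
  local module_status="$1" providers="$2"

  case "$module_status" in
    *"Module is enabled"*) ;;
    *) echo "FAIL: Magento_TwoFactorAuth is not enabled (run module:enable, setup:upgrade, cache:flush)"
       return 1 ;;
  esac

  if [ -z "$providers" ]; then
    echo "FAIL: module enabled but no provider forced (twofactorauth/general/force_providers is empty)"
    return 1
  fi

  if ! providers_valid "$providers"; then
    echo "FAIL: unrecognised value in force_providers: '$providers'"
    return 1
  fi

  echo "PASS: Magento_TwoFactorAuth enabled; every admin must use: $providers"
  return 0
}

# Gather the two facts: live from bin/magento when run in a Magento root,
# otherwise from constructed sample values so the script runs offline.
collect_status() {
  if [ -x bin/magento ]; then
    bin/magento module:status Magento_TwoFactorAuth 2>/dev/null || true
  else
    echo "Module is enabled"            # constructed sample value
  fi
}
collect_providers() {
  if [ -x bin/magento ]; then
    bin/magento config:show twofactorauth/general/force_providers 2>/dev/null || true
  else
    echo "google,u2fkey"                # constructed sample value
  fi
}

tfa_verdict "$(collect_status)" "$(collect_providers)" || true
```

Run it from the Magento root with the same user that owns the installation. A FAIL with "not enabled" maps to step 1 above; a FAIL with an empty or unrecognised provider list maps to steps 2 and 3. The verdict is a configuration check only: it does not confirm that every admin user has actually completed enrollment, which still has to be verified per account in the Admin UI.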

Examples

Fail Example

# Module disabled: admin login asks for a password only
bin/magento module:disable Magento_TwoFactorAuth

Pass Example

# Module enabled: 2FA required at every admin login
bin/magento module:enable Magento_TwoFactorAuth
# Admin login now asks for a verification code after the password
