Retrofitting Two Factor Authentication To An Existing Magento 2 Installation

Published: March 24, 2019

Forcing two-factor authentication (2FA) for the Magento admin panel is a great way to improve security. However, with the current mechanics of Magento's two-factor authentication module, simply flipping the switch in your store's admin panel still leaves a gap in your system's security.

The reason is that, even after two-factor authentication has been enforced, every existing username and password can still be used to fully authenticate to the system for the first time. Once a user has provided the username and password they are not prompted for a second factor. Instead, they are prompted to set up their account for two-factor authentication.

Screenshot showing Magento's 2FA Google Authenticator setup screen

After completing two-factor authentication setup, they’ll have access to the admin panel.

So if the system has a "stale" account that is no longer actively used, or any account whose password has leaked or been guessed, an attacker can still compromise the system by authenticating with that password and then enrolling their own device as the second factor.

I therefore recommend invalidating all admin passwords immediately after enabling two-factor authentication, and terminating any admin sessions that are still active so that nobody completes 2FA enrolment on a session opened with the old credential. Users must then go through the password reset workflow, which requires access to the email account associated with the Magento admin account, effectively a second factor. Keep in mind that this shifts the trust to those mailboxes: the scheme is only as strong as the protection (ideally MFA of its own) on the email accounts the reset links are sent to.
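One way to carry out that invalidation, as an added example that is not from the original post or from Magento itself: the script below reproduces Magento 2's legacy password hash layout, `hash:salt:version` with version 1 meaning `sha256(salt . password)` (the format `Magento\Framework\Encryption\Encryptor` still accepts), and emits SQL that replaces every `admin_user.password` with the hash of a random secret that is generated and immediately discarded. The stored value is well formed, so Magento's login code handles it normally, but no password on earth matches it until the user completes the reset-password flow. The column names `rp_token` / `rp_token_created_at` and the `admin_user_session` table (Magento_Security's session tracking) are Magento 2 schema; that deleting those rows ends the sessions is this example's assumption. The SQL is written out for review, not executed.

```python
"""Generate SQL that invalidates every Magento 2 admin password.

Added example, not code from the original post. Reproduces the legacy
Magento hash layout "sha256(salt . password):salt:1" and assigns each admin
a hash of a throw-away secret, so only the reset-password flow can restore
access. Table/column names follow Magento 2; executing the SQL is left to
the operator after review.
"""
import hashlib
import hmac
import secrets
import string
import sys

SALT_CHARS = string.ascii_letters + string.digits  # Magento's default random-string alphabet
SALT_LEN = 32                                      # Encryptor::DEFAULT_SALT_LENGTH
HASH_VERSION_SHA256 = 1                            # Encryptor::HASH_VERSION_SHA256


def magento_sha256_hash(password: str, salt: str) -> str:
    """Legacy Magento layout: hex(sha256(salt . password)):salt:1."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{digest}:{salt}:{HASH_VERSION_SHA256}"


def magento_check_password(password: str, stored: str) -> bool:
    """Verify a candidate password against a version-1 hash (what isValidHash does for that version)."""
    digest, salt, version = stored.split(":")
    if int(version) != HASH_VERSION_SHA256:
        raise ValueError("only version-1 (sha256) hashes are handled here")
    expected = hashlib.sha256((salt + password).encode()).hexdigest()
    return hmac.compare_digest(expected, digest)  # constant-time compare


def unusable_hash() -> str:
    """Valid-looking hash of a secret nobody keeps: unknown password, fresh salt per row."""
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(SALT_LEN))
    throwaway = secrets.token_urlsafe(32)  # never stored, never printed
    return magento_sha256_hash(throwaway, salt)


def build_invalidation_sql(user_ids) -> str:
    """One UPDATE per admin, plus reset-token and session cleanup, in a single transaction."""
    stmts = ["START TRANSACTION;"]
    for uid in user_ids:
        stmts.append(
            f"UPDATE admin_user SET password = '{unusable_hash()}', "
            # clear any pending reset token so an old reset link cannot be replayed
            f"rp_token = NULL, rp_token_created_at = NULL WHERE user_id = {int(uid)};"
        )
    # Assumption: removing Magento_Security's session rows ends every live admin session,
    # so nobody finishes 2FA enrolment on a session opened with the old password.
    stmts.append("DELETE FROM admin_user_session;")
    stmts.append("COMMIT;")
    return "\n".join(stmts) + "\n"


if __name__ == "__main__":
    # Usage: python invalidate_admins.py 1 2 3 > invalidate.sql   (ids from SELECT user_id FROM admin_user)
    ids = [int(a) for a in sys.argv[1:]] or [1]
    sys.stdout.write(build_invalidation_sql(ids))
```

Feed it the `user_id` values from `SELECT user_id FROM admin_user`, read the generated file, and apply it inside a maintenance window; afterwards every admin, including you, has to use "Forgot your password?" before they can log in and enrol a device. The `magento_check_password` helper is there so you can confirm, offline, that a known old password no longer validates against the new hash.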

The two-factor authentication module could be improved by handling this out of the box. When a system is set to enforce two-factor authentication, on a user's first login a random token could be sent to the email address on file for the account, and the user would be required to enter that token before being allowed to set up two-factor authentication.
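To make the proposed flow concrete, here is an added example of the server-side half of that gate; it is illustrative code written for this page, not part of Magento or its 2FA module, and the class name `FirstLoginGate`, the 15-minute lifetime and the in-memory store are all assumptions. The points a practitioner would want covered are: only a hash of the token is kept (so a database read does not yield a usable token), the token expires, it is single-use, and comparison is constant-time.

```python
"""Email-token gate in front of first-time 2FA enrolment.

Added example, not Magento code. issue() returns the token that would be
emailed to the address on file; verify() is what the enrolment page calls
before it shows the QR code. Storage is an in-memory dict for illustration.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; long enough for mail delivery, short enough to limit replay


class FirstLoginGate:
    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested deterministically
        self._pending = {}              # user_id -> (sha256(token), expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int) -> str:
        """Create a fresh token for the user, replacing any earlier one; caller emails it."""
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = (self._digest(token), self._now() + TOKEN_TTL_SECONDS)
        return token

    def verify(self, user_id: int, presented: str) -> bool:
        """True exactly once per issued token, and only before it expires."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[user_id]  # stale token is useless; drop it
            return False
        ok = hmac.compare_digest(stored_digest, self._digest(presented))
        if ok:
            del self._pending[user_id]  # single use: a second submission must fail
        return ok

    def may_enrol(self, user_id: int, presented: str) -> bool:
        """The decision the enrolment controller would take: show 2FA setup only after a good token."""
        return self.verify(user_id, presented)


if __name__ == "__main__":
    gate = FirstLoginGate()
    t = gate.issue(7)
    print("emailed token accepted:", gate.may_enrol(7, t))
    print("replay accepted:", gate.may_enrol(7, t))
```

In a real module the `(digest, expires_at)` pair would live in the admin user table or a dedicated table rather than a dict, and `issue()` would be called by the login controller when it finds an account with no 2FA configured; the logic shown is what that storage needs to preserve.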

Author: Max Chadwick
