Implementation of two-factor authentication (2FA) in Magento
During the lockdown, many companies have changed their operating mode to remote. Even though today we can return to our offices, some of us still prefer to work from home. This is largely possible thanks to modern technologies that make it easier for us to work from anywhere. Some enterprises have even permanently abandoned the stationary work model and opted for remote solutions. This is a major breakthrough in the field of business, especially for companies offering IT products.
Magento Commerce security
While remote working brings many benefits, it also carries risks. One of them is the increase in hacking attacks. Already in March 2020, the security company Zscaler recorded a 20% increase in such threats. One of the most common and basic targets of hackers is the account login page. According to a Verizon study, as much as 81% of hacking attacks involve the use of stolen or weak passwords. To counteract this type of situation and support sellers using the Magento platform, Magento has taken steps to respond to such threats even better. Over the last few years it has introduced many security tools – Magento Security Scan, Google reCAPTCHA, Content Security Policy – on top of the many security updates already present.
Two-factor authentication – 2FA
Thanks to its security features, Magento reacts to growing threats and supports its users. In some cases, covering a large part of the Magento ecosystem, it even requires two-factor authentication (2FA).
What is 2FA? First and foremost, it is a key industry standard that protects your storefront against hacking attacks aimed at stealing your account login details. 2FA gives much better protection against malicious users attempting unauthorized logins in three different areas: the Magento.com account, Cloud Admin and Magento Admin.
2FA for magento.com accounts
How to use 2FA in Magento? The feature is available after logging in to the services you access with your Magento.com credentials, such as My Account, Magento Forums, Magento Help Center, Magento Marketplace, Magento U and Cloud Admin. To enable the feature on your Magento.com account, log in to My Account and go to two-factor authentication in the Account Settings menu. 2FA on Magento.com is compatible with most of the available authentication apps, including Google Authenticator and Authy. For more information on setting up 2FA for your Magento.com account, visit the service’s website and consult the User Guide available there.
2FA for Cloud Admin via SSH
The developer of the solution wants two-factor authentication to be available to a wide audience. Therefore, it is released in conjunction with Magento Commerce 2.4 and available for Magento Commerce hosted in the cloud using SSH. This helps prevent unauthorized users from accessing the servers. Note that this setting is not enabled by default; you will need to configure it yourself.
Once 2FA is set up, normal SSH key access to the project no longer works; you need to use a certifier instead. The certifier is a remote component that lets you authenticate with an access token in place of your key. The same kind of token is used in the project’s UI, in the CLI and in similar places: the tokens are short-lived SSH certificates that replace the static exchange of public and private keys. To go deeper into 2FA for SSH on Magento Cloud, go to the service provider’s website and read the DevDocs documentation.
2FA for Magento Admin
According to research on skimming attacks conducted by the Adobe Security Operations team on reseller sites, as many as 75% of them were caused by a malicious user who accessed a compromised admin account to load a card skimmer onto the site. For this reason, an additional layer of authentication is necessary and makes the admin panel more secure than before. It also lowers the risk of skimming attacks and the operational costs associated with security incidents.
It is worth noting that 2FA is optional in all supported versions of Magento Commerce. From version 2.4, however, two-factor authentication is enabled by default for Magento Admin and cannot be disabled. Administrator users must therefore configure their 2FA before logging into an administrator account via the user interface or the web API. All this for the full safety of sellers. To learn more about 2FA in Magento Admin, you can also use the DevDocs available on the Magento website.