
Free Multi-Factor Authentication for Magento 2

Magento’s research indicates that a large number of attacks result from compromised admin accounts, and Multi-Factor Authentication helps ensure only your organization has access to your Magento 2 admin. Even if a hacker knows your admin login, our Two-Factor Authentication module can protect your store by requiring a second form of verification from the user trying to log in. We’ve named our module Heimdall after the Norse god who watched the Bifrost for demons, and it makes Multi-Factor / Two-Factor authentication easy and painless for Magento 2 stores!

And most importantly, our extension is 100% free!

How It Works

By default, this module provides two-factor authentication using Google Authenticator. This allows you to generate two-factor verification codes on your mobile device. The authenticator can generate codes even if your phone does not have an internet connection!

Once installed, your Magento 2 admin users will be prompted to pair their phone / mobile device with their admin account the first time they log in. After that, any subsequent login from a new device will prompt for a verification code.

View the source code for our two-factor authentication module: https://github.com/cadencelabs/cadence-heimdall
Note: If you are still on Magento 1, there is a free module available on GitHub: Two Factor Authentication for Magento 1

Installing the Cadence Labs Heimdall Module:

Step 1

First we’ll install Cadence Heimdall using Composer. To do this, navigate to the root directory of your M2 application and run:

composer require cadence/heimdall

If you haven’t configured Composer with your repo.magento.com credentials, you’ll be prompted to enter them.
Click here to learn more about Magento 2’s Composer authentication.

If you prefer to download the source code and install the extension manually, click here for instructions.

Step 2

After installation we will need to upgrade the database by running:

php bin/magento setup:upgrade

Step 3

Clear Magento cache:

php bin/magento cache:flush

Step 4

Log in to the admin, navigate to Stores -> Configuration -> Cadence Labs -> Heimdall Multi-Factor Authentication -> Enabled? -> Set to YES -> Click “Save Config”.

Step 5

Clear Magento cache:

php bin/magento cache:flush

Step 6

Log out of the admin and log in again; you’ll be prompted to pair your phone using a QR code, which creates an authenticator entry labelled in the format http://YOURDOMAIN – [email protected].

Once you have entered the Secret Code, click “Verify Code”.

Note: By checking “Remember this device?” you will not have to do MFA for 90 days on that same device. Otherwise you will be prompted on every login!

After you set up a device, or if you attempt an admin login from a new device, you will see the MFA verification prompt without the QR code.

Once you’re logged in you should see the success message:

Now you have access to some new features!

Heimdall Module Features:

1. User Management

Navigate to System -> All Users Grid. The “Has Completed MFA” column tells the store owner which users have completed MFA Setup and are currently using two-factor authentication.

2. User Management

Navigate to System -> All Users Grid -> Select User to Edit. The “Reset MFA Secret” button can be used to allow the user to pair a new device with Magento 2.

3. Role Permissions

Navigate to System -> User Roles -> Select Role to Edit Resources -> Role Resources.

You set who can enable the module under Resources -> Stores -> Settings -> Configuration -> Heimdall Multi-Factor Authentication Settings.

You set who can reset the MFA secrets under Resources -> System -> Permissions -> Reset Heimdall MFA Secret For Users.


That’s it!

Heimdall Multi-Factor Authentication – Manual Installation

To view the source code or download a zip of the extension see the Github repo here: https://github.com/cadencelabs/cadence-heimdall

Below are example instructions for adding the extension. By default, this will provide two-factor authentication using Google Authenticator.

cd ~/path/to/magento2
mkdir -p app/code/Cadence/Heimdall
git clone https://github.com/cadencelabs/cadence-heimdall app/code/Cadence/Heimdall
php bin/magento setup:upgrade

Note: If you install manually, you must install the QR code generator library yourself by running:

composer require robthree/twofactorauth

Conclusion

Using two-factor authentication is an easy way to protect your Magento store from break-ins and data breaches. We encourage you to install this extension and ensure all members of your team complete the setup process.

If you need help securing your Magento 2 store, or would like Cadence Labs to perform a security audit of your site, call (719)-286-0751 or visit our contact page to have a real person contact you today!

Alan Barber is the CEO at Cadence Labs and a Magento Certified developer.


Let us know what you think of this module in the comments below!

2 Comments

  1. Fayyaz Khattak

    I really like the idea, very appreciatable! The ecommerce industry is one of the most lucrative targets for cybercriminals. More security means more secure shopping for clients. Great blog post!

  2. Deniz

    Hi!
    Is the extension ever going to be updated again? It destroys the user management page in Magento 2.1.11 and thus makes it unusable.
