Magento’s research indicates that a large number of attacks result from compromised admin accounts, and Multi-Factor Authentication helps ensure only your organization has access to your Magento 2 admin. Even if a hacker knows your admin login, our Two-Factor Authentication module can protect your store by requiring a second layer of verification from the user trying to log in. We’ve named our module Heimdall after the Norse god who watched the Bifrost for intruders, and it makes Multi-Factor / Two-Factor authentication easy & painless for Magento 2 stores!
And most importantly, our extension is 100% free!
How It Works
By default, this module provides two-factor authentication using Google’s Authenticator. This allows you to generate two-factor verification codes using your mobile device. The authenticator can generate codes even if your phone does not have an internet connection!
Once installed, your Magento 2 admin users will be prompted to pair their phone / mobile device with their admin account the first time they login. After that, any subsequent logins from a new device will prompt for a verification code.
View the source code for our two-factor authentication module: https://github.com/cadencelabs/cadence-heimdall
Note: If you are still on Magento 1, there is a free module available on GitHub: Two Factor Authentication for Magento 1
Installing the Cadence Labs’ Heimdall Module:
First we’ll need to install Cadence Heimdall using composer. To do this we’ll navigate to the root directory of your M2 application and run:
composer require cadence/heimdall
If you haven’t configured composer with your repo.magento.com credentials, you’ll be prompted to enter your login.
See Magento’s documentation on composer authentication to learn more about how Magento 2 handles these credentials.
If you prefer to download the source code and install the extension manually, see the Manual Installation section below.
After installation we will need to upgrade the database by running:
php bin/magento setup:upgrade
Clear Magento cache:
php bin/magento cache:flush
Log in to the admin, navigate to Stores -> Configuration -> Cadence Labs -> Heimdall Multi-Factor Authentication -> Enabled? -> Set to YES -> Click “Save Config”.
Clear Magento cache:
php bin/magento cache:flush
Log out of the admin and log in again. You’ll be prompted to pair your phone using a QR code, which will create an authenticator label in the format http://YOURDOMAIN – [email protected]
Once you have the Secret Code entered click “Verify Code”.
Note: By checking “Remember this device?” you will not have to complete MFA for 90 days on that same device. Otherwise you will be prompted on every login!
After you set up a device, or if you attempt an admin login from a new device, you will see the MFA verification prompt without the QR code.
Once you’re logged in you should see the success message:
Now you have access to some new features!
Heimdall Module Features:
1. User Management
Navigate to System -> All Users Grid. The “Has Completed MFA” column tells the store owner which users have completed MFA Setup and are currently using two-factor authentication.
2. User Management
Navigate to System -> All Users Grid -> Select User to Edit. The “Reset MFA Secret” button can be used to allow the user to pair a new device with Magento 2.
3. Role Permissions
Navigate to System -> User Roles -> Select Role to Edit Resources -> Role Resources.
You set who can enable the module under Resources -> Stores -> Settings -> Configuration -> Heimdall Multi-Factor Authentication Settings
You set who can reset the MFA secrets under Resources -> System -> Permissions -> Reset Heimdall MFA Secret For Users
Heimdall Multi-Factor Authentication – Manual Installation
To view the source code or download a zip of the extension see the Github repo here: https://github.com/cadencelabs/cadence-heimdall
Below are example instructions for adding the extension. By default, this will provide two-factor authentication using Google Authenticator.
cd ~/path/to/magento2
mkdir -p app/code/Cadence/Heimdall
git clone https://github.com/cadencelabs/cadence-heimdall app/code/Cadence/Heimdall
php bin/magento setup:upgrade
Note: If you install manually, you must require the QR code generator library by hand by running:
composer require robthree/twofactorauth
Using two-factor authentication is an easy way to protect your Magento store from break-ins and data breaches. We encourage you to install this extension and ensure all members of your team complete the setup process.
If you need help with securing your Magento 2 store, or would like Cadence Labs to perform a security audit on your site call (719)-286-0751 or visit our contact page to have a real person contact you today!
Let us know what you think of this module in the comments below!
I really like the idea, very much appreciated! The ecommerce industry is one of the most lucrative targets for cybercriminals. More security means more secure shopping for clients. Great blog post!
Is the extension ever going to be updated again? It destroys the user management page in Magento 2.1.11 and thus makes it unusable.