Magento 2.4 and Two-Factor Authentication

On 28 July 2020, Magento2.4 will be released (both Commerce and Open Source) with General Availability. This release will obviously include important updates to security, quality, and platform technologies along with several new capabilities. The most interesting to us is the now required Two Factor Authentication (2FA)

Magento v2.4 release notes are here: magento.com.

TWO FACTOR AUTHENTICATION (2FA) THROUGHOUT MAGENTO COMMERCE

As an increasing number of businesses are forced to shift their operations to work-from-home digital solutions we expect that hacking threats are rising. One of the most common threats is from the account login page.

Magento is responding to the growing threat by supporting (and in some cases requiring) 2FA across multiple areas of the Magento Commerce ecosystem. Two Factor Authentication is a key industry standard to protect your digital storefront against attacks that target the account login. Using 2FA security will better protect you and your clients from malicious outsiders attempting to perform unauthorized logins at three different points of entry to Magento Commerce:

• Services that use your Magento.com credentials such as My Account or the Magento Commerce Help Center. Available to configure now.
• Accessing the cloud admin using SSH, and the Magento Commerce Admin. Available in conjunction with the release of 2.4.
• Beginning with the release of 2.4, 2FA will be enabled by default for the Magento Commerce Admin and cannot be disabled. After upgrading, Admin users must configure 2FA before logging in.

We also strongly recommend that our clients change the default admin URL from admin to something more obfuscated (example is admin_string of characters). Additionally, we recommend that client IPs are whitelisted for access to that admin login page.

Between Xumulus’ recommendations and Magento’s Two Factor Authentication, we’re seeing a considerable threat reduction around backend access.