# mageplaza/module-two-factor-authentication > Magento 2 Two Factors Authentication Extension `composer require mageplaza/module-two-factor-authentication` Canonical URL: https://packagento.com/mageplaza/module-two-factor-authentication ## At a glance - **Vendor**: mageplaza (https://packagento.com/mageplaza.md) - **Latest version**: 4.0.5 — released 2025-03-25 - **Pricing**: Free - **Package type**: Magento 2 module - **Status**: active, accepting new buyers ## Installation Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them. 1. **Sign in or create an account** at https://packagento.com/customer/account/. 2. **Add the package to your account.** Open https://packagento.com/mageplaza/module-two-factor-authentication and complete the free checkout. A licence is minted automatically. 3. **Create or pick a project, then activate the licence on it.** - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/. - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project. 4. **Add the project credentials to your Magento codebase.** Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`: ```json { "http-basic": { "packagento.com": { "username": "ppk_live_...", "password": "psk_live_..." } } } ``` Add the Packagento Composer repository to `composer.json`: ```json { "repositories": [ { "type": "composer", "url": "https://packagento.com" } ] } ``` 5. **Install and apply.** ```bash composer require mageplaza/module-two-factor-authentication:* bin/magento setup:upgrade bin/magento setup:di:compile bin/magento cache:flush ``` ## What it does Magento 2 Two Factors Authentication Extension ## README [Magento 2 Two-Factor Authentication](http://www.mageplaza.com/magento-2-two-factor-authentication/) from Mageplaza is built to ensure the highest security for your Magento 2 stores. The extension can force using 2FA or auto skip 2FA request for trusted devices. Mobile compatibility is also supported in this module. ### 1. Documentation - [Installation guide](https://www.mageplaza.com/install-magento-2-extension/) - [User guide](https://docs.mageplaza.com/two-factor-authentication/index.html) - [Introduction page](http://www.mageplaza.com/magento-2-two-factor-authentication/) - [Contribute on Github](https://github.com/mageplaza/magento-2-two-factor-authentication) - [Get Support](https://github.com/mageplaza/magento-2-two-factor-authentication/issues) ### 2. FAQ **Q: I got error: Mageplaza_Core has been already defined** A: Read solution [here](https://github.com/mageplaza/module-core/issues/3) **Q: How many steps admin has to pass to access admin data?** A: There are two steps. The first is simple with username and password, the second is authentication code provided by the mobile authentication app **Q: Which apps can I use for 2FA?** A: We recommend you use Authy and Google Authentication for the best result. **Q: If I do not want to be required 2FA the next time, how can I do?** A: You can do by enabling the trusted device function and set the trusted time by days. Then, in the first login, click on Trust this device for x days. It can be done properly. **Q: I am a store owner. Our store has many admins. How can I set 2FA for specific accounts only?** A: Kindly follow this guide. Firstly, turn off Forcing to use 2FA function. Then the admin accounts which is not set as a trusted device and turn on 2FA will have to use 2FA. **Q: Can I know the list of trusted device and remove any accounts if any changes require?** A: Yes, you can easily see from admin backend and click on remove button to do any removing accounts. ### 3. How to install Two-Factor Authentication extension for Magento 2 Install via composer (recommend): Run the following command in Magento 2 root folder: With Marketing Automation (recommend): ``` composer require mageplaza/module-two-factor-authentication php bin/magento setup:upgrade php bin/magento setup:static-content:deploy ``` Without Marketing Automation: ``` composer require mageplaza/module-two-factor-authentication php bin/magento setup:upgrade php bin/magento setup:static-content:deploy ``` For versions below Magento version 2.4.0, it requires to install the library of bacon-qr-code via composer by the following command ``` composer require bacon/bacon-qr-code ``` ### 4. Highlight Features of Magento 2 Two Factor Authentication #### Two steps to access ![Two steps to access](https://i.imgur.com/8qZZicH.png) ##### Forcing to use Two-factor authentication [Magento 2 Two Factor Authentication](https://marketplace.magento.com/mageplaza-module-two-factors-authentication.html) (2FA) supports backend store data to be better protected with two steps of verification. If forcing feature is enable, admins are required to set up two-factor authentication before they have the ability to access all data from backend panel. ##### Support from mobile authentication apps To activate two-factor authentication, the support from mobile authentication apps is needed. Admins need to download apps such as Authy, Duo, Google Authentication. After registering authenticator accounts by scanning QR code or manually entering the provided key, the app will create a unique verification code which is used to confirm the admin account. #### No requirement if being trusted ![Magento 2 Two Factor Authentication](https://i.imgur.com/NRYkNWv.png) ##### Activate trusted device function, set trusted time To save time for trusted admin accounts after the first time login, Trusted device function is supported. After this feature is configured well, via a click to require trust for next login, the device will be listed to trusted list and not be required authentication code in a specific time. ##### Quick login without authentication code in the next login As a result, after the first time confirming the account successfully, as long as within the trusted time, the second verification is not required for the next login times. With this feature, it is time-saving for key store admins whose accounts are believed to be reliable. #### Trusted device list ![Magento 2 Two Factor Authentication](https://i.imgur.com/BTCvGnz.png) It is easy to manage all trusted verified admin roles by the Trusted Device list. The information of logged users are recorded clearly with the following details: - Device Name - IP address - Address - Last login time Besides, super admin or store owners can easily remove any admin accounts from the trusted device in case there is any account updates. Therefore, admin panel can be protected well from the ill-intentioned access. ### 5. More Features of Magento 2 2FA #### Force Using 2FA Enable/ Disable requiring users to register 2FA #### Trusted Time Set trusted time for user accounts by days #### Mobile friendly Be well responsive to mobiles, desktop, tablets, and other screen sizes. ### 6. Full Features List #### General Configuration - Enable/ Disable the extension - Force admins to use 2FA - Enable/ Disable Trusted Device - Set trusted time by days #### Admin account setting 2FA - Setting account information: User name, Email, password - Enable/ Disable 2FA for the account - Input confirmation code from the authentication app - Use a unique authentication code for each time login - Click on trust this device when login to save second authentication confirmation for a specific days - View Trusted Device list - Remove an admin account from the Trusted Device list ### 7. Magen _(README truncated for .md surface. Full README on https://packagento.com/mageplaza/module-two-factor-authentication.)_ ## Changelog CHANGELOG: https://www.mageplaza.com/releases/two-factor-authentication ## Recent Versions | Version | Released | |---|---| | 4.0.5 | 2025-03-25 | | 4.0.4 | 2022-11-08 | | 4.0.3 | 2022-06-01 | | 1.1.3 | 2022-06-01 | | 1.1.2 | 2021-08-16 | | 4.0.2 | 2021-08-16 | | 4.0.1 | 2021-05-05 | | 4.0.0 | 2020-09-09 | | 1.1.1 | 2020-05-28 | | 1.1.0 | 2019-12-10 | Showing 10 of 14 versions. Full release history on https://packagento.com/mageplaza/module-two-factor-authentication. ## Dependencies ### Require | Package | Constraint | |---|---| | mageplaza/module-core | ^1.5.12 | | sinergi/browser-detector | * | | sonata-project/google-authenticator | ^2.3.0 | ## Quality Latest release (4.0.5) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers. ### Compatibility Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`. | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | Pass | Pass | – | – | | 2.4.8 | – | Pass | Pass | – | | 2.4.9 | – | – | 1 | 1 | ### Code Quality Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible. #### Static Analysis Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module. | Tool | Status | Findings | Summary | |---|---|---|---| | PHPCS | Fail | 64 | 1 error, 63 warnings (ruleset: Magento2) — 51 auto-fixable with phpcbf | | PHPMD | Warning | 9 | 9 rule violations (IfStatementAssignment:4, MissingImport:2, ExcessiveParameterList:1, CyclomaticComplexity:1, NPathComplexity:1) | | Cpd | Pass | 0 | | | Composer validate | Info | 2 | valid; 2 advisory notes (composer validate --strict) | #### PHPStan Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases. | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | 58 | 58 | – | – | | 2.4.8 | – | 58 | 58 | – | | 2.4.9 | – | – | 56 | 56 | ### Tests Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately. #### Unit Tests | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | N/A | N/A | – | – | | 2.4.8 | – | N/A | N/A | – | | 2.4.9 | – | – | N/A | N/A | #### Integration Tests | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | N/A | N/A | – | – | | 2.4.8 | – | N/A | N/A | – | | 2.4.9 | – | – | N/A | N/A | ### Security Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright. | Tool | Status | Findings | Summary | |---|---|---|---| | Composer audit | Pass | 0 | | | Malware scan | Pass | 0 | | ## Licence and pricing Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step. Refundable within 14 days of first purchase via https://packagento.com/account/refunds/. ## Install via Claude Code or any MCP client The Packagento MCP server can run the licence + project + Composer steps above in one tool call: ``` purchase_and_install_packages( composer_names=["mageplaza/module-two-factor-authentication"], project_id="proj_xxx" ) ``` This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup. ## Vendor mageplaza is a Magento 2 vendor on Packagento. See https://packagento.com/mageplaza.md for their full catalogue.