# markshust/magento2-module-disabletwofactorauth

> The DisableTwoFactorAuth module provides the ability to disable two-factor authentication.

`composer require markshust/magento2-module-disabletwofactorauth`

Canonical URL: https://packagento.com/markshust/magento2-module-disabletwofactorauth

## At a glance

- **Vendor**: markshust (https://packagento.com/markshust.md)
- **Latest version**: 2.0.2 — released 2024-11-05
- **Pricing**: Free
- **Package type**: Magento 2 module
- **Status**: active, accepting new buyers

## Installation

Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them.

1. **Sign in or create an account** at https://packagento.com/customer/account/.

2. **Add the package to your account.** Open https://packagento.com/markshust/magento2-module-disabletwofactorauth and complete the free checkout. A licence is minted automatically.

3. **Create or pick a project, then activate the licence on it.**
   - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/.
   - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project.

4. **Add the project credentials to your Magento codebase.**

   Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`:

   ```json
   {
     "http-basic": {
       "packagento.com": {
         "username": "ppk_live_...",
         "password": "psk_live_..."
       }
     }
   }
   ```

   Add the Packagento Composer repository to `composer.json`:

   ```json
   {
     "repositories": [
       { "type": "composer", "url": "https://packagento.com" }
     ]
   }
   ```

5. **Install and apply.**

   ```bash
   composer require markshust/magento2-module-disabletwofactorauth:*
   bin/magento setup:upgrade
   bin/magento setup:di:compile
   bin/magento cache:flush
   ```

## What it does

The DisableTwoFactorAuth module provides the ability to disable two-factor authentication.

## README

<h1 align="center">MarkShust_DisableTwoFactorAuth</h1> 

<div align="center">
  <p>Provides the ability to disable two-factor authentication.</p>
  <img src="https://img.shields.io/badge/magento-2.4.0%E2%80%932.4.7+-brightgreen.svg?logo=magento&longCache=true&style=flat-square" alt="Supported Magento Versions" />
  <a href="https://packagist.org/packages/markshust/magento2-module-disabletwofactorauth" target="_blank"><img src="https://img.shields.io/packagist/v/markshust/magento2-module-disabletwofactorauth.svg?style=flat-square" alt="Latest Stable Version" /></a>
  <a href="https://packagist.org/packages/markshust/magento2-module-disabletwofactorauth" target="_blank"><img src="https://poser.pugx.org/markshust/magento2-module-disabletwofactorauth/downloads" alt="Composer Downloads" /></a>
  <a href="https://GitHub.com/Naereen/StrapDown.js/graphs/commit-activity" target="_blank"><img src="https://img.shields.io/badge/maintained%3F-yes-brightgreen.svg?style=flat-square" alt="Maintained - Yes" /></a>
  <a href="https://opensource.org/licenses/MIT" target="_blank"><img src="https://img.shields.io/badge/license-MIT-blue.svg" /></a>
</div>

### Table of contents

- [Summary](#summary)
- [Why](#why)
- [Installation](#installation)
- [Usage](#usage)
- [Credits](#credits)
- [License](#license)

### Summary

With the release of Magento 2.4, two-factor authentication (also known as 2FA) became enabled by default, with no
ability to disable it in either the admin or console. However, there are situations which may require 2FA to be disabled
or temporarily turned off, such as within development or testing environments.

This module automatically disables 2FA while in developer mode (since version 2.0.0), and adds the missing toggle to turn 2FA on or off from the admin for other environments. It does this by hooking into the core code in
a very seamless manner, just as would be done if this toggle existed in the core code. Installing this module should not
open any security holes, as it just works off of a simple config toggle which, if not present, falls back to the default
functionality.

You can also toggle 2FA back on while in developer mode, if you need to test your code functionality while 2FA is enabled.
 
![Demo](https://raw.githubusercontent.com/markshust/magento2-module-disabletwofactorauth/master/docs/demo-2021-11-10.png)

### Why

Why should you use this module? I hear all of the time that you can just disable Magento's 2FA module. There is a large inherent issue with doing this though.

When you disable a module, it updates the `app/etc/config.php` file with the removed module, which will eventually make its way upstream (accidentally committed to version control or unintendedly leaving your development environment). This will disable 2FA on staging/production, which is a big security concern. This module resolves this because you can keep it installed & enabled on dev/stage/prod, but control whether or not 2FA is enabled or disabled with configuration settings or environment variables. This means you can have it permanently disabled on dev, but have it permanently enabled in all other environments, all while keeping this module installed in all environments.

### Installation

```
composer require --dev markshust/magento2-module-disabletwofactorauth
bin/magento module:enable MarkShust_DisableTwoFactorAuth
bin/magento setup:upgrade
```

### Usage

This module automatically disables 2FA in developer mode (since version 2.0.0). In any other deployment mode, 2FA is kept enabled by default. This is to prevent any unexpected side effects or security loopholes from
being introduced during automated installation processes.

It is highly recommended to install this module as a dev dependency to avoid security warning reports from either Adobe Commerce or other production environments which run security checks. This can be done either by passing in the `--dev` flag when installing it with Composer, or by adding it to the `require-dev` property of your `composer.json` file.

#### Disable 2FA

It may still be desirable to disable 2FA in non-production environments, such as within testing or internal staging environments. For these cases, 2FA is not automatically disabled. However, there are toggles to override the default Magento settings to disable 2FA within these environments.

You can also bypass 2FA for API token generation. This can be useful for third-party vendors during module development.

*NOTE: Always keep 2FA enabled within production environments for security purposes.*

##### 2FA

To disable 2FA, visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA* to **No**.

CLI: `bin/magento config:set twofactorauth/general/enable 0`

##### 2FA for API Token Generation

To disable 2FA for API Token Generation, visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA for API Token Generation* to **No**.

CLI: `bin/magento config:set twofactorauth/general/enable_for_api_token_generation 0`

#### Enable 2FA in developer mode

This module automatically disables 2FA while developer mode is enabled, but there may be situations when you need 2FA enabled during development. Rather than needing to disable this module, you can just disable this configuration setting in the admin.

To enable 2FA while in developer mode, visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Disable 2FA in Developer Mode* to **No**.

CLI: `bin/magento config:set twofactorauth/general/disable_in_developer_mode 0`

### Credits

#### M.academy

This course is sponsored by <a href="https://m.academy/" target="_blank">M.academy</a>, the simplest way to master Magento development.

<a href="https://m.academy/" target="_blank"><img src="docs/macademy-logo-200x60.png" alt="M.academy"></a>

#### Mark Shust

_(README truncated for .md surface. Full README on https://packagento.com/markshust/magento2-module-disabletwofactorauth.)_

## Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

### [2.0.2] - 2024-11-05

#### Added
- Added PHPStan level 9 support by improving type hints ([#27](https://github.com/markshust/magento2-module-disabletwofactorauth/pull/27))
- Added keywords to composer.json for better package discovery

#### Updated
- Updated installation instructions to recommend using `--dev` flag with composer
- Made package explicitly development-focused to avoid Adobe Commerce security warnings ([#28](https://github.com/markshust/magento2-module-disabletwofactorauth/pull/28))
- Updated badge icon with support for newer versions of Magento

#### Fixed
- Fixed issue where 2FA could remain enabled for API token generation when main 2FA was disabled ([#29](https://github.com/markshust/magento2-module-disabletwofactorauth/pull/29))

### [2.0.1] - 2022-10-24

#### Fixed
- Fix compatibility with MFTF 3.10.0 ([#16](https://github.com/markshust/magento2-module-disabletwofactorauth/pull/16))

### [2.0.0] - 2021-11-10

This is a potentially breaking release, as it changes the overall functionality when Magento is in `developer` mode. A new "Disable 2FA in Developer Mode" system configuration has been created, which is a Yes/No toggle. By default, it is set to Yes so that 2FA is automatically disabled when a Magento site is in `developer` mode. When this is set to No, the two other 2FA configuration dropdowns set the configuration for 2FA. When not in `developer` mode, this toggle has no effect.

#### Added
- Add ability to automatically disable 2FA when in developer mode ([#13](https://github.com/markshust/magento2-module-disabletwofactorauth/pull/13)).

### [1.1.4] - 2021-02-22

#### Fixed
- Removed newline character from MFTF config:show bool cast ([#10](https://github.com/markshust/magento2-module-disabletwofactorauth/pull/10)).

### [1.1.3] - 2020-01-18

#### Fixed
- Fixed composer.json version, re-tagging to redeploy to packagist.

### [1.1.2] - 2020-01-18

#### Added
- Added test rewrite to MFTF to get core tests to pass when 2FA is disabled ([#5](https://github.com/markshust/magento2-module-disabletwofactorauth/pull/5)).

### [1.1.1] - 2020-01-13

#### Fixed
- Removed typed properties for PHP 7.3 support ([#6](https://github.com/markshust/magento2-module-disabletwofactorauth/issues/6)).

### [1.1.0] - 2020-01-12

#### Added
- Support to disable 2FA for API token generation ([#1](https://github.com/markshust/magento2-module-disabletwofactorauth/issues/1)).

#### Updated
- Updated docblocks and other minor formatting issues.
- Updated REAMDE to make it more explicit not to disable 2FA within production environments.

### [1.0.0] - 2020-08-10

#### Added
- Initial release.

## Recent Versions

| Version | Released |
|---|---|
| 2.0.2 | 2024-11-05 |
| 2.0.1 | 2022-10-24 |
| 2.0.0 | 2021-11-10 |
| 1.1.4 | 2021-02-22 |
| 1.1.3 | 2021-01-18 |
| 1.1.2 | 2021-01-18 |
| 1.1.1 | 2021-01-13 |
| 1.1.0 | 2021-01-12 |
| 1.0.0 | 2020-08-10 |

## Dependencies

### Require

| Package | Constraint |
|---|---|
| magento/framework | ^103 |
| php | ^7\|\|^8 |

## Quality

Latest release (2.0.2) passes the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers.


### Compatibility

Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Code Quality

Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible.

#### Static Analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Warning | 10 | 10 warnings (ruleset: Magento2) — 5 auto-fixable with phpcbf |
| PHPMD | Warning | 2 | 2 rule violations (UnusedFormalParameter:2) |
| Cpd | Pass | 0 |  |
| Composer validate | Info | 1 | valid; 1 advisory note (composer validate --strict) |

#### PHPStan

Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Tests

Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately.

#### Unit Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |

#### Integration Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |


### Security

Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| Composer audit | Pass | 0 |  |
| Malware scan | Pass | 0 |  |

## Licence and pricing

Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step.

Refundable within 14 days of first purchase via https://packagento.com/account/refunds/.

## Install via Claude Code or any MCP client

The Packagento MCP server can run the licence + project + Composer steps above in one tool call:

```
purchase_and_install_packages(
  composer_names=["markshust/magento2-module-disabletwofactorauth"],
  project_id="proj_xxx"
)
```

This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup.

## Vendor

markshust is a Magento 2 vendor on Packagento. See https://packagento.com/markshust.md for their full catalogue.

