# swissup/module-tfa

`composer require swissup/module-tfa`

Canonical URL: https://packagento.com/swissup/module-tfa

## At a glance

- **Vendor**: swissup (https://packagento.com/swissup.md)
- **Latest version**: 0.2.8 — released 2026-05-15
- **Pricing**: Free
- **Package type**: Magento 2 module
- **Status**: active, accepting new buyers

## Installation

Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them.

1. **Sign in or create an account** at https://packagento.com/customer/account/.

2. **Add the package to your account.** Open https://packagento.com/swissup/module-tfa and complete the free checkout. A licence is minted automatically.

3. **Create or pick a project, then activate the licence on it.**
   - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/.
   - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project.

4. **Add the project credentials to your Magento codebase.**

   Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`:

   ```json
   {
     "http-basic": {
       "packagento.com": {
         "username": "ppk_live_...",
         "password": "psk_live_..."
       }
     }
   }
   ```

   Add the Packagento Composer repository to `composer.json`:

   ```json
   {
     "repositories": [
       { "type": "composer", "url": "https://packagento.com" }
     ]
   }
   ```

5. **Install and apply.**

   ```bash
   composer require swissup/module-tfa:*
   bin/magento setup:upgrade
   bin/magento setup:di:compile
   bin/magento cache:flush
   ```

## README

Two Factor Authentication Extension for Magento 2

![2018-05-25 17-16-11](https://user-images.githubusercontent.com/412612/40549148-6518bfe8-603f-11e8-9182-7fb5e2d53a1f.png)

##### Server Time
It's extremely important that you keep your server time in sync with some NTP server.

#### Installation

##### For clients

There are several ways to install extension for clients:

 1. If you've bought the product at Magento's Marketplace - use
    [Marketplace installation instructions](https://docs.magento.com/marketplace/user_guide/buyers/install-extension.html)
 2. Otherwise, you have two options:
    - Install the sources directly from [our repository](https://docs.swissuplabs.com/m2/extensions/improvedadminsecurity/installation/composer/) - **recommended**
    - Download archive and use [manual installation](https://docs.swissuplabs.com/m2/extensions/improvedadminsecurity/installation/manual/)

##### For developers

Use this approach if you have access to our private repositories!

Run the following commands:
```bash
cd <magento_root>
composer config repositories.swissup composer https://docs.swissuplabs.com/packages/
composer require swissup/tfa --prefer-source --ignore-platform-reqs
bin/magento module:enable Swissup_Core Swissup_Tfa
bin/magento setup:upgrade
```

![2018-05-25 17-15-34](https://user-images.githubusercontent.com/412612/40549149-65439a1a-603f-11e8-950c-106fbf7590b1.png)

* TFA must be enabled by the individual user by clicking 'Account Setting(user)' in the Magento 2 admin panel.
* Once there, the user is able to enable the two factor authentication and view the QR code for a Google Authenticator compatible application.
* Users with TFA enabled will not be able to log into the admin panel without a valid authentication code input on the Magento 2 admin login page.
* Users with TFA disabled can leave the 'Authenticator Code' field blank during login.

#### Activating the extension

* Open your admin user account settins at `System > Permisions > All Users >
Your User > Tab "Two Factor Authentication"`

* Scan QR code with Google Authenticator application using your smartphone.

* Insert the key you've got on your mobile device into the verification key field.

* That's all. You've enabled the protection for that admin user. Try logout
and login with verification key. Please notice that key is got refreshed every
30 seconds. In case you have not enabled the protection for some users, the
verification key will be ignored for those users.

#### Google Authenticator Apps:

To use the two factor authentication, your user will have to install a Google Authenticator compatible app, those are some of the currently available:

* [Authy for iOS, Android, Chrome, OS X](https://www.authy.com/)
* [FreeOTP for iOS, Android and Pebble](https://apps.getpebble.com/en_US/application/52f1a4c3c4117252f9000bb8)
* [Google Authenticator for iOS](https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8)
* [Google Authenticator for Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2)
* [Google Authenticator (port) on Windows Store](https://www.microsoft.com/en-us/store/p/google-authenticator/9wzdncrdnkrf)
* [Microsoft Authenticator for Windows Phone](https://www.microsoft.com/en-us/store/apps/authenticator/9wzdncrfj3rj)
* [LastPass Authenticator for iOS, Android, OS X, Windows](https://lastpass.com/auth/)
* [1Password for iOS, Android, OS X, Windows](https://1password.com)

### Console Commands
TFA can be disabled using console commands if needed:
###### List TFA status For All Admin Users
```bash
php bin/magento swissup:tfa:list
```
###### Disable TFA For Single Admin User (by email)
```bash
php bin/magento swissup:tfa:disable admin@example.com
```

## Recent Versions

| Version | Released |
|---|---|
| 0.2.8 | 2026-05-15 |
| 0.2.7 | 2025-04-11 |
| 0.2.6 | 2022-09-13 |
| 0.2.5 | 2022-08-23 |
| 0.2.4 | 2022-08-15 |
| 0.2.3 | 2022-08-12 |
| 0.2.2 | 2020-07-30 |
| 0.2.1 | 2019-11-15 |
| 0.2.0 | 2018-09-26 |
| 0.1.1 | 2018-06-21 |

Showing 10 of 11 versions. Full release history on https://packagento.com/swissup/module-tfa.

## Dependencies

### Require

| Package | Constraint |
|---|---|
| bacon/bacon-qr-code | ^1.0.0\|^2.0.0\|^3.0.0 |
| pragmarx/google2fa-qrcode | ^3.0 |
| swissup/module-core | ^1.12.27 |

## Quality

Latest release (0.2.8) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers.


### Compatibility

Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Code Quality

Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible.

#### Static Analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Warning | 17 | 17 warnings (ruleset: Magento2) — 4 auto-fixable with phpcbf |
| PHPMD | Warning | 5 | 5 rule violations (MissingImport:3, UnusedFormalParameter:1, UnusedLocalVariable:1) |
| Cpd | Pass | 0 |  |
| Composer validate | Info | 1 | valid; 1 advisory note (composer validate --strict) |

#### PHPStan

Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | 42 | 42 | – | – |
| 2.4.8 | – | 42 | 42 | – |
| 2.4.9 | – | – | 42 | 42 |


### Tests

Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately.

#### Unit Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |

#### Integration Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |


### Security

Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| Composer audit | Pass | 0 |  |
| Malware scan | Pass | 0 |  |

## Licence and pricing

Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step.

Refundable within 14 days of first purchase via https://packagento.com/account/refunds/.

## Install via Claude Code or any MCP client

The Packagento MCP server can run the licence + project + Composer steps above in one tool call:

```
purchase_and_install_packages(
  composer_names=["swissup/module-tfa"],
  project_id="proj_xxx"
)
```

This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup.

## Vendor

swissup is a Magento 2 vendor on Packagento. See https://packagento.com/swissup.md for their full catalogue.