Magento 2 Security: Protect Your Site with 2FA and ReCaptcha in Mind

There are many ways to enhance Magento 2 security and keep your ecommerce site safe from risk. Two of them are Two-Factor Authentication (2FA) and Google reCAPTCHA. Magento 2FA adds a second authentication step and supports multiple providers. If 2FA is enabled for a user, that user must complete a second step to verify their account when attempting to access the Admin.

Meanwhile, Google reCAPTCHA ensures that a human being, rather than a computer, is interacting with the site. It provides stronger protection than the built-in Magento CAPTCHA, validates reliably, and improves cart conversion because it adds no extra hurdles to the purchasing process.

In this article, we go through the steps to enhance your Magento 2 security with 2FA and reCAPTCHA: a step-by-step guide to configuring these two features on your site. Let’s begin!

Two-Factor Authentication

Step 1: 2FA General Settings

Enable 2FA and Supported Providers

  1. Set Enable Two Factor Auth to Yes.
  2. In the Force Provider section, select the authenticators you require for all users. Enable and configure each authentication provider that you support. When complete, click Save Config.
    • Google Authenticator
      – Set Enable this provider to Yes.
      – Set Enable “trust this device” option to Yes (users then do not need to type the authenticator code on every login from a device they have marked as trusted) or No (the code is required on every login).
    • U2F Devices (Yubikey and others)
      – Set Enable this provider to Yes.
      – Set Enable “trust this device” option to Yes (users then do not need to type the authenticator code on every login from a device they have marked as trusted) or No (the code is required on every login).
    • Duo Security
      – Set Enable this provider to Yes.
      – Set Enable “trust this device” option to Yes (users then do not need to type the authenticator code on every login from a device they have marked as trusted) or No (the code is required on every login).
      – Enter your Integration key, Secret key and API hostname.
    • Authy
      – Set Enable this provider to Yes.
      – Type the API key for your Authy account.
      – Set Enable “trust this device” option to Yes (users then do not need to type the authenticator code on every login from a device they have marked as trusted) or No (the code is required on every login).
      – Untick the Use system value checkbox to enter the messages in OneTouch Message.

Step 2: Configure Required Authenticator Provider

At least one supported authenticator must be chosen per user account, or an authenticator must be forced globally for every account. If you select multiple authenticators, the user must enter tokens for all of them.

1/ Set required authenticators per user account.

  • On the Admin sidebar, go to Stores > Settings > All Users; select and edit a user from the list, or add a new user account.
  • Click 2FA in the User Information menu.
  • Tick the checkbox of each authenticator you want to require for the user account.
  • Click Save User to complete.

2/ Force a global authenticator for all accounts.

  • On the Admin sidebar, go to Stores > Settings > Configuration.
  • Expand Security and choose 2FA; do the following:
    – Untick Use system value in the General section.
    – Select one or more authenticators.
  • Save Config to complete.

Google ReCaptcha

1/ On the Admin sidebar: Stores > Settings > Configuration.

2/ In the upper-left corner: Set Store View to Default Config.

3/ Expand Security in the left panel and select Google reCAPTCHA.

4/ Expand the General section and type your Google API website key and Google API secret key.

5/ Expand the Backend section and set the options.

You can untick the Use system value checkbox to change the setting:

  • Set Enable to Yes.
  • Select Light or Dark Theme.
  • Select Normal or Compact Size.

6/ Expand the Frontend section and add Google reCAPTCHA to customer accounts.

You can untick the Use system value checkbox to change the setting:

  • Set Enable to Yes.
  • reCAPTCHA type: decide the type you want to be used in Admin forms. You must add the correct API keys for the chosen type.
    – reCAPTCHA v2 validates with the “I’m not a robot” checkbox.
    – Invisible reCAPTCHA (recommended) validates in the background without requiring user interaction.
  • Select Light or Dark Theme.
  • Select Normal or Compact Size.
  • Select where the CAPTCHA is used. reCAPTCHA is enabled by default for some pages: Use in Login, Use in Forgot password, Use in Create user, Use in Contact, and Use in PayPal PayflowPro payment form.

7/ Save Config to complete.
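The secret key entered in step 4 is what the store uses server side: after a visitor completes the challenge, the browser submits a token, and the store posts that token with the secret key to Google’s siteverify endpoint and decides from the JSON answer whether to accept the form. Magento’s reCAPTCHA module performs this for you; the Python below is an added example, not the module’s code, showing the checks a sound verifier makes on that answer (success flag, error codes, hostname, token age). It goes beyond the page in also handling the score and action fields that reCAPTCHA v3 returns. The hostname, clock, and sample responses are constructed for the example.

```python
"""Server-side reCAPTCHA verification checks. Added example, not Magento's module code.
Responses below are constructed samples in the documented siteverify JSON shape."""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Real endpoint: the secret key from step 4 is sent here, never to the browser.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

EXPECTED_HOSTNAME = "shop.example.com"                        # assumed store hostname
NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)  # fixed clock for the samples


def build_siteverify_request(secret_key: str, response_token: str,
                             remote_ip: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Form fields for the POST to siteverify (done by the store, server side)."""
    fields = {"secret": secret_key, "response": response_token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    return SITEVERIFY_URL, fields


def evaluate_siteverify(body: str, expected_hostname: str, now: datetime,
                        max_age: timedelta = timedelta(minutes=2),
                        min_score: Optional[float] = None,
                        expected_action: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a siteverify answer should be trusted. Returns (accept, reason).
    A token is only good if Google says success, it was solved on our hostname,
    it is fresh, and (v3 only) its score and action are what the page expected."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "unparseable siteverify response"
    if data.get("success") is not True:
        # Documented codes include timeout-or-duplicate (token replayed or expired).
        return False, "rejected: " + ",".join(data.get("error-codes", ["no error code"]))
    if data.get("hostname") != expected_hostname:
        # A token solved on another site's page must not be accepted here.
        return False, "hostname mismatch: %r" % data.get("hostname")
    try:
        issued = datetime.fromisoformat(str(data.get("challenge_ts", "")).replace("Z", "+00:00"))
    except ValueError:
        return False, "missing or malformed challenge_ts"
    if issued.tzinfo is None:
        issued = issued.replace(tzinfo=timezone.utc)
    if now - issued > max_age:
        return False, "stale token"
    # v3 only: score runs 0.0 (likely bot) to 1.0 (likely human); action is the name
    # the page declared when it requested the token.
    if min_score is not None and float(data.get("score", 0.0)) < min_score:
        return False, "score below threshold"
    if expected_action is not None and data.get("action") != expected_action:
        return False, "action mismatch"
    return True, "ok"


# Constructed sample responses (not captured from Google).
OK_V2 = '{"success": true, "challenge_ts": "2024-05-01T12:00:00Z", "hostname": "shop.example.com"}'
DUPLICATE = '{"success": false, "error-codes": ["timeout-or-duplicate"]}'
WRONG_HOST = '{"success": true, "challenge_ts": "2024-05-01T12:00:00Z", "hostname": "other.example"}'
STALE = '{"success": true, "challenge_ts": "2024-05-01T11:00:00Z", "hostname": "shop.example.com"}'
LOW_SCORE_V3 = ('{"success": true, "challenge_ts": "2024-05-01T12:00:00Z", '
                '"hostname": "shop.example.com", "score": 0.1, "action": "login"}')

if __name__ == "__main__":
    for name, body in [("ok", OK_V2), ("duplicate", DUPLICATE), ("host", WRONG_HOST), ("stale", STALE)]:
        print(name, evaluate_siteverify(body, EXPECTED_HOSTNAME, NOW))
    print("v3", evaluate_siteverify(LOW_SCORE_V3, EXPECTED_HOSTNAME, NOW,
                                    min_score=0.5, expected_action="login"))
```

The hostname and freshness checks are the ones most often skipped: with only the success flag checked, a token solved elsewhere or kept around from an earlier page load would pass. Keep the secret key out of any client-side template or public repository; only the website (site) key belongs in the page.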

Conclusion

All in all, Two-Factor Authentication and reCAPTCHA are features that should not be missed. Both involve configuration sections that can be hard to understand. In this tutorial, we walked you through those steps so you can configure them with ease.

We hope that after the tutorial, all your issues are adequately addressed. If you have any further suggestions or questions, feel free to share them with us in the comment section below. Thank you for reading!
