Configuring two-factor authentication (2FA)
Using two-factor authentication (2FA) with the Functional Testing Framework is possible with some configurations settings in Magento. In this document, we will use Google as the authentication provider.
Configure Magento
To prepare Adobe Commerce or Magento Open Source for testing when 2FA is enabled, set the following configurations through the Adobe Commerce or Magento Open Source CLI.
First, select Google Authenticator as Magento's 2FA provider:
Copied to your clipboardbin/magento config:set twofactorauth/general/force_providers google
Now set the OTP window to 29:
In 2.4.7 and later, the OTP window configuration setting controls how long (in seconds) the system accepts an administrator's one-time-password (OTP) after it has expired. This value must be less than 30 seconds. The system default is 1.
Copied to your clipboardbin/magento config:set twofactorauth/google/otp_window 29
Set a base32-encoded secret for Google Authenticator to generate a OTP for the default admin user that you set for MAGENTO_ADMIN_USERNAME in .env:
Copied to your clipboardbin/magento security:tfa:google:set-secret <MAGENTO_ADMIN_USERNAME> <OTP_SHARED_SECRET>
Configure the MFTF
Save the same base32-encoded secret in the Functional Testing Framework credential storage, e.g. .credentials file, HashiCorp Vault or AWS Secrets Manager.
More details are here.
The path of the secret should be:
Copied to your clipboardmagento/tfa/OTP_SHARED_SECRET
GetOTP
A one-time password (OTP) is required when an admin user logs into the Admin.
Use the action getOTP Reference to generate the code and use it for the Authenticator code text field in 2FA - Google Auth page.
Note:
You will need to set the secret for any non-default admin users first, before using getOTP. For example:
Copied to your clipboard<magentoCLI command="security:tfa:google:set-secret admin2 {{_CREDS.magento/tfa/OTP_SHARED_SECRET}}" stepKey="setSecret"/>
