From 6ef98191eb15ced1363b3c2b77ab62bca4d0aeeb Mon Sep 17 00:00:00 2001 From: Claire Condra Date: Wed, 10 Jun 2020 09:45:30 -0700 Subject: [PATCH 1/5] Review feedback Applied corrections from review; made misc edits for consistency. --- .../security/two-factor-authentication.md | 90 +++++++++++++------ 1 file changed, 65 insertions(+), 25 deletions(-) diff --git a/src/guides/v2.3/security/two-factor-authentication.md b/src/guides/v2.3/security/two-factor-authentication.md index e8e6e033552..531dfa02d50 100644 --- a/src/guides/v2.3/security/two-factor-authentication.md +++ b/src/guides/v2.3/security/two-factor-authentication.md @@ -5,7 +5,7 @@ functional_areas: - Configuration --- -Magento Two-Factor Authentication (2FA) improves security by requiring two-step authentication to access the Magento Admin for all users and from all devices. The extension supports multiple authenticators including Google Authenticator, Authy, Duo, and U2F keys. 2FA is enabled by default for all Magento Admin users, and cannot be disabled from the Magento Admin or from the command line. 2FA is not available for storefront customer accounts. +Magento Two-Factor Authentication (2FA) improves security by requiring two-step authentication to access the Magento _Admin_ for all users and from all devices. The extension supports multiple authenticators including Google Authenticator, Authy, Duo, and U2F keys. 2FA is enabled by default for all Magento _Admin_ users, and cannot be disabled from the Magento _Admin_ or from the command line. 2FA is not available for storefront customer accounts. Two-Factor Authentication gives you the ability to: 
@@ -13,18 +13,17 @@ Two-Factor Authentication gives you the ability to: - Reset authenticators for users. {:.bs-callout-info} -**Magento Community Contribution** - Magento thanks [Riccardo Tempesta](https://twitter.com/rictempesta) of [MageSpecialist](https://partners.magento.com/portal/details/partner/index/id/129/) for contributing these features as part of the Magento Community Engineering program. +**Magento Community Contribution** - Magento thanks [Riccardo Tempesta][1] of [MageSpecialist][2] for contributing these features as part of the Magento Community Engineering program. ## Magento Admin Workflows -Magento has new workflows for Admin users, including: +Magento has new workflows for _Admin_ users, including: - The ability to configure the 2FA provider globally or individually. -- Admin users must set their own personal 2FA at first login. -- Confirmation email is sent at first login to verify identity. -- The "Trust this device" option has been removed. +- _Admin_ users must set their own personal 2FA at first login, and receive a confirmation email to verify their identity. +- The `Trust this device` option has been removed. -For more information, see [Two-Factor Authentication](https://docs.magento.com/m2/ee/user_guide/stores/security-two-factor-authentication.html) in the _Magento User Guide_. +For more information, see [Two-Factor Authentication][3] in the _Magento User Guide_. ## Headless Magento 
@@ -34,21 +33,20 @@ The 2FA provider for Magento Headless can be selected with the `config:set` comm Two-Factor Authentication is implemented for Magento Web APIs with the following changes: -- `AdminTokenServiceInterface::createAdminAccessToken()` throws an exception when the Admin user doesn’t have personal 2FA configured, and also indicates that the confirmationh email has been sent. +- `AdminTokenServiceInterface::createAdminAccessToken()` throws an exception when the _Admin_ user doesn’t have personal 2FA configured, and also indicates that the confirmationh email has been sent. - `AdminTokenServiceInterface::createAdminAccessToken()` throws an exception that indicates which provider is configured for the user and suggests a provider-specific login endpoint. -- 2FA provider-specific endpoints allow each Admin user to configure a personal 2FA. -- 2FA provider-specific endpoints provide tokens for username, password, and 2FA code. +- 2FA provider-specific endpoints allow each _Admin_ user to configure a personal 2FA and provides tokens for username, password, and 2Fa code. -
+
## Install 2FA The 2FA extension installs when you install or upgrade to Magento Open Source or Commerce 2.4.x. The extension installs like a Core Bundled Extension (CBE). - + ## Configure and manage 2FA -See the Magento Admin User Guide to [configure](https://docs.magento.com/m2/ee/user_guide/stores/security-two-factor-authentication.html) 2FA settings and [manage user authenticators](https://docs.magento.com/m2/ee/user_guide/stores/security-two-factor-authentication-manage.html). +See the _Magento User Guide_ to [configure][4] 2FA settings and [manage user authenticators][5]. Administrators have options to: @@ -58,27 +56,55 @@ Administrators have options to: ## Install authenticator -After configuring 2FA for your Magento instance, Magento Admin users must install and configure an authenticator for their personal use. For complete instructions and workflows, see [Using Two-Factor Authentication](https://docs.magento.com/m2/ee/user_guide/stores/security-two-factor-authentication-use.html). +After configuring 2FA for your Magento instance, Magento _Admin_ users must install and configure an authenticator for their personal use. For complete instructions and workflows, see [Using Two-Factor Authentication][6]. ### Supported authenticators | Provider | Authentication Type | `` | | : --------- | : --------- | : ------- | -| [Google Authenticator](https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&hl=en) | Generate and enter code from mobile app Requirements: Enable in Admin | `google`| -| [Authy](https://authy.com/) | SMS, call, token, and one touch
Requirements: Enable in Admin and API keys | `authy` | -| [U2F Keys](https://docs.magento.com/m2/ee/user_guide/stores/security-two-factor-authentication-use.html#u2f-key) | Physical device to authenticate, like [YubiKey](https://www.yubico.com/).
Requirements: Enable in Admin | `u2fkey` | -| [Duo Security](https://duo.com/) | SMS and push notification.
Requirements: Enable in Admin, Integration and Secret keys, API hostname | `duo` | +| [Google Authenticator][7] | Generate and enter code from mobile app. | `google`| +| [Authy][8] | SMS, call, token, and one touch
Requirements: API keys | `authy` | +| [U2F Keys][9] | Physical device to authenticate, like [YubiKey][10]. | `u2fkey` | +| [Duo Security][11] | SMS and push notification.
Requirements: Integration and Secret keys, API hostname | `duo` | + +## Magento Functional Testing Framework + +MFTF uses Google Authenticator to execute tests with 2FA enabled. The following steps summarize how to configure MFTF with an encoded shared secret. For more information, see [Configuring MFTF for Two-Factor Authentication (2FA)][12]. + +1. Select Google Authenticator as the 2FA provider: + +```bash +bin/magento config:set twofactorauth/general/force_providers google +``` + +1. Increase the lifetime of the window to 60 seconds to prevent tokens from expiring. + +```bash +bin/magento config:set twofactorauth/google/otp_window 60 +``` + +1. Generate a Base32-encoded string for the shared secret value. For example, encoding the string `abcd` with the online [Base32 Encode][13] tool returns the value `MFRGGZDF`. Use the following key to add the encoded value to the MFTF `.credentials` file: + +```bash +magento/tfa/OTP_SHARED_SECRET=MFRGGZDF +``` + +1. Use CLI to add the encoded shared secret to Google Authenticator. + +```bash +bin/magento security:tfa:google:set-secret admin MFRGGZDF +``` ## Troubleshooting -The extension supports command line options to revoke and reset authenticators. Use these commands when you cannot access the Magento Admin. +The extension supports command line options to revoke and reset authenticators. Use these commands when you cannot access the Magento _Admin_. ### Reset authenticator per account If you need to manually reset a single user configuration, enter the following command. It restarts configuration and 2FA subscription for the user account. ```bash -bin/magento msp:security:tfa:reset +bin/magento security:tfa:reset ``` ### Advanced emergency steps 
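Review bot: the Base32 example in step 3 of the new MFTF section is wrong: encoding the string `abcd` yields `MFRGGZA=` (the trailing `=` is padding), while `MFRGGZDF` is the Base32 encoding of `abcde`. Either change the example input to `abcde` or change the value, so that a reader who checks the step against the encoder gets the same string they are told to put in `.credentials` and pass to `security:tfa:google:set-secret`. While touching that step, it is worth stating that a secret derived from a short dictionary string is only acceptable for a throwaway local test run and that the shared secret should be generated randomly for anything else. Separately, the third column header of the supported-authenticators table is an empty code span (`| Provider | Authentication Type | `` |`); from the values `google`, `authy`, `u2fkey` and `duo` and from step 1 below, it holds the value passed to `twofactorauth/general/force_providers`, so name it that way.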
@@ -90,8 +116,22 @@ In your database, you can modify the following tables and values to affect 2FA. Table: `core_config_data` -- `msp/twofactorauth/force_providers` - Delete this entry to remove forced providers option. - -Table: `msp_tfa_user_config` - -- Delete one user row to reset the user's 2FA preference and configuration. +- `twofactorauth/general/force_providers` - Delete this entry to remove forced providers option. + +Table: `tfa_user_config` + +- Delete one user row to reset the user's 2FA preerence and configuration. + +[1]: https://twitter.com/rictempesta +[2]: https://partners.magento.com/portal/details/partner/index/id/129/ +[3]: https://docs.magento.com/m2/ee/user_guide/stores/security-two-factor-authentication.html +[4]: https://docs.magento.com/m2/ee/user_guide/stores/security-two-factor-authentication.html +[5]: https://docs.magento.com/m2/ee/user_guide/stores/security-two-factor-authentication-manage.html +[6]: https://docs.magento.com/m2/ee/user_guide/stores/security-two-factor-authentication-use.html +[7]: https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&hl=en +[8]: https://authy.com/ +[9]: https://docs.magento.com/m2/ee/user_guide/stores/security-two-factor-authentication-use.html#u2f-key +[10]: https://www.yubico.com/ +[11]: https://duo.com/ +[12]: https://github.com/magento/magento2-functional-testing-framework/blob/develop/docs/configure-2fa.md +[13]: https://emn178.github.io/online-tools/base32_encode.html From 325806243faebb80d0d7b5134905a839ab2f1abd Mon Sep 17 00:00:00 2001 From: Claire Condra Date: Wed, 10 Jun 2020 10:30:43 -0700 Subject: [PATCH 2/5] trailing space fixed trailing space --- src/guides/v2.3/security/two-factor-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/guides/v2.3/security/two-factor-authentication.md b/src/guides/v2.3/security/two-factor-authentication.md index 531dfa02d50..ebd35925824 100644 
--- a/src/guides/v2.3/security/two-factor-authentication.md +++ b/src/guides/v2.3/security/two-factor-authentication.md @@ -43,7 +43,7 @@ Two-Factor Authentication is implemented for Magento Web APIs with the following ## Install 2FA The 2FA extension installs when you install or upgrade to Magento Open Source or Commerce 2.4.x. The extension installs like a Core Bundled Extension (CBE). - + ## Configure and manage 2FA See the _Magento User Guide_ to [configure][4] 2FA settings and [manage user authenticators][5]. From ff63d62217ca66e5e4b7d6c0354122ad68fd3158 Mon Sep 17 00:00:00 2001 From: Claire Condra Date: Thu, 11 Jun 2020 07:35:27 -0700 Subject: [PATCH 3/5] Update src/guides/v2.3/security/two-factor-authentication.md Co-authored-by: Jeff Matthews --- src/guides/v2.3/security/two-factor-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/guides/v2.3/security/two-factor-authentication.md b/src/guides/v2.3/security/two-factor-authentication.md index ebd35925824..05c59196f9c 100644 --- a/src/guides/v2.3/security/two-factor-authentication.md +++ b/src/guides/v2.3/security/two-factor-authentication.md @@ -35,7 +35,7 @@ Two-Factor Authentication is implemented for Magento Web APIs with the following - `AdminTokenServiceInterface::createAdminAccessToken()` throws an exception when the _Admin_ user doesn’t have personal 2FA configured, and also indicates that the confirmationh email has been sent. - `AdminTokenServiceInterface::createAdminAccessToken()` throws an exception that indicates which provider is configured for the user and suggests a provider-specific login endpoint. -- 2FA provider-specific endpoints allow each _Admin_ user to configure a personal 2FA and provides tokens for username, password, and 2Fa code. +- 2FA provider-specific endpoints allow each _Admin_ user to configure a personal 2FA and provides tokens for username, password, and 2FA code.
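Review bot: the `+` line in this hunk still has a number-agreement error: the subject is the plural "endpoints", so it should read "configure a personal 2FA and provide tokens", not "provides tokens". The unchanged context line two lines above also still carries the typo "confirmationh email", which the series never fixes; since this patch already touches the list, correct both here so the section lands clean.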
From 2c16a772bb09f243de042c74979acc2bb1a0238c Mon Sep 17 00:00:00 2001 From: Claire Condra Date: Thu, 11 Jun 2020 07:35:36 -0700 Subject: [PATCH 4/5] Update src/guides/v2.3/security/two-factor-authentication.md Co-authored-by: Jeff Matthews --- src/guides/v2.3/security/two-factor-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/guides/v2.3/security/two-factor-authentication.md b/src/guides/v2.3/security/two-factor-authentication.md index 05c59196f9c..4ebd7b48829 100644 --- a/src/guides/v2.3/security/two-factor-authentication.md +++ b/src/guides/v2.3/security/two-factor-authentication.md @@ -120,7 +120,7 @@ Table: `core_config_data` Table: `tfa_user_config` -- Delete one user row to reset the user's 2FA preerence and configuration. +- Delete one user row to reset the user's 2FA preference and configuration. [1]: https://twitter.com/rictempesta [2]: https://partners.magento.com/portal/details/partner/index/id/129/ From 0929682cb6e1d35f6eb86cc49818ae8f6f7d7e25 Mon Sep 17 00:00:00 2001 From: Claire Condra Date: Thu, 11 Jun 2020 07:55:09 -0700 Subject: [PATCH 5/5] Fixed indentation Fixed indentation of code examples. --- .../security/two-factor-authentication.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/src/guides/v2.3/security/two-factor-authentication.md b/src/guides/v2.3/security/two-factor-authentication.md index ebd35925824..1693eb4b279 100644 --- a/src/guides/v2.3/security/two-factor-authentication.md +++ b/src/guides/v2.3/security/two-factor-authentication.md 
@@ -73,27 +73,27 @@ MFTF uses Google Authenticator to execute tests with 2FA enabled. The following 1. Select Google Authenticator as the 2FA provider: -```bash -bin/magento config:set twofactorauth/general/force_providers google -``` + ```bash + bin/magento config:set twofactorauth/general/force_providers google + ``` 1. Increase the lifetime of the window to 60 seconds to prevent tokens from expiring. -```bash -bin/magento config:set twofactorauth/google/otp_window 60 -``` + ```bash + bin/magento config:set twofactorauth/google/otp_window 60 + ``` 1. Generate a Base32-encoded string for the shared secret value. For example, encoding the string `abcd` with the online [Base32 Encode][13] tool returns the value `MFRGGZDF`. Use the following key to add the encoded value to the MFTF `.credentials` file: -```bash -magento/tfa/OTP_SHARED_SECRET=MFRGGZDF -``` + ```bash + magento/tfa/OTP_SHARED_SECRET=MFRGGZDF + ``` 1. Use CLI to add the encoded shared secret to Google Authenticator. -```bash -bin/magento security:tfa:google:set-secret admin MFRGGZDF -``` + ```bash + bin/magento security:tfa:google:set-secret admin MFRGGZDF + ``` ## Troubleshooting @@ -103,9 +103,9 @@ The extension supports command line options to revoke and reset authenticators. If you need to manually reset a single user configuration, enter the following command. It restarts configuration and 2FA subscription for the user account. -```bash -bin/magento security:tfa:reset -``` + ```bash + bin/magento security:tfa:reset + ``` ### Advanced emergency steps
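Review bot: the three-space indentation of the four fences in this hunk is the right fix, because each sits under a numbered list item and must be indented to stay inside it. However, the patch header shows `index ebd35925824..1693eb4b279`, so it was generated against the tree after PATCH 2/5, not after PATCH 4/5 (`4ebd7b48829`); as posted, 5/5 does not apply on top of 3/5 and 4/5, and it would also silently drop the `2Fa` and `preerence` fixes if applied on its own. Rebase it onto 4/5 before merging.

Review bot: the second hunk indents the `bin/magento security:tfa:reset` fence by three spaces as well, but that block sits directly under the "### Reset authenticator per account" heading after a plain paragraph, not inside a list item. It still renders (up to three spaces before a fence is allowed), but it is inconsistent with the other non-list fences in the file and invites the next editor to "fix" it back; leave that fence at column 0 and restrict the indentation change to the list-nested blocks in the MFTF section.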