Two Factor Authentication

Two-Factor Authentication

Compatible With: Community 1.6, 1.6.1,, 1.7, 1.8, 1.8.1, 1.9, 1.9.1, 1.9.2, 1.9.3 Enterprise 1.13, 1.13.1, 1.14, 1.14.1, 1.14.2, 1.14.3

Tech Specifications

Current Version:
Stable Build
06 September, 2018
Extensions, Payments & Security
License Type:
MIT License (MIT)


The JetRails 2FA plugin adds an extra layer of security to your Magento store.  User-based 2FA enablement ensures that admin users are following best security practices.


Back to top

Your Magento storefront is vulnerable. Eliminate your security risk by downloading the JetRails Two-factor authentication module. Two-factor authentication, also known as 2FA, is a critical component for Magento security and is used widely by Magento backend admin users. Authentication is a security process to verify a user's identity. Authentication consists of three factors; something they know (ie. password), something they have (ie. phone), or something they are (ie. fingerprint).

With a stock Magento installation a user is only given one method of authentication -- something they know. This usually consists of their administrative username and password. While having one method of authentication is typically secure, it has its limitations. By adding one additional layer of authentication, security is significantly strengthened. Having multiple methods of authentication is known as multi-factor authentication. It is often recommended that you choose at least two out of the three methods of authentication to ensure strong security.

This plugin works with "something they know" and "something they have". A Magento admin user that has the JetRails 2FA plugin enabled will not only be authenticated with "something they know", which would be their admin username and password, but they will also authenticate with "something they have", such as their phone or tablet.

Once the JetRails 2FA plugin is installed for your Magento store and an admin successfully logs into their account, the JetRails 2FA plugin will prompt the user to set up their 2FA account. The typical user enrollment process takes up to five minutes including installation of the Google Authenticator application on their device. For more information on using the JetRails 2FA plugin, make sure to read the user guide which offers visual step-by-step instructions.

2FA has become an industry standard and is implemented using the Time-Based One-Time Password (TOTP) algorithm. In developing this plugin, RFC-6238 was used for reference. Since 2FA gives an extra layer of protection to Magento’s authentication process, it is vital to every Magento installation.


Features & Benefits:

  • A Master Administrator can require 2FA to be utilized by specific users.
  • Usage of 2FA can be enforced and required for log in.
  • Once you use the 2FA to log in, there is an option to bypass authentication for a pre-configured number of days.
  • A Master Administrator can oversee every user's authentication process.
  • In the event of a lost or misplaced 2FA account, backup codes are available as an alternate method for authentication.
  • In the event of an attempted account breach, prevention protocols are in place via brute-force protection, which will temporarily block the account.
  • The threshold for the number of failed authentication attempts before a temporary ban is imposed is configurable.
  • The duration of a user's temporary ban is configurable.
  • An automatic instantaneous alert will be sent to the account owner and store admins informing them of an attempted breach. Any security warning will be logged with any relevant data such as the offender's IP address.
  • The 2FA account can be setup for devices (something they have) using the Google Authenticator app, which is FREE available for every platform including iPhone and Android.

Release Notes

Back to top


  • Compatible with CE: 1.6 1.6.1 1.7 1.8 1.8.1 1.9 1.9.1 1.9.2 1.9.3
  • Compatible with EE: 1.13 1.13.1 1.14 1.14.1 1.14.2 1.14.3
  • Stability: Stable Build
  • Description:

    - Added enterprise compatibility


  • Compatible with CE: 1.6 1.6.1 1.7 1.8 1.8.1 1.9 1.9.1 1.9.2 1.9.3
  • Stability: Stable Build
  • Description:

    - Changed from role based to user based 2FA enforcement
    - Made remember me duration configurable
    - Made failed attempts configurable
    - Made ban duration configurable
    - Added a manage 2FA accounts page for super admins
    - Improved email templates


  • Compatible with CE: 1.6 1.6.1 1.7 1.8 1.8.1 1.9 1.9.1 1.9.2 1.9.3
  • Stability: Stable Build
  • Description:

    - Role based TFA enablement
    - Remember authentication for 7 days
    - Backup codes as an alternate authentication method
    - Send email to account owner and admins on account block
    - Brute force protection (10 min. block between 10 failed attempts)


Back to top
The best place to start if you need help with a specific extension is to contact the developer. All Magento developers have both a contact email and a support email listed.

Q & A

Back to top


Back to top