2.4 Fresh Install Admin Account with Two Factor Authentication - first time login

SOLVED

I've installed Magento many times, but this is the first time I've done a fresh installation using 2.4. Am I correct in this:

  1. Two Factor Authentication cannot be turned off in 2.4. Which is OK by me.
  2. I used the command line instructions from here to specify Google auth.
  3. I followed the commands for generating base32 secret for the admin pass specified on the command line install (composer), and stuck it in the .credentials file.
  4. So how am I supposed to do a first time admin login on a fresh 2.4 installation if it doesn't have outbound email set up (to send directions for Google auth, I presume), if I have to log into the admin interface to set up the outbound email?

Perhaps I'm not understanding something correctly. Perhaps the documentation needs improvement. Any help appreciated.

3 REPLIES 3

Re: 2.4 Fresh Install Admin Account with Two Factor Authentication - first time login

Answering my own question... I found this page with instructions for disabling 2 factor authentications (though I shall put it back on later, no doubt, after setting up outbound email). One of the pages, or a prompt I had previously seen, stated flat out that TFA could not be disabled in 2.4. So I guess I ought not to believe everything I read.

Re: 2.4 Fresh Install Admin Account with Two Factor Authentication - first time login

One more addition to this thread... upon entry to the admin gui, after having disabled the two factor authentication entirely, most of the controls in the admin gui are disabled... in all scopes. Now, that may be due to the note that I referenced previously (from the 2.4 release note):

Two-factor authentication (2FA) is now required for the Magento Admin. Admin users must first configure their 2FA before logging into the Admin through either the UI or a web API. 2FA is enabled by default and cannot be disabled.

 

If indeed it is the case that these controls are disabled if 2FA has been globally disabled, that needs to be documented. The note about logging into the UI to set up 2FA is also an impossible task for a new install without having previously used the command line. And my note above regarding setting up the mail server (which is currently a set of disabled controls) still stands. Although I set up sendmail on the server, and am able to send a mail from bash, Magento cannot use it.

 

I've often thought of myself as a paranoid network administrator, and set any security-related items to a high enough extent that my users sometimes complain; but I don't set security to the point where I lock myself out.

 

Not sure how I shall proceed. I'm thinking of wiping 2.4, installing 2.3, getting email and security set up the way I want, and then upgrading. But if anyone has any suggestions, I'd love to hear them.

Re: 2.4 Fresh Install Admin Account with Two Factor Authentication - first time login

Just added to my own thread to show its resolution...

 

  • Fortunately I remembered the "from" store addresses are in env.php, so I edited that and updated using the bin/magento commands.
  • As mentioned, I had previously installed sendmail.
  • Since I have administrative access to my mail server, I enabled the store's host network as a trusted network.
  • This then allowed the QR code to reach me so that I had access.