About 75% of all web skimming attacks (Magecart) come via compromised admin accounts, which are abused to plant skimming scripts on e-commerce websites. Given that, putting these accounts behind a stronger layer of protection should be a no-brainer, and Adobe has finally decided to do it.
According to the details given in a recent announcement, they are implementing two-factor authentication throughout Magento, including the Cloud Admin, the Marketplace, Forums, Help Center, and Magento U.
Users who want to activate it right away may log in to “My Account” and navigate to the “Account Settings” menu.
Beginning with the release of 2.4, the two-factor authentication step will be enabled by default for the Magento Admin, and there will be no option to disable it. Administrators who haven’t configured their 2FA by then will be locked out of their accounts until they do.
Another default setting that will change with Magento 2.4 is SSH cloud access, which will be turned off. Admins who need it will have to enable it manually via the settings, and a 2FA step will have to be configured before the server can be accessed. Adobe says that even then, SSH access tokens will be short-lived.
These are definitely “aggressive” security measures, but there is nothing wrong with being proactive when dealing with a problem this extensive and damaging.
In fact, Adobe was quite late to respond to the Magecart skimming threat waves with drastic measures, although the attacks received enough publicity each time. Of course, Adobe cannot be considered directly responsible for the lack of security or the misconfigurations in platforms managed by its clients, but putting more safeguards in place is a sure way to set the stage for better prospects.
All that said, for the 2FA system to have any effect, admins will finally have to move their e-commerce platforms to the 2.x version of Magento. Last month, we warned about the EOL for Magento 1.x and the dangers of continuing to rely on the deprecated versions from now on. Unfortunately, most Magento-based platforms are still running the unsupported release, even a full month after the EOL was reached. So, no matter what Adobe does, security on Magento sites starts and ends in the admins’ hands, and upgrading to 2.x should be non-negotiable right now.