Since the release of Magento 2.4, Two-Factor Authentication (2FA) has become a mandatory security feature for the Admin Panel. While this is a critical security enhancement for production environments, it can often become a bottleneck for developers working in local environments or automated testing pipelines. If you need to bypass this security layer to streamline your workflow, there are several reliable methods to achieve this.

In this guide, you will learn how to disable the Two-Factor Authentication module in Magento 2.4 using the Command Line Interface (CLI), configuration files, and community-developed tools. We will also cover the specific steps required for the most recent versions, including Magento 2.4.6 and 2.4.7.

The most straightforward way to disable 2FA is through the Magento CLI. In modern versions of Magento 2.4 (specifically 2.4.5 and above), there are actually two modules involved in the authentication process: the core 2FA module and the Adobe IMS integration module. You must disable both to effectively remove the requirement.

Run the following command from your Magento root directory:

bin/magento module:disable Magento_AdminAdobeImsTwoFactorAuth Magento_TwoFactorAuth
bin/magento cache:flush

By running this command, you tell Magento to ignore these modules during the bootstrapping process. If you are on a version older than 2.4.5, you might only need to disable Magento_TwoFactorAuth, but disabling both is a safe bet for compatibility.

Method 2: Full Deployment Flow for Magento 2.4.6 and 2.4.7

In newer versions like Magento 2.4.6 and 2.4.7, simply disabling the module and flushing the cache might not be enough due to dependency injection (DI) and generated code. To ensure a clean state, you should follow the full deployment sequence:

php bin/magento module:disable Magento_AdminAdobeImsTwoFactorAuth Magento_TwoFactorAuth
php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento setup:static-content:deploy -f
php bin/magento indexer:reindex
php bin/magento cache:flush

This sequence ensures that the system configuration is updated, the dependency injection container is rebuilt without the 2FA classes, and all static assets are correctly mapped.

Method 3: Modifying Configuration Files

If you prefer not to use the CLI or if you want to ensure the module stays disabled across different deployments via version control, you can modify the configuration files directly.

Using config.php

Navigate to app/etc/config.php and locate the module list. Change the value for the 2FA modules from 1 to 0:

'modules' => [
    // ...
    'Magento_TwoFactorAuth' => 0,
    'Magento_AdminAdobeImsTwoFactorAuth' => 0,
    // ...
]

Using env.php (Environment Specific)

If you want to disable 2FA only on your local machine but keep it enabled on production, the best practice is to use app/etc/env.php. This file is typically ignored by Git, making it perfect for environment-specific overrides.

Add the following block to your env.php file:

'modules' => [
    'Magento_TwoFactorAuth' => 0,
    'Magento_AdminAdobeImsTwoFactorAuth' => 0,
],

Method 4: Using Community Developer Modules

Several community leaders have created modules that allow for a more nuanced approach to 2FA. Instead of completely disabling the core module, these tools can provide a toggle in the System Configuration or provide developer-friendly defaults.

  1. Mark Shust's 2FA Disable Module: This is a widely used developer tool that effectively disables 2FA while keeping the core modules active, which prevents issues with dependencies in other modules.
  2. WolfSellers Enable/Disable Module: This module adds a simple toggle in the Magento Admin (under Store Configuration) to turn 2FA on or off. You can install it via composer:
composer require wolfsellers/module-enabledisabletfa

Security Warning

It is important to emphasize that disabling 2FA on a production server is strongly discouraged. Magento's 2FA is designed to protect your store from unauthorized access, even if an admin password is compromised. Only disable this feature in secure, local development environments or isolated staging environments where data sensitivity is low.

Frequently Asked Questions

Can I disable 2FA for just one specific admin user?

No, the core Magento 2.4 2FA module is a global requirement for the entire admin panel. To allow specific users to bypass it, you would need a third-party extension that adds per-user configuration logic.

Will disabling 2FA break my Magento updates?

If you disable it via the CLI or config.php, it should not break the update process. However, if other third-party modules depend on Magento_TwoFactorAuth, you might encounter errors during setup:di:compile. In such cases, using a developer module that "mutes" the 2FA rather than disabling the module entirely is the better approach.

Why does 2FA keep coming back after a deployment?

If you are using a CI/CD pipeline, your config.php might be overwritten during the build process. Ensure that your deployment scripts are not re-enabling the module or that your env.php on the target server is correctly configured to keep it disabled.

Wrapping Up

Disabling Two-Factor Authentication in Magento 2.4 is a common task for developers looking to speed up their local workflow. Whether you choose the quick CLI command, a configuration file override, or a dedicated developer module, the process is straightforward as long as you account for both the Magento_TwoFactorAuth and Magento_AdminAdobeImsTwoFactorAuth modules. Always remember to re-enable these features before pushing your code to a live environment to maintain the highest security standards for your Adobe Commerce store.