
Security Scan Tool returns “Can’t determine if your server uses 2FA”

Check whether the Magento_TwoFactorAuth module has been disabled. To pass the check, in general, it should be enabled.

Description

Environment

Adobe Commerce, all versions and all implementations (including Magento Open Source)

Issue

The Security Scan Tool reports: “Can’t determine if your server uses 2FA”.

Resolution

While checking for frontend 2FA, the Security Scan Tool expects one of the endpoints below to respond with an HTTP 200, 401, or 403 response code:

'rest/default/V1/tfa/provider/authy/activate',
'rest/default/V1/tfa/provider/duo_security/activate',
'rest/default/V1/tfa/provider/google/activate',
'rest/default/V1/tfa/provider/u2fkey/activate',
'rest/default/V1/tfa/forced-providers',
'rest/default/V1/msp-2fa/installed-providers',
'rest/default/V1/msp-2fa/forced-providers',
'rest/V1/tfa/provider/authy/activate',
'rest/V1/tfa/provider/duo_security/activate',
'rest/V1/tfa/provider/google/activate',
'rest/V1/tfa/provider/u2fkey/activate',
'rest/V1/tfa/forced-providers',
'rest/V1/msp-2fa/installed-providers',
'rest/V1/msp-2fa/forced-providers',
'rest/all/schema?services=twoFactorAuthAdminTokenServiceV1'

In general, Magento_TwoFactorAuth should be enabled, but:

  • There are third-party modules that enable 2FA functionality and introduce other endpoints that may not be in the list above. The solution here is to contact Adobe Support and let us know about the new URIs (Uniform Resource Identifiers).
  • Some WAFs (Web Application Firewalls) can block requests to these endpoints, so you have to check that our IP addresses aren’t blocked.

If you have a third-party 2FA module enabled, please contact the Security Scan Tool Team (securityscan@magento.com).
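To see which of the endpoints listed above answer with 200, 401, or 403 on your own store, the following added example (not part of the original article and not Adobe's scanner code) requests each one and reports the status. It assumes plain GET requests, since the article does not state which HTTP method the scanner uses; the function names and the User-Agent string are hypothetical.

```python
import sys
import urllib.error
import urllib.request

# Endpoint list rebuilt from the article: seven paths under two REST prefixes, plus the schema URL.
PATHS = ["tfa/provider/authy/activate", "tfa/provider/duo_security/activate",
         "tfa/provider/google/activate", "tfa/provider/u2fkey/activate",
         "tfa/forced-providers", "msp-2fa/installed-providers", "msp-2fa/forced-providers"]
ENDPOINTS = [f"{prefix}/{path}" for prefix in ("rest/default/V1", "rest/V1") for path in PATHS]
ENDPOINTS.append("rest/all/schema?services=twoFactorAuthAdminTokenServiceV1")
ACCEPTED = {200, 401, 403}  # status codes the article says the scan accepts

def http_status(url, timeout=10):
    """Return the HTTP status of a GET (assumed method), or None if no response arrived."""
    req = urllib.request.Request(url, headers={"User-Agent": "2fa-endpoint-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx responses are raised as exceptions by urllib
    except (urllib.error.URLError, OSError):
        return None      # DNS failure, connection reset, timeout

def check_2fa_endpoints(base_url, fetch=http_status):
    """Query every endpoint under base_url and list those returning an accepted status."""
    base = base_url.rstrip("/") + "/"
    results = {ep: fetch(base + ep) for ep in ENDPOINTS}
    passing = [ep for ep, code in results.items() if code in ACCEPTED]
    return {"detectable": bool(passing), "passing": passing, "results": results}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_2fa.py https://your-store.example/")
    report = check_2fa_endpoints(sys.argv[1])
    for ep, code in report["results"].items():
        print(f"{code if code is not None else 'no response'}\t{ep}")
    print("at least one endpoint passes" if report["detectable"] else "no endpoint passes")
```

A pass from your own network does not rule out a WAF rule that blocks the scanner's source addresses, so compare the result with the WAF logs for the scan window.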

Cause

The Magento_TwoFactorAuth module (or a different 2FA module) has been disabled, and the endpoints associated with the module can’t be reached by the Security Scan Tool.

Adobe Commerce Security Scan tool troubleshooting guide in the Adobe Commerce knowledge base
