magento2: Unable to log into Admin after clean install (without SMTP)
Preconditions (*)
- Apache 2.4
- PHP 7.4
- MySQL 8
- Elasticsearch 7
- Magento 2.4.0
Steps to reproduce (*)
- Clean install of Magento 2.4 (via composer)
- Creation of admin account via CLI (part of setup:install command)
Expected result (*)
- Logging into Magento 2.4 for the first time allows immediate Google 2FA setup
Actual result (*)
- Logging into Admin for the first time presents a warning “Failed to send the message. Please contact the administrator. You need to configure Two-Factor Authorization in order to proceed to your store’s admin area An E-mail was sent to you with further instructions”. An email is required to complete 2FA. Without an SMTP enabled server, there is no way of retrieving the link to complete 2FA.

Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.
- Severity: S0 - Affects critical data or functionality and leaves users without workaround.
- Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
- Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
- Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
- Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
If an SMTP enabled server is required to send a 2FA link to allow for an Admin to complete a first time login, then I feel this should be added as a prerequisite.
However, if there is a way to get to the 2FA QR page without the need to receive an email then this should be documented more clearly.
I am aware of the Two-Factor Authentication (MFTF) documentation, stating that you could bypass this by creating a “Base32-encoded string for the shared secret value” and then “Use the following key to add the encoded value to the MFTF .credentials file.”
However, the documentation doesn’t provide enough details on the requirements to do this. It also insinuates that this procedure is preferable for a Testing environment and not Development/Production.
If it turns out that these MFTF steps are considered “safe” to complete in a Development/Product environment then it would definitely improve QoL if these variables could be set through the bin/magento setup:install values as stated in the Install the Magento software Documentation.
About this issue
- State: closed
- Created 4 years ago
- Reactions: 18
- Comments: 19 (2 by maintainers)

It’s not directly related, as this issue talks that smtp should be a documented requirement, but current workaround for dev environments (that don’t need to have smtp set up) is simply to disable 2fa

    bin/magento mo:di Magento_TwoFactorAuth

In case anyone needs a temporary workaround to get this working without having SMTP set up:

    var_dump($url);die;

on line 86 in vendor/magento/module-two-factor-auth/Model/EmailUserNotifier.php

But at some point, 2FA needs to be enabled during Development/Production. And there is probably an argument that states “well, surely in a Development/Production environment you would have an SMTP enabled server.” But speaking from experience, myself and many others use 3rd party SMTP providers, which are normally configured in the Admin Backend. It just seems like a really overlooked part of the installation/setup process. What’s the point of enforcing 2FA on installation to only immediately disable it?

I’d simply prefer a simple CLI config:set command to generate the same URL that gets sent in the Email. Or even better, have the URL output with the Admin Backend URL notification that you see on successful install.

I’m trying not to sound negative and whiny, but this lack of clarity is frustrating.

Temporary solution to kick start your development, just disable Magento_TwoFactorAuth module. It worked for me.

    bin/magento module:disable Magento_TwoFactorAuth

Speechless @magento-admin …

What a nightmare. Same issue here. This is the first time I encountered a 2fa setup situation that requires email. Usually you log into admin, enable 2fa and then set up the token logged into admin.

Other workaround (https://devdocs.magento.com/guides/v2.4/security/two-factor-authentication.html):

    bin/magento config:set twofactorauth/general/force_providers google
    bin/magento config:set twofactorauth/google/otp_window 60
    bin/magento security:tfa:google:set-secret <admin_user> <Base32-encoded_string_for_the_shared_secret_value>

Base32: https://emn178.github.io/online-tools/base32_encode.html
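
Added example, not part of the thread or of Magento's own code: the set-secret workaround above needs a Base32 shared secret, and this sketch generates one locally from the OS CSPRNG so the value never passes through a web page, then derives the matching code and enrolment URI. It assumes the authenticator uses the standard RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits); the account and issuer labels are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def new_secret(nbytes=20):
    """Random shared secret from the OS CSPRNG, Base32-encoded, padding stripped."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 code for the secret (HMAC-SHA1, assumed authenticator defaults)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otpauth_uri(secret_b32, account, issuer):
    """Key URI that authenticator apps accept for manual or QR enrolment."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


if __name__ == "__main__":
    secret = new_secret()
    # "<admin_user>" is the placeholder from the command quoted in the thread.
    print(f"bin/magento security:tfa:google:set-secret <admin_user> {secret}")
    # Account and issuer names below are hypothetical labels for the app entry.
    print(otpauth_uri(secret, "admin", "Magento"))
    print("current code:", totp(secret))
```

Comparing the printed code with what the authenticator app shows confirms the secret was enrolled correctly before attempting the admin login.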