PrestaShop Administration & Productivity

2FA Google Authenticator for PrestaShop

Two-factor authentication to harden your back-office.

The password is no longer enough. With 2FA Google Authenticator, every login to the PrestaShop 8 or 9 back office also requires a 6-digit code generated by a TOTP app on the employee's phone (Google Authenticator, Authy, 1Password, Microsoft Authenticator, etc.). Global mandatory activation or per-employee opt-in, recovery codes in case of phone loss, brute-force lockout. The security layer that native PrestaShop does not provide.

PrestaShop 8 & 9 · TOTP RFC 6238 standard · AES-256 · Brute-force protection · Recovery codes · Multistore
  • 30-day refund
  • 12 months updates
  • 24h support
www.datafirefly.com/en/
DataFirefly Google 2FA — PrestaShop Module
v1.1.0 · updated 2026-07-02
What it does

The short version.

01 · Works with any TOTP app

Compatible with every standard TOTP app (RFC 6238): Google Authenticator, Microsoft Authenticator, Authy, 1Password, Bitwarden, FreeOTP. No dependency on any third-party service.

02 · PrestaShop 8 & 9

Runs natively on PrestaShop 8.0 to 8.2 and on PrestaShop 9, including the new PS9 Symfony login page. One single version, no version-specific setup.

03 · Recovery codes

8 single-use recovery codes generated at pairing in case the phone is lost, stored as SHA-256 hashes. If everything is lost, a Super Admin can reset an employee's 2FA in one click.

04 · Hardened security

TOTP secret encrypted with AES-256 in the database. Automatic 15-minute lockout after 5 invalid codes to block brute force. QR code generated locally, no external service.

The long version

Everything you'd want to know before you install.

A detailed look at how 2FA Google Authenticator for PrestaShop works, why we built it the way we did, and the thinking behind the features above.

§ 01 · Why 2FA on PrestaShop

The PrestaShop back office is the number one attack target on your store. A compromised admin password (phishing, leak from another app, dictionary attack) means direct access to your orders, your customers, your source code. 2FA adds a second layer: even with the password, the attacker cannot log in without the phone. The vast majority of documented back-office intrusions would have been prevented by active 2FA.

§ 02 · TOTP standard, no proprietary service

The module follows the RFC 6238 (TOTP) standard — the same one used by Google Authenticator, Authy, 1Password, Microsoft Authenticator, etc. Your employees use the app of their choice, without installing anything specific. If your company already uses 1Password, the 2FA simply joins the existing secrets. No third-party service, no per-user cost, no external dependency: even the pairing QR code is generated locally in the browser.

§ 03 · PrestaShop 8 and 9, one single version

The module is natively compatible with PrestaShop 8.0 to 8.2 and PrestaShop 9, including the new Symfony login page introduced by PS9. 2FA verification plugs into the login flow whatever the version, with no version-specific setup. You can migrate your store from PS8 to PS9 without touching the module or re-pairing employees.

§ 04 · Progressive rollout

2FA can be made mandatory for all employees (forced mode: any employee without 2FA is redirected to pairing at login) or left as individual opt-in, each employee enabling their own 2FA from their user menu. This enables a progressive rollout: start opt-in with the reminder banner, watch adoption, then switch to mandatory mode.

§ 05 · Handling a lost phone

The “I can't log in anymore, I changed phones” scenario is covered at two levels. First safety net: 8 single-use recovery codes, generated at initial pairing. The employee keeps them in a password manager or printed in a safe. Second safety net: a Super Admin can reset an employee's 2FA in one click from the module configuration page. The next login will prompt initial pairing again with a new QR code.

§ 06 · Security and brute-force protection

Each employee's TOTP secret is encrypted with AES-256 in the database — even read-only access to your SQL does not allow regenerating codes. Recovery codes are stored as SHA-256 hashes, never in plain text. After 5 consecutive invalid codes, 2FA verification for the account is locked for 15 minutes, making enumeration of 6-digit codes impractical.
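How the pieces described in § 02 and § 06 fit together in one verification path: RFC 6238 code generation, a small clock-drift window, SHA-256-hashed single-use recovery codes, and the 5-attempt / 15-minute lockout. This is an added Python illustration, not the module's own (PHP) code; the secret, recovery code and timestamps are constructed, and the state class and its return values are assumed names.

```python
import hashlib
import hmac
import struct

STEP = 30          # RFC 6238 time step in seconds
DIGITS = 6         # code length the module expects
MAX_FAILURES = 5   # invalid codes before lockout (page: 5)
LOCKOUT = 15 * 60  # lockout duration in seconds (page: 15 minutes)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 code: HOTP(secret, floor(now / STEP)) with HMAC-SHA1 (RFC 4226)."""
    counter = struct.pack(">Q", now // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class TwoFactorState:
    """Per-employee state (assumed shape): secret, failure counter, lock expiry, hashed recovery codes."""

    def __init__(self, secret: bytes, recovery_codes: list):
        self.secret = secret                  # the module keeps this AES-256 encrypted at rest
        self.failures = 0
        self.locked_until = 0
        # Recovery codes are stored only as SHA-256 hashes, never in plain text.
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in recovery_codes}

    def verify(self, submitted: str, now: int) -> str:
        """Return 'ok', 'recovery', 'invalid' or 'locked' for a submitted code."""
        if now < self.locked_until:
            return "locked"                   # even a correct code is refused while locked
        # Accept the current step and one step either side to tolerate clock drift.
        for drift in (-1, 0, 1):
            if hmac.compare_digest(totp(self.secret, now + drift * STEP), submitted):
                self.failures = 0
                return "ok"
        # Fallback: a single-use recovery code, matched by hash and then burned.
        h = hashlib.sha256(submitted.encode()).hexdigest()
        if h in self.recovery_hashes:
            self.recovery_hashes.discard(h)
            self.failures = 0
            return "recovery"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT
            return "locked"
        return "invalid"
```

The `totp` function reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, e.g. `287082` at t=59), which is a quick way to check any TOTP implementation. Encrypting the secret at rest only helps if the AES key is held outside the database an attacker can read.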