For more details see the Two-Factor Authentication for Magento 2 extension page.
Protect your Magento e-business with simple and efficient Two-Factor Authentication extension for Magento 2. Make sure your account is available to verified users only.
To configure the extension, go to Admin panel → System → Configuration → Two-Factor Authentication.
Enable Two-Factor Authentication - Set to Yes to enable two-factor authentication extension on your Magento account.
Discrepancy — modify the allowed time drift in 30 second units (e.g. 8 means 4 minutes before or after) for verification codes generation.
IP White List - In this field, you can include reliable IP addresses. Users, who log in from these IP addresses will not be required for verification code (e.g. your staff members). You can add multiple IPs, separating them with coma.
Go to System → Permissions → Users to set admins' permissions.
Edit any existing role by clicking it or create a new one using Add New User button.
Open the Two-Factor Settings tab to configure and synchronize the extension with the Google authentication app. The application generates additional security codes.
Enable TFA - Open your Google Authenticator application and register the login by scanning the QR Code or entering the Secret Key.
Status - the default status is Not Configured. It will be switched to Configured, once you enter a Secret Key or scan the QR code.
Secret Key - Insert the Secret Key into Google Authenticator app to generate additional Security Code.
QR code - Scan QR code to receive the Secret Key and insert it into Google Authenticator app to generate additional Security Code.
Security code - Insert your received Security Code and click Check code to verify it. Verify - If Security Code is correct, then Check code link will be changed to Verified.
When the verification returns the Invalid value, you can fix this by modifying the Discrepancy value in the extension general settings.
Try increasing the value by 1, save changes, and try the verification procedure once again. If you'll face the Invalid value again, please, try to increase a discrepancy one more time.
To test, whether the extension was successfully synchronized with Google Authenticator App and well configured, log out from your current session and try to log in to the account you have configured.
This is how Google Authenticator App generates the security code.