Joomla is among the content management systems (CMS) that enable two-factor authentication. Joomla was the first to implement this security practice.
The Two-Factor Authentication method in Joomla is considered the most secure method available.
Usernames and passwords are very vulnerable to theft, most often when the computer you are logging in from is infected with a virus.
When the username and password are not additionally protected, they are easily used by unauthorized users. Thanks to Two-Factor Authentication, a hacker has a much more challenging task to gain access to the website.
2FA is one of the ways to secure Joomla.
Two-factor authentication for Joomla is an additional security layer that creates a temporary, one-time password (OTP), entirely different each time.
The key is temporary. After a short period, it becomes invalid and unusable. Let us now focus on the process of implementing Two-Factor authentication in Joomla. We will show it step by step below.
Enabling Two-Factor Authentication in Joomla is not difficult and will significantly improve security.
After installing Joomla, you will notice a post-installation message. Click "Review Messages" to see that Two-Factor Authentication is available to you (usually one of the messages near the end of the list).
There is an "Enable Two-Factor Authentication" button.
When you click it, the process of enabling 2FA will start:
If you can't see the post-installation messages, you need to manually enable two plugins (or just one - the one you want to use - depending on your requirements).
Go to Extensions (1) -> Plugins (2) -> click on "Search tools" (3) -> select twofactorauth from the "Type" select list (4) and enable one or both plugins you require:
The User Manager is where you set up Two-Factor Authentication. To do this in the Joomla panel, navigate to Users -> Manage and find your user on the list. (This way, you can also edit the user profile of anyone who has backend access to your site).
Once you've edited the profile you've selected, click the Two-factor Authentication tab and then choose one of two authentication methods from the select list.
The first is Google Authenticator, and the second is Yubikey. So there are two very robust two-step authentication methods. Which one you choose depends on you and your individual needs.
When you enable the Two-factor authentication plugin, frontend users can enable and benefit from the extra security layer on their accounts (remember to select the proper option in the plugin: it should be Both or Site (frontend)).
Now all users will have the option to enable the 2FA in their account when they edit their profile. The setup is the same as when in the backend.
The new section in the Edit Profile view shows up and can be configured by users.
Google Authenticator is a smartphone and desktop app that generates a six-digit security code every 30 seconds. The code remains valid only for that window, during which you must use it to log in to your website.
First, install Google Authenticator on your desktop or mobile device. Scanning the QR code with the app shares the secret between your site and the device, which is how the app generates the six-digit code needed for login (whether you log in from your desktop or your mobile phone).
Now select Google Authenticator from the list, and you will be given detailed steps on setting this up. It is a reasonably easy step that is usually completed by scanning a QR code with the Authenticator app.
Once the code is scanned, Google Authenticator will start generating codes that are specific to that user account.
To complete the setup, enter one valid code from the Authenticator app. That's all.
As you can see on the screenshots below, you have to enter the secret code to log in:
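The code the plugin checks is a standard TOTP (RFC 6238) built on HOTP (RFC 4226), which is also why, as the introduction says, each code is different and expires after a short period. The following is an added example, not code from Joomla or from the Google Authenticator plugin, showing how such a verifier works with the parameters Google Authenticator uses (HMAC-SHA1, six digits, 30-second step). The secret is the RFC 6238 test secret, not a real key, and the `at_time` parameter and `TotpVerifier` class are this example's own names.

```python
"""Added example (not Joomla's code): generating and verifying Google Authenticator codes."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test secret ("12345678901234567890" in base32); constructed for the demo, not a real key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds each code stays valid
DIGITS = 6


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret carried by the QR code (padding is usually omitted)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None, step: int = TIME_STEP) -> str:
    """RFC 6238: the counter is the number of time steps elapsed since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step)


class TotpVerifier:
    """Server-side check: tolerate +/-window steps of clock drift, never accept a counter twice."""

    def __init__(self, secret_b32: str, step: int = TIME_STEP, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.window = window
        self.last_counter = -1  # highest counter already used for a successful login

    def verify(self, submitted: str, at_time: Optional[float] = None) -> bool:
        if at_time is None:
            at_time = time.time()
        now = int(at_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # a replay of an accepted code, or older than one
            if hmac.compare_digest(hotp(self.secret, counter), submitted.strip()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET_B32))
    v = TotpVerifier(DEMO_SECRET_B32)
    print("accepted:", v.verify(totp(DEMO_SECRET_B32)))
    print("replay accepted:", v.verify(totp(DEMO_SECRET_B32)))
```

The `window` of one step on each side is what lets a code typed just before the 30-second boundary still work; the `last_counter` bookkeeping is the one-time part, so a code captured from a user's screen cannot be submitted a second time inside the same window.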
If you have opted for the Yubikey USB method, select Yubikey Authentication Method on the User Manager screen. Then follow the activation steps:
You are required to have a Yubikey USB device, which must be plugged into a USB port on your computer before logging into your Joomla site. After successful login, select the Security Code field and touch the gold disk on the YubiKey device for one second. Afterward, save your user profile. If YubiCloud validates the code generated by your YubiKey, the Two Factor Authentication feature will be enabled, and this YubiKey will be linked with your user account.
It is also possible to log in using a mobile phone. It requires an NFC-enabled Android device so that the NFC reader can copy the secret code from a compatible YubiKey token (for example, the YubiKey Neo). The code is copied to the clipboard of the mobile device.
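What the site actually handles in the YubiKey flow is a 44-character one-time password: a 12-character public identity that names the key, followed by 32 characters encoding an AES-encrypted token that only YubiCloud can decrypt. The site forwards the OTP to YubiCloud and must then check the signed reply before linking or logging in the account. The following is an added example, not Joomla's or Yubico's code, of that client-side handling; the client id, API key, OTP and nonce values are constructed for the demo, and the function names are this example's own.

```python
"""Added example (not Joomla's or Yubico's code): parsing a YubiKey OTP and checking a YubiCloud reply."""
import base64
import hashlib
import hmac
import secrets

MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-independent hex alphabet
OTP_LENGTH = 44
PUBLIC_ID_LENGTH = 12

# Constructed demo values; not a real key, client id or API key.
DEMO_OTP = "ccccccbcgujhdfktfjfgulukgjrcidgtfnkgghlrcdtk"
DEMO_CLIENT_ID = "12345"
DEMO_API_KEY_B64 = base64.b64encode(b"constructed demo api key").decode()


def modhex_decode(text: str) -> bytes:
    """Decode modhex to bytes; rejects characters outside the alphabet."""
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not a modhex string")
    return bytes(MODHEX.index(a) * 16 + MODHEX.index(b) for a, b in zip(text[::2], text[1::2]))


def split_otp(otp: str):
    """Return (public_id, encrypted_part); the public id is what links an OTP to a user account."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LENGTH:
        raise ValueError("YubiKey OTP must be %d characters" % OTP_LENGTH)
    modhex_decode(otp)  # alphabet check over the whole OTP
    return otp[:PUBLIC_ID_LENGTH], otp[PUBLIC_ID_LENGTH:]


def build_verify_request(client_id: str, otp: str, nonce: str = None) -> dict:
    """Parameters sent to the YubiCloud verify API; the nonce (16-40 alphanumerics) is kept to match the reply."""
    if nonce is None:
        nonce = secrets.token_hex(16)
    return {"id": client_id, "otp": otp, "nonce": nonce}


def sign_params(params: dict, api_key_b64: str) -> str:
    """YubiCloud signature: HMAC-SHA1 over the alphabetically sorted key=value pairs joined by '&', h excluded."""
    payload = "&".join("%s=%s" % (k, params[k]) for k in sorted(params) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def parse_response(text: str) -> dict:
    """The reply is one key=value pair per line."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            params[k] = v
    return params


def check_verify_response(text: str, request: dict, api_key_b64: str) -> bool:
    """Accept the login only if the reply is correctly signed, echoes our OTP and nonce, and says OK."""
    params = parse_response(text)
    if "h" not in params or not hmac.compare_digest(sign_params(params, api_key_b64), params["h"]):
        return False  # forged or tampered reply
    if params.get("otp") != request["otp"] or params.get("nonce") != request["nonce"]:
        return False  # a reply belonging to some other request
    return params.get("status") == "OK"


def make_signed_response(params: dict, api_key_b64: str) -> str:
    """Build a reply the way the service would; used here only to produce demo input."""
    signed = dict(params)
    signed["h"] = sign_params(params, api_key_b64)
    return "\n".join("%s=%s" % (k, v) for k, v in signed.items())


if __name__ == "__main__":
    public_id, _ = split_otp(DEMO_OTP)
    print("public id:", public_id, "->", modhex_decode(public_id).hex())
    req = build_verify_request(DEMO_CLIENT_ID, DEMO_OTP)
    reply = make_signed_response({"t": "2024-01-01T00:00:00Z0000", "otp": DEMO_OTP,
                                  "nonce": req["nonce"], "sl": "100", "status": "OK"}, DEMO_API_KEY_B64)
    print("accepted:", check_verify_response(reply, req, DEMO_API_KEY_B64))
```

The three checks in `check_verify_response` are what make the cloud round trip trustworthy: the signature proves the reply came from a holder of the API key, the echoed OTP and nonce tie it to this exact request, and only then does `status=OK` count. Skipping any one of them would let a bad reply pass.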
You can disable two-factor authentication at any time. After logging into your Joomla panel, go to Extensions -> Plugins. Then find "Two Factor Authentication - Google Authenticator" or "Two Factor Authentication - YubiKey", select the one for the method you are using, and click "Disable". Two-Factor Authentication is then no longer in use for any account that relied on that method; to turn it off for a single account instead, edit that user's profile and set the authentication method back to None.
The addition of two-factor authentication in Joomla is an essential step in improving the security of the Joomla environment.
The basic username and password combination is easy to guess or steal using well-known methods. Two-factor authentication introduces a third factor that only the user holds. As a result, someone who has obtained the username and password still lacks the secret key and cannot log in.