Adding Two Factor Authentication (2FA) to Joomla
Two Factor Authentication secures your user accounts by requiring users to enter a time-sensitive code, generated by an authenticator app, along with their password before logging in. This means that even if a user's password is compromised, no one can log in to their account without the additional verification.
I would encourage you to require 2FA for any user of your website who is in the Editor user group or higher (or whatever your website's functional equivalent of an editor is).
Users will need to install an authenticator app on their phone, a program on their computer, or an extension in their browser. There are dozens of good ones to choose from; any app that implements the standard time-based one-time password (TOTP) algorithm will work. Notable choices include Microsoft Authenticator and Google Authenticator.
Two factor authentication is time-sensitive: the code is computed from the current time, so the server clock must be accurate. If your server's time is off by more than a small tolerance, 2FA will not work. Keep the server synchronised with NTP, and test 2FA on a test account before enabling it for more users.
Enable The Plugin
Enabling 2FA in Joomla 4 is incredibly easy. There's a core system plugin that's disabled by default titled "Two Factor Authentication - Google Authenticator". (Note that Joomla 4.2 and later replaced this plugin with the Multi-factor Authentication system, so the steps below apply to Joomla 4.0 and 4.1 and to Joomla 3.)
Enable this plugin with the plugin manager.
If you open the plugin settings, you have an option to use 2FA on the front end, the back end, or both.
It's up to you where you want to enable 2FA.
By default, 2FA is not required, even if the plugin is enabled. It is optional, and users may choose if they want to enable it or not.
For a user to enable 2FA on their account, they must have access to their user profile page. Under the profile settings, an option to use 2FA will appear. Should they select the "Google Authenticator" option, a detailed set of instructions will be displayed, telling the user how to configure their authenticator.
The user will be given a key, or a QR code to scan. They must enter this into their authenticator app.
After adding the key to their authenticator, the user must enter the code the app generates and save the page before that code expires (codes rotate every 30 seconds).
The Users component has an option to enforce 2FA on the front end, back end, or both. Once enforced, users in the user groups you select will be required to use 2FA. If a user does not have 2FA set up, they will be required to set it up the next time they log in.
This option is at the bottom of the first tab in the Users component options (Admin Menu → Users → Manage → Options).
Note that on whichever side of the site the plugin is enabled, all users will see the "secret key" field in the login form, even if you don't require 2FA for all users. If their accounts don't use 2FA, they may still log in without entering a secret key. This extra, apparently unnecessary field may confuse some users, so I'd advise mentioning it somewhere, or only enabling 2FA in the back end, to avoid confusion.
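Before (or after) turning on enforcement, it is worth checking which privileged accounts actually have 2FA configured. The query below is an added example, not part of the original article or of Joomla itself; it assumes the table prefix is `jos_` (replace it with your own) and the standard Joomla group names. A non-empty `otpKey` means the account has a 2FA method configured.

```sql
-- Added example: list non-blocked users in Editor-or-higher groups and whether 2FA is configured.
-- Assumption: table prefix jos_ (substitute your site's prefix from configuration.php).
SELECT u.id,
       u.username,
       u.email,
       g.title AS user_group,
       CASE WHEN u.otpKey = '' THEN 'NO 2FA' ELSE '2FA enabled' END AS two_factor
FROM jos_users AS u
JOIN jos_user_usergroup_map AS m ON m.user_id = u.id
JOIN jos_usergroups AS g ON g.id = m.group_id
WHERE g.title IN ('Editor', 'Publisher', 'Manager', 'Administrator', 'Super Users')
  AND u.block = 0
ORDER BY g.title, u.username;
```

Run it in the SQL tab of phpMyAdmin (or the `mysql` client). Any row reporting `NO 2FA` for a Super User or Administrator is the first thing to fix; a user who belongs to several privileged groups will appear once per group.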
User Lost Authenticator
If a user loses their authenticator (a lost or reset phone, for example) and their backup keys (which they should write down after enabling 2FA), only an administrator can reset their account. You can view their profile under the user manager and navigate to the Two Factor Authentication tab. Here, you can manually disable 2FA on their account, and they will be prompted to set up the authenticator again when they log in. Alternatively, you can send them one of their one time passwords.
Since administrators can view and reset 2FA keys, it's important that the admin accounts themselves are all locked down using 2FA. Do not lose your backup keys for your Super User account, or you will be locked out of your website. Other administrators cannot see or reset the 2FA keys of the Super User.
Super User Lost Authenticator
If your website's only Super User account is locked out because you've lost your 2FA keys, your only option is to remove the keys from the server by manually editing the database. (If the cause is a server clock that is off, correct the clock first; the existing codes will start working again and no database change is needed.)
Log in to phpMyAdmin, or whatever tool you can use to manage your MySQL database. You will usually have to do this through your web hosting provider. Take a backup of the database first. Open your Joomla database and locate the users table (its name is your table prefix followed by `_users`). Find the row corresponding to your Super User account and edit the row. Find the columns "otpKey" and "otep" and remove anything in these columns, leaving them as empty strings rather than NULL (for your Super User only). Save the row.
Now you should be able to log in again without the 2FA code. Re-enable 2FA on the account straight away and store the new backup keys somewhere safe.
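The same reset, done as SQL statements rather than by editing the row in the phpMyAdmin grid. This is an added example and not code from the article or from Joomla; it assumes a table prefix of `jos_` and a Super User whose username is `admin`, both of which you must substitute. The `SELECT` before and after the `UPDATE` lets you confirm you are touching exactly one row.

```sql
-- Added example: clear the legacy 2FA secret and emergency passwords for ONE Super User.
-- Assumptions: table prefix jos_, Super User username 'admin' (change both to match your site).

-- 1. Confirm the target row before changing anything.
SELECT id, username, otpKey, otep
FROM jos_users
WHERE username = 'admin';

-- 2. Clear the Google Authenticator secret (otpKey) and the one-time emergency passwords (otep).
--    Use empty strings, not NULL: both columns are defined NOT NULL in the Joomla schema.
--    The WHERE clause and LIMIT 1 make sure no other account's 2FA is disabled.
UPDATE jos_users
SET otpKey = '',
    otep   = ''
WHERE username = 'admin'
LIMIT 1;

-- 3. Verify: both columns should now be empty for that user only.
SELECT id, username, otpKey, otep
FROM jos_users
WHERE username = 'admin';
```

Once you are back in, set up the authenticator again from the user profile page so the account is not left without 2FA.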