Kevin's Guides


Adding Two Factor Authentication (2FA) to Joomla

Two Factor Authentication secures your user accounts by requiring users to enter a time-sensitive code along with their password before logging in. This means that even if a user's password is compromised, no one can log in to their account without the additional verification.

I would encourage you to require 2FA for any user of your website that's in the user group of editor or higher (or whatever your website's functional equivalent of an editor is).

Users will need to install an authenticator app on their phone, a program on their computer, or an extension in their browser. There are dozens of good ones to choose from. Notable choices include Microsoft Authenticator and Google Authenticator.

[Image: 2FA Login Form]

Two factor authentication is time-sensitive. If your server's time is off, 2FA will not work. Make sure you test 2FA out on a test account before enabling it for more users.

Enable The Plugin

Enabling 2FA in Joomla 4 is incredibly easy. There's a core system plugin, disabled by default, titled "Two Factor Authentication - Google Authenticator".

Enable this plugin with the plugin manager.

[Image: Enable 2FA (screenshot of enabling the 2FA plugin in the plugin manager)]

If you open the plugin settings, you have an option to use 2FA on the front end, the back end, or both.

It's up to you where you want to enable 2FA.

[Image: 2FA Plugin Settings]

Using 2FA

By default, 2FA is not required, even if the plugin is enabled. It is optional, and users may choose if they want to enable it or not.

For a user to enable 2FA on their account, they must have access to their user profile page. Under the profile settings, an option to use 2FA will appear. Should they select the "Google Authenticator" option, a detailed set of instructions will be displayed, telling the user how to configure their authenticator.

The user will be given a key, or a QR code to scan. They must enter this into their authenticator app.

After adding the key to their authenticator, the user must enter the generated code on the screen and save the page before the code expires (within 30 seconds).
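The time-sensitivity described above (the 30-second code window, and why a server with the wrong clock rejects every code) comes from the TOTP algorithm (RFC 6238) that both the authenticator app and the server compute. The following is an added example, not code from this guide or from Joomla; the secrets are an RFC 6238 test vector and a constructed sample key, and the one-step tolerance in `verify` is an assumption for illustration, not Joomla's actual setting.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per code, the "within 30 seconds" window

# Base32 of the ASCII string "12345678901234567890" (RFC 6238 Appendix B test secret).
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed sample key of the kind shown to the user as text / QR code; not a real account key.
SAMPLE_SECRET = "JBSWY3DPEHPK3PXP"


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated to digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step                      # same counter for every second in the window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify(secret_b32: str, submitted: str, server_time: int, skew_steps: int = 1) -> bool:
    """Accept the code if it matches the server's current step or a neighbouring step.
    skew_steps=1 (assumed, illustrative) tolerates at most 30s of drift either way.
    hmac.compare_digest keeps the comparison constant-time."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret_b32, server_time + delta * TIME_STEP)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def clock_skew_demo(secret_b32: str, phone_time: int, server_offset_seconds: int) -> bool:
    """The phone derives the code from its own clock; the server checks it with a clock
    that is off by server_offset_seconds. Returns whether the login would succeed."""
    code_from_app = totp(secret_b32, phone_time)
    return verify(secret_b32, code_from_app, phone_time + server_offset_seconds)
```

A server clock that is minutes off fails every code even though both sides hold the same key, which is why the guide tells you to test on a spare account first and why the rescue for a locked-out Super User is to clear the stored key rather than to "fix" the code.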

[Image: User Enables 2FA (user profile)]

Enforcing 2FA

The Users component has an option to enforce 2FA on the front end, back end, or both. Once enforced, users in the selected user groups will be required to use 2FA. If a user does not have 2FA set up, they will be required to set it up the next time they log in.

This option is at the bottom of the first tab in the Users component options (Admin Menu → Users → Manage → Options).

[Image: Users Component Settings]

Note that on whichever side of the site the plugin is enabled, all users will see the "secret key" field in the login form. Even if you don't require 2FA for all users, they will still see this box. If their accounts don't use 2FA, they can still log in without entering a secret key. This extra, unnecessary field may confuse some users, so I'd advise mentioning it somewhere, or only enabling 2FA in the back end, to avoid confusion.

User Lost Authenticator

If a user loses their 2FA authentication key and their backup keys (which they should write down after enabling 2FA), only an administrator can reset their account. Open their profile in the user manager and navigate to the Two Factor Authentication tab. Here, you can manually disable 2FA on their account, and they will be prompted to set up the authenticator again when they log in. Alternatively, you can send them one of their one-time passwords.

Since administrators can view and reset 2FA keys, it's important that the admin accounts themselves are all locked down using 2FA. Do not lose the backup keys for your Super User account, or you will be locked out of your website. Other administrators cannot see or reset the 2FA keys of the Super User.

Super User Lost Authenticator

If your website's only Super User account is locked out because you've lost your 2FA keys, or your server's time is off, your only option is to remove the keys from the server by manually editing the database.

Log in to phpMyAdmin, or whatever tool you can use to manage your MySQL database; you will usually do this through your web hosting provider. Open your Joomla database and locate the _users table (your site's table prefix followed by _users). Find the row corresponding to your Super User account and edit it. Find the columns "otpKey" and "otep" and remove anything that is in these columns (for your Super User only). Save the row.

Now, you should be able to login again without the 2FA code.
