Two factor authentication is one of Joomla! 3 improvements which can and will improve security. This is because by enabling two factor authentication, it is practically impossible for a hacker to use a brute-force attack to guess the details of your Joomla! username and password. This is particulary important for the administrator part of the website, which ensures that attacks which try to guess your password can never be successful.
What is Two Factor Authentication?
Two factor authentication is additional layer of security, which creates a temporary (time-based) password which is unique to a specific username. The key gets discarded (and becomes invalid after literally a few seconds). If you don't have access to this temporary password or secret key, you won't be able to login.
Disabling Two factor Authentication or the Joomla Secret Key
If you've already activated two factor authentication and want to remove it - first of all, you'll need to make sure you have access to the administration (i.e. using a Secret key). Once you have logged in, you only need to disable the two factor authentication plugin from Plugin Manager > (search for) Two Factor > Disable the Two factor Authentication plugin which is enabled. That should be it!
Enabling Two Factor Authentication for Joomla!
So let's how to enable two factor authentication in Joomla. Please note that this is supported as part of the core and does not require any additional Joomla! extension. The secret key is a new field which allows you to enter the temporary key. But where do you actually get the temporary key from?
The first step you need to do is enable two factor authentication by enabling the plugin from the Plugin Manager (Plugin Manager > Two Factor Authentication - Google Authenticator or Yubikey (depends which key generator you plan to use)). You can select whether you want this to be enabled for
- The back-end only (admistrator)
- The front-end only (front-end)
Once you enable the plugin, you will start seeing the secret key field.
Now you need to configure the user via the User Manager. The idea is that now you will need to associate the user with a device which only the specific user has access to. One ubiquitous device which you can use to generate the secret keys is the Google Authenticator. This is a Smartphone App available on the Google Play store or Apple iTunes which is used to generate secret keys to access your Google Account. The Google Authenticator can also double as a secret generator for Joomla too.
Setting up Two Factor Authentication with the Google Authenticator
- Go to the User Manager, click on the user which you want to setup (e.g. the super administrator user)
- (After having enabled the Two Factor Authentication plugin as described above), you will find a new "Two Factor Authentication" tab as can be seen below as part of the parameters of the user
- From the Authentication Method dropdown, choose the Google Authenticator (which is available by default in the Joomla Core installation).
- As soon as you choose the Google Autheticator, you will get detailed steps of how to set this up. If you've used two factor authentication before, you know that this is quite an easy step, which is typically completed by scanning a QR code using the Authenticator app itself (see below)
- Once you scan the code, the Google Authenticator will start generating codes which are specific to that username
- To complete the setup, you'll need to enter one a correct secret code from the Authenticator after the setup
Once all of these steps are done, Two Factor Authentication has been enabled for this user. When you get to the login screen, either in the front-end, or in the back-end (according to what you have chosen), you will need to supply the secret code from your Authenticator, otherwise you won't be able to login.
Recommended Step: Generate a batch of one-time passwords
One time passwords - so what happens if you're Android phone is not available and you lose access to the Authenticator? Do you get locked out of your Joomla website? Not if you do the next steps. The setup of Google Authenticator recommends that you create a batch of one-time passwords. These are secret keys, which can be used only once. You should generate these and store them in a safe place, print them and put them in your wallet, and on your desk, so that if you lose access to your phone, you'll be able to use these one-off secret keys to be able to login, until you regain access to the Authenticator.
Setting up Two Factor Authentication with the YubiKey
If you have access to or have bought a YubiKey for Two Factor authentication, you can also use this with your Joomla website. These are the steps to enable YubiKey two factor authentication with Joomla
- Register for Free to get your Yubico Web Service API Id and Secret key (which you will need later on)
- Download the YubiKey plugin from the Google Code YubiKey project and the YubiKey Authentication component
- Install the authentication plugin via Joomla administration: Extensions > Extension Manager > Upload Package File
- Find the Yubikey authentication plugin from the Plugin Manager > Authentication - Yubikey. You'll need to specify your Yubico Web Service API ID and Secret Key in the plugin settings and save the settings.
- Install the Joomla Yubikey Authentication component via the Extension Manager
- Access the YubiKey Authentication component and add a new Yubikey user with the component.
- Enable the Authentication - Yubikey plugin in the Plugin Manager. Your secret key above is now generated by the YubiKey. You should now be able to connect using YubiKey Two Factor Authentication
- You will also need to disable the standard Joomla authentication plugin which is enabled by default when you install Joomla otherwise the normal Joomla login will still work.