How to Enable, disable and use Joomla 2 Factor Authentication

Two factor authentication is one of those Joomla! 3.2 improvements which can and will improve security. This is because, with two factor authentication enabled, it is practically impossible for a hacker to use a brute-force attack to guess the details of your Joomla! username and password. This is particularly important for the administrator part of the website, where it ensures that attacks which try to guess your password can never be successful. Incidentally, if you want to strongly secure your Joomla website, whilst making it faster, you should read this.


What is Joomla Two Factor Authentication?

Joomla two factor authentication is an additional layer of security, which creates a temporary (time-based) password which is unique to a specific username. The key gets discarded and becomes invalid after literally a few seconds. If you don't have access to this temporary password or secret key, you won't be able to log in.

Disabling Two factor Authentication or the Joomla Secret Key

If you've already activated two factor authentication and want to remove it - first of all, you'll need to make sure you have access to the administration (i.e. using a Secret key). Once you have logged in, you only need to disable the two factor authentication plugin from Plugin Manager > (search for) Two Factor > Disable the Two factor Authentication plugin which is enabled. That should be it!

 

If you DO NOT have access to the Administrator / Administration panel of the website because you have enabled 2FA and you now can't log in, you'll need to disable it via phpMyAdmin:

  • Log in to phpMyAdmin
  • Find the table ending in '_extensions' (the first few digits/letters vary by installation)
  • Find the plugin named plg_twofactorauth_totp and change its 'enabled' status from '1' to '0' and save!

This disables the 2FA plugin and thus gets rid of the login with the secret key!


Enabling Two Factor Authentication for Joomla!

So let's see how to enable two factor authentication in Joomla. Please note that this is supported as part of the core and does not require any additional Joomla! extension. The following is the normal administrator login (on the left) and the Joomla administrator login with two factor authentication (on the right).

As you can see, the secret key is a new field which allows you to enter the temporary key. But where do you actually get the temporary key from?

The first step is to enable two factor authentication by enabling the plugin from the Plugin Manager (Plugin Manager > Two Factor Authentication - Yubikey or Google Authenticator, depending on which key generator you plan to use). You can select whether you want this to be enabled for:

  1. The back-end only (administrator)
  2. The front-end only (front-end)
  3. Both

Once you enable the plugin, you will start seeing the secret key field.

Now you need to configure the user via the User Manager. 

The idea is that you now need to associate the user with a device which only that specific user has access to. One ubiquitous device which you can use to generate the secret keys is the Google Authenticator. This is a smartphone app, available on the Google Play store or Apple iTunes, which is used to generate secret keys to access your Google Account. The Google Authenticator can also double as a secret generator for Joomla. To set up the Authenticator as your Authentication Method, you need to perform the following steps:

Setting up Two Factor Authentication with the Google Authenticator Joomla

  • Go to the User Manager, click on the user which you want to setup (e.g. the super administrator user)
  • (After having enabled the Two Factor Authentication plugin as described above), you will find a new "Two Factor Authentication" tab as can be seen below as part of the parameters of the user
  • From the Authentication Method dropdown, choose the Google Authenticator (which is available by default in the Joomla Core installation).
  • As soon as you choose the Google Authenticator, you will get detailed steps of how to set this up. If you've used two factor authentication before, you know that this is quite an easy step, which is typically completed by scanning a QR code using the Authenticator app itself (see below)
  • Once you scan the code, the Google Authenticator will start generating codes which are specific to that username
  • To complete the setup, you'll need to enter a correct secret code from the Authenticator after the setup


Once all of these steps are done, Two Factor Authentication has been enabled for this user. When you get to the login screen, either in the front-end or in the back-end (according to what you have chosen), you will need to supply the secret code from your Authenticator, otherwise you won't be able to log in.

Final Recommended Step: Generate a batch of one-time passwords

One time passwords - so what happens if your Android phone is not available and you lose access to the Authenticator? Do you get locked out of your Joomla website? Not if you do the next steps. The setup of Google Authenticator recommends that you create a batch of one-time passwords. These are secret keys which can be used only once. You should generate these and store them in a safe place, print them and put them in your wallet, and on your desk, so that if you lose access to your phone, you'll be able to use these one-off secret keys to log in until you regain access to the Authenticator.


Setting up Two Factor Authentication with the Joomla YubiKey

If you have access to or have bought a YubiKey for two factor authentication, you can also use this with your Joomla website. These are the steps to enable YubiKey two factor authentication with Joomla:

  1. Register for Free to get your Yubico Web Service API Id and Secret key (which you will need later on)
  2. Download the YubiKey plugin from the Google Code YubiKey project and the YubiKey Authentication component
  3. Install the authentication plugin via Joomla administration: Extensions > Extension Manager > Upload Package File  
  4. Find the Yubikey authentication plugin from the Plugin Manager > Authentication - Yubikey. You'll need to specify your Yubico Web Service API ID and Secret Key in the plugin settings and save the settings.
  5. Install the Joomla Yubikey Authentication component via the Extension Manager
  6. Access the YubiKey Authentication component and add a new Yubikey user with the component.
  7. Enable the Authentication - Yubikey plugin in the Plugin Manager. Your secret key above is now generated by the YubiKey. You should now be able to connect using YubiKey Two Factor Authentication
  8. You will also need to disable the standard Joomla authentication plugin, which is enabled by default when you install Joomla, otherwise the normal Joomla login will still work.

Hope that's been helpful, if you like it please share :)


who are we?

DART Creations is run by David Attard - working in and around the web design niche for more than 12 years, we provide actionable tips for people who work with and on websites. We also run DronesBuy.net - a website for drone hobbyists
