Two factor authentication is one of those Joomla! 3.2 improvements which can and will improve security. This is because by enabling two factor authentication, it is practically impossible for a hacker to use a brute-force attack to guess the details of your Joomla! username and password. This is particulary important for the administrator part of the website, which ensures that attacks which try to guess your password can never be successful. Incidentally, if you want to strongly secure your Joomla website, whilst making it faster, you should read this.
What is Joomla Two Factor Authentication?
Disabling Two factor Authentication or the Joomla Secret Key
If you've already activated two factor authentication and want to remove it - first of all, you'll need to make sure you have access to the administration (i.e. using a Secret key). Once you have logged in, you only need to disable the two factor authentication plugin from Plugin Manager > (search for) Two Factor > Disable the Two factor Authentication plugin which is enabled. That should be it!
If you DO NOT have access to the Administrator / Administration panel of the website because you have enabled 2FA and you know can't login, you'll need to disable it via PHPMyAdmin
- Log in to PHPmyadmin
- Find the table ending in '_extensions' (the first few digits/letters are vary by installation)
- Find the plugin named plg_twofactorauth_totp and change its 'enabled' status from '1' to '0' and save!
This disables the 2FA plugin and thus gets rid of the login with the secret key!
Enabling Two Factor Authentication for Joomla!
So let's how to enable two factor authentication in Joomla. Please note that this is supported as part of the core and does not require any additional Joomla! extension. The following is the normal administrator login (on the left) and the Joomla administrator login with two factor authentication (on the right).
As you can see the secret key is a new field which allows you to enter the temporary key. But where do you actually get the temporary key from?
The first step you need to do is enable two factor authentication by enabling the plugin from the Plugin Manager (Plugin Manager > Two Factor Authentication - Yubikey or Google Authenticator (depends which key generator you plan to use)). You can select whether you want this to be enabled for
- The back-end only (admistrator)
- The front-end only (front-end)
Once you enable the plugin, you will start seeing the secret key field.
Now you need to configure the user via the User Manager.
The idea is that now you will need to associate the user with a device which only the specific user has access to. One ubiquitous device which you can use to generate the secret keys is the Google Authenticator. This is a Smartphone App available on the Google Play store or Apple iTunes which is used to generate secret keys to access your Google Account. The Google Authenticator can also double as a secret generator for Joomla too. To setup the Authenticator as your Authentication Method, you need to perform the following steps:
Setting up Two Factor Authentication with the Google Authenticator Joomla
- Go to the User Manager, click on the user which you want to setup (e.g. the super administrator user)
- (After having enabled the Two Factor Authentication plugin as described above), you will find a new "Two Factor Authentication" tab as can be seen below as part of the parameters of the user
- From the Authentication Method dropdown, choose the Google Authenticator (which is available by default in the Joomla Core installation).
- As soon as you choose the Google Autheticator, you will get detailed steps of how to set this up. If you've used two factor authentication before, you know that this is quite an easy step, which is typically completed by scanning a QR code using the Authenticator app itself (see below)
- Once you scan the code, the Google Authenticator will start generating codes which are specific to that username
- To complete the setup, you'll need to enter one a correct secret code from the Authenticator after the setup
Final Recommended Step: Generate a batch of one-time passwords
One time passwords - so what happens if you're Android phone is not available and you lose access to the Authenticator? Do you get locked out of your Joomla website? Not if you do the next steps. The setup of Google Authenticator recommends that you create a batch of one-time passwords. These are secret keys, which can be used only once. You should generate these and store them in a safe place, print them and put them in your wallet, and on your desk, so that if you lose access to your phone, you'll be able to use these one-off secret keys to be able to login, until you regain access to the Authenticator.
Setting up Two Factor Authentication with the Joomla YubiKey
- Register for Free to get your Yubico Web Service API Id and Secret key (which you will need later on)
- Download the YubiKey plugin from the Google Code YubiKey project and the YubiKey Authentication component
- Install the authentication plugin via Joomla administration: Extensions > Extension Manager > Upload Package File
- Find the Yubikey authentication plugin from the Plugin Manager > Authentication - Yubikey. You'll need to specify your Yubico Web Service API ID and Secret Key in the plugin settings and save the settings.
- Install the Joomla Yubikey Authentication component via the Extension Manager
- Access the YubiKey Authentication component and add a new Yubikey user with the component.
- Enable the Authentication - Yubikey plugin in the Plugin Manager. Your secret key above is now generated by the YubiKey. You should now be able to connect using YubiKey Two Factor Authentication
- You will also need to disable the standard Joomla authentication plugin which is enabled by default when you install Joomla otherwise the normal Joomla login will still work.
Hope that's been helpful, if you like it please share :)