Enabling Two Factor Authentication (TFA) – Joomla

What is Two Factor Authentication on Joomla?

Two Factor Authentication (TFA) is a 100% open-source, free-to-use security feature for your Joomla site's backend. It works together with Google's well-known Authenticator app.

Why Two Factor Authentication for Joomla?

Installing this app adds an extra layer of security on top of Joomla's login system (front-end as well as back-end).

If anybody obtains your admin or site member's login credentials and attempts to log in, the Two Factor Authentication module will immediately prompt for a Time-based One-Time Password (TOTP), which is generated only on your phone by Google's Authenticator app. This extra layer strengthens the security at your end.

Two Factor Authentication secures the sign-in process using two factors:
+ Something you know, i.e. your site's backend password.
+ Something you have, i.e. your mobile phone (to generate the one-time code).

This article explains how to enable, configure, and use the basic options of Two Factor Authentication.

Traditionally, when you want to log in to a website, you provide your username and password to identify yourself to the system. The biggest problem with this approach is that your username and password can be stolen or guessed. For example, if your computer is infected with malware, or you access your site from an untrusted network such as a public WiFi hotspot, someone could intercept your username and password. They can then log in to your site as you. Because your username and password are compromised, your site can now be hacked.

Enable Two-Factor Authentication

The very first time you’re installing Joomla! 3.2 or higher, and access your backend, you’ll see a notice about post-installation messages.

Click the Read Messages button and you'll see a screen indicating that Two-Factor Authentication is Available. Click the Enable Two-Factor Authentication button.

To set up the Two-Factor Authentication, go to the User Manager, edit a User and go to the Two-Factor Authentication Tab:

This feature allows you to use Google Authenticator, or a compatible application, for two factor authentication. In addition to your username and password you will also need to provide a six digit security code generated by Google Authenticator to be able to login to this site. The security code is rotated every 30 seconds. This provides extra protection against hackers logging in to your account even if they were able to get hold of your password.

Google Authenticator

Google Authenticator is an application for smartphones and desktops, created by Google, that generates a six-digit security code which changes every 30 seconds. To log in to your site, you'll need your username, your password and the current six-digit security code.

You can enable Two-Factor Authentication for the Frontend, the Backend or for Both. This can be set up in the plug-in Two-Factor Authentication – Google Authenticator.

This provides extra protection against hackers trying to log in to your account. Even if they get hold of your credentials, each code is valid for a maximum of 30 seconds, which is usually not practical for an attacker. In this way, Two-Factor Authentication protects your site against unauthorized access.

Setting up the Two-Factor Authentication with Google Authenticator is actually really easy.

Step 1 – Get Google Authenticator

Download and install Google Authenticator, or a compatible application, on your smartphone or desktop. Use one of the following:

Please remember to sync your device's clock with a time server. Clock drift on your device may make it impossible to log in to your site.
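To show why the clock matters, here is an added example (not Joomla's own code) of the check a server performs on the six-digit code: it is RFC 6238 TOTP over HMAC-SHA1 with a 30-second step and six digits, the parameters Google Authenticator uses. The verifier accepts the current 30-second step plus one step either side, so a phone that is a few seconds out still works, and it refuses to accept the same step twice so a code that was captured cannot be replayed within its window. The step, digit and drift constants are assumptions chosen to match the app's defaults; the base32 secret in the comments is the RFC 6238 reference vector, not a real site's key.

```python
"""Added example: how a TOTP second-factor check works (not Joomla's own code).

RFC 6238 TOTP over HMAC-SHA1, 30-second step, six digits. The verifier
tolerates one step of clock drift either way and rejects replays.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # assumed: Google Authenticator's default period
DIGITS = 6          # assumed: six-digit codes as shown on the phone
DRIFT_STEPS = 1     # assumed: accept one step before/after the current one


def new_secret() -> str:
    """Generate a random 160-bit secret, base32-encoded as carried in the QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """The six-digit code the phone shows at the given Unix time (now by default)."""
    at = int(time.time()) if at is None else at
    return hotp(secret_b32, at // STEP_SECONDS)


class TotpVerifier:
    """Server-side check for one user's secret, with drift tolerance and replay rejection."""

    def __init__(self, secret_b32: str) -> None:
        self.secret = secret_b32
        self.last_step_used = -1  # highest step already accepted; anything at or below is a replay

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        current = at // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self.last_step_used:
                continue  # a code for this step was already consumed
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step_used = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"), used only for demonstration.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    v = TotpVerifier(demo_secret)
    print("code at t=59:", totp(demo_secret, 59))          # 287082 per the RFC test vector
    print("accepted:", v.verify("287082", 59))              # True
    print("replayed:", v.verify("287082", 59))              # False
    print("drifted phone (one step ahead):", v.verify(totp(demo_secret, 90), 60))  # True
```

A phone that is more than one step out of sync produces a code outside the accepted range, which is exactly the "inability to log in" the caveat above describes; widening `DRIFT_STEPS` trades that away for a larger window in which a captured code stays usable.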

Step 2 – Set up

You will see a QR code to scan with a mobile phone that has Google Authenticator installed.

Step 3 – Activate Two-Factor Authentication

To verify that everything is set up properly, enter the security code displayed in Google Authenticator in the field below and select the button. If the code is correct, the Two Factor Authentication feature will be enabled.

One time emergency passwords

If you do not have access to your two factor authentication device you can use any of the following passwords instead of a regular security code. Each one of these emergency passwords is immediately destroyed upon use. We recommend printing these passwords out and keeping the printout in a safe and accessible location, e.g. your wallet or a safety deposit box.

There are currently no emergency one time passwords generated in your account. The passwords will be generated automatically and displayed here as soon as you activate two factor authentication.
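The emergency passwords described above are the usual "backup codes" pattern; the following is an added example of how such a store behaves (not Joomla's own implementation): codes are generated randomly, only a hash of each is kept, the plaintext is returned exactly once for printing, and a code is deleted the moment it is redeemed so a printout found later cannot be reused. The code length, alphabet and count are assumptions, not Joomla's values.

```python
"""Added example (not Joomla's own code): emergency one-time passwords.

Each code is random, only its hash is stored, and a code is destroyed on use.
"""
import hashlib
import hmac
import secrets
import string
from typing import List, Set

CODE_ALPHABET = string.ascii_uppercase + string.digits  # assumed format
CODE_LENGTH = 8                                          # assumed length
CODE_COUNT = 10                                          # assumed batch size


def _hash_code(code: str) -> str:
    # Codes are high-entropy random strings, so SHA-256 of the normalised text is
    # enough to keep a database copy from being usable as a login credential.
    return hashlib.sha256(code.strip().upper().encode("ascii")).hexdigest()


class EmergencyCodes:
    """Backup-code store for one account."""

    def __init__(self) -> None:
        self._hashes: Set[str] = set()

    def generate(self, count: int = CODE_COUNT) -> List[str]:
        """Create a fresh batch, replacing any previous one.

        Returns the plaintext codes once, for the user to print; only hashes are kept.
        """
        codes = [
            "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(count)
        ]
        self._hashes = {_hash_code(c) for c in codes}
        return codes

    def remaining(self) -> int:
        """How many unused codes are left, so the user can be warned to regenerate."""
        return len(self._hashes)

    def redeem(self, candidate: str) -> bool:
        """Accept the code if it is unused, then destroy it.

        Every stored hash is compared, so timing does not reveal how far
        through the set a match was found.
        """
        wanted = _hash_code(candidate)
        matched = None
        for stored in self._hashes:
            if hmac.compare_digest(stored, wanted):
                matched = stored
        if matched is None:
            return False
        self._hashes.discard(matched)  # "immediately destroyed upon use"
        return True


if __name__ == "__main__":
    store = EmergencyCodes()
    printout = store.generate()
    print("print and keep safe:", printout)
    print("first use:", store.redeem(printout[0]))    # True
    print("second use:", store.redeem(printout[0]))   # False, already destroyed
    print("left:", store.remaining())                 # 9
```

Because the plaintext is handed over only by `generate`, losing the printout means regenerating the whole batch, which is the same behaviour the Joomla screen implies when it says the passwords are created at activation time.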

Now your site access is protected by Two-Factor Authentication. Log out of your backend and log in again; you'll see that instead of asking only for the username and password, Joomla! is also asking for a secret key. The Secret Key is the six-digit code shown on your Google Authenticator screen.

If you don't enter the secret code, or you enter a random one, you won't be able to log in. This is what will happen to a hacker who tries to access your backend, since they don't have the correct secret key.

About the author: tech@squarebrothers.com
