Joomla two-factor authentication is one of those Joomla project improvements which can and will improve security. This is because by enabling two-factor authentication, it is practically impossible for a hacker to use a brute-force attack to guess the details of your Joomla! username and password.
This is particularly important for the administrator part of the website, where it ensures that attacks that try to guess your password cannot succeed.
What is Joomla Two Factor Authentication?
Joomla 3 two-factor authentication is an additional layer of security, which creates a temporary (time-based) password that is unique to a specific username and your website. The key is discarded and becomes invalid after literally a few seconds. If you don't have access to this temporary password or secret key, you won't be able to log in.
If you want to make your website more secure, in terms of login credentials, 2FA is the way to go.
Disabling Two-factor Authentication or the Joomla Secret Key
We're going to discuss two ways of disabling 2FA in Joomla. The first applies if you still have access to a secret key or your authenticator and are still able to generate secret keys. The second is a way to disable it even if you have lost access to your secret key mechanism.
With Access to Secret Key
If you've already activated two-factor authentication and want to remove it, first of all, you'll need to make sure you have access to the administration (i.e. using a Secret key).
- Log in to the Joomla Administrator with the secret key
- Disable the two-factor authentication plugin from Extensions > Plugins
- Search for Two Factor, then disable the Two-factor Authentication plugin which is enabled
No Access to Secret Key
If you DO NOT have access to the Administrator / Administration panel of the website because you have enabled 2FA and you now can't log in, you'll need to disable it via phpMyAdmin.
- From your hosting account, log in to phpMyAdmin
- Find the table ending in '_extensions' (the first few digits/letters vary by installation)
- Find the plugin named plg_twofactorauth_totp and change its 'enabled' status from '1' to '0'
- Save
This disables the 2FA plugin and thus gets rid of the login with the secret key.
Enabling Two Factor Authentication for Joomla!
So let's see how to enable two-factor authentication in Joomla.
Please note that this is supported as part of the core and does not require any additional Joomla! extension. The following is the normal administrator login (on the left) and the Joomla administrator login with two-factor authentication (on the right).
As you can see, the secret key is a new field that allows you to enter the temporary key.
But where do you actually get the temporary key from?
The first step is to enable two-factor authentication by enabling the plugin from the Plugin Manager: Plugin Manager > Two Factor Authentication - Yubikey or Google Authenticator, depending on which key generator you plan to use.
You can select whether you want this to be enabled for:
- The back-end only (administrator)
- The front-end only (front-end)
- Both
Once you enable the plugin, you will start seeing the secret key field.
Now you need to configure the user via the User Manager.
The idea is that now you will need to associate the user with a device that only the specific user has access to. One ubiquitous device which you can use to generate the secret keys is the Google Authenticator.
This is a smartphone app available on the Google Play Store or Apple iTunes which is used to generate secret keys to access your Google Account. The Google Authenticator can also double as a secret generator for Joomla.
To set up the Authenticator as your Authentication Method, you need to perform the following steps:
Setting up the Joomla Google Authenticator
- Go to the User Manager, click on the user which you want to set up (e.g. the super administrator user)
- After having enabled the Two Factor Authentication plugin as described above, you will find a new "Two Factor Authentication" tab as can be seen below as part of the parameters of the user
- From the Authentication Method dropdown, choose the Google Authenticator (which is available by default in the Joomla Core installation).
- As soon as you choose the Google Authenticator, you will get detailed steps on how to set this up. If you've used two-factor authentication before, you know that this is quite an easy step, which is typically completed by scanning a QR code using the Authenticator app itself (see below)
- Once you scan the code, the Google Authenticator will start generating codes which are specific to that username
- To complete the setup, you'll need to enter a correct secret code from the Authenticator after the setup
Once all of these steps are done, Two Factor Authentication has been enabled for this user. When you get to the login screen, either in the front-end or in the back-end (according to what you have chosen), you will need to supply the secret code from your Authenticator, otherwise, you won't be able to log in.
How to Generate A Joomla Secret Key
You cannot generate a Joomla secret key without going through the above process of associating a username with a specific Joomla Google Authenticator account.
Once you've been through this process, generating a secret key is simple. You can access the Authenticator from your phone, and read off the Secret Key that is generated for the account.
Remember that each key is only valid for about 30 seconds, then a new one is generated.
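How the Authenticator and the website arrive at the same six-digit secret key, and why it stops working after its 30-second slot, shown as an added example that is not Joomla's own code. It follows the public TOTP standard (RFC 6238); the demo secret is the RFC's published test value, and the `window` tolerance for clock drift is an assumption, not a documented Joomla setting.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for
DIGITS = 6   # length of the code shown by the Authenticator app

# Constructed demo secret: base32 of the RFC 6238 test key "12345678901234567890".
# On a real site this is the value carried in the QR code scanned during setup.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    s = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32, at=None):
    """Code for the 30-second slot containing Unix time `at` (default: now)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // STEP)


def verify(secret_b32, code, at=None, window=1):
    """Accept the code for the current slot or `window` slots either side."""
    at = time.time() if at is None else at
    counter = int(at) // STEP
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        expected = hotp(secret_b32, counter + drift).encode()
        # Constant-time comparison, so timing does not leak matching digits.
        ok |= hmac.compare_digest(expected, code.encode())
    return ok


if __name__ == "__main__":
    print("code now:", totp(DEMO_SECRET_B32))
    print("old code still valid 90s later:",
          verify(DEMO_SECRET_B32, totp(DEMO_SECRET_B32, at=59), at=149))
```

Because both sides derive the code from the shared secret and the clock, a server or phone whose time is badly out of sync will reject otherwise correct codes.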
Final Step: Generate a batch of one-time passwords
So what happens if your Android phone is not available and you lose access to the Authenticator? Do you get locked out of your Joomla website?
Not if you do the next steps.
The setup of Google Authenticator recommends that you create a batch of one-time passwords. These are secret keys, which can be used only once.
You should generate these and store them in a safe place: print them and put them in your wallet and on your desk, so that if you lose access to your phone, you can use these one-off secret keys to log in until you regain access to the Authenticator.
Setting up Two Factor Authentication with the Joomla YubiKey
If you have access to or have bought a YubiKey for Two Factor authentication, you can also use this with your Joomla website. These are the steps to enable YubiKey two factor authentication with Joomla:
- Register for free to get your Yubico Web Service API ID and Secret key (which you will need later on)
- Download the YubiKey plugin from the Google Code YubiKey project and the YubiKey Authentication component
- Install the authentication plugin via Joomla administration: Extensions > Extension Manager > Upload Package File
- Find the Yubikey authentication plugin under Extensions > Plugins > Authentication - Yubikey. You'll need to specify your Yubico Web Service API ID and Secret Key in the plugin settings and save the settings.
- Install the Joomla Yubikey Authentication component via the Extension Manager
- Access the YubiKey Authentication component and add a new Yubikey user with the component.
- Enable the Authentication - Yubikey plugin in the Plugin Manager. Your secret key above is now generated by the YubiKey. You should now be able to connect using YubiKey Two Factor Authentication
- You will also need to disable the standard Joomla authentication plugin, which is enabled by default when you install Joomla; otherwise the normal Joomla login will still work.
Frequently Asked Questions
What is two-factor or 2FA authentication?
Two-factor authentication is a security mechanism that adds an additional variable to a username and password, a 3rd field which is generated by a device that is available only to a specific user. For example, with Joomla, you can use the Google Authenticator to generate the secret key associated only with your user. You might have seen 2FA used with your online banking too, or to sign/verify VISA transactions.
Why is two-factor authentication used?
The combination of user + password can be guessed using a variety of techniques such as phishing, using known usernames and passwords, social engineering, or simply through brute force, or a combination of the above. By using two-factor authentication, you introduce a third parameter that only the user has access to. So even if the username/password is available, the secret key will only be available to the user of the account who has the secret key generator.
Is two-factor authentication safe?
While no security mechanism is 100% foolproof and hackers have been found to be able to find ways and means around 2FA, using it and enabling it is much safer than not using it.