Joomla Two-Factor Authentication

The importance of two-factor authentication simply cannot be overstated. Why? Because the majority of passwords people use are not strong enough to protect their accounts. Fortunately, Joomla has offered two-factor authentication ever since version 3.2 became available. In fact, Joomla is one of the first CMSs to implement it as part of its built-in security options.

Two-factor authentication increases your Joomla website’s security by making it impossible for hackers to brute-force your password. But why two-factor authentication, and what are the ways to enable it on your Joomla website?

Why two-factor authentication?

When it comes to passwords, most people use their names or the names of their loved ones, frequent dictionary words, significant dates, and personal mobile numbers without giving too much thought regarding their effectiveness. Truth be told, the average person rarely uses the recommended mix of uppercase and lowercase letters, numbers and special characters, let alone changing it once in a while. This is exactly the reason why your Joomla website needs an additional layer of security, the two-factor authentication.

What exactly is two-factor authentication?

Normally, you only need a username and a password to log into your Joomla website. Two-factor authentication, or 2FA for short, creates an additional, time-based password that is unique to your specific username and the device you’re using. This additional password is valid only for a short period before it expires and is discarded. If you, for whatever reason, do not have access to your 2FA password, you will not be able to log into your account.

How to enable two-factor authentication

Enabling two-factor authentication is quite simple and can be accomplished in three different ways, using:

  • Google Authenticator
  • Joomla YubiKey or
  • LoginTC Joomla plugin

Once you’ve installed Joomla and accessed your backend, you’ll be greeted with a notice regarding post-installation messages. Clicking on the “Review Messages” button will lead you to a new screen telling you that 2FA is available. From there, you can click on the blue “Enable two-factor authentication” or, alternatively, open up the User Manager and you will see the 2FA tab.

If you don’t see the 2FA tab, you may not have enabled the associated plugin. If that is the case, open your Plugin Manager and locate the “Two Factor” plugins. Normally, two plugins are available: one for Google Authenticator and one for YubiKey. Enable the one you plan on using, go back to your User Manager and check whether the 2FA option is now available.

Enabling 2FA using Google Authenticator

Google Authenticator is a desktop and smartphone app developed by Google which allows you to create six-digit passwords that change every 30 seconds. When 2FA is enabled, logging into your account will require your username, password, and the six-digit temporary password. It can be enabled for the backend, frontend or both, all of which can be set up using the plugin itself. But first, you need to download Google Authenticator and install it on your desktop or smartphone.

Once installed, you will notice a QR code you need to scan either with your smartphone’s default QR scanner or using Google Authenticator’s inbuilt scanner. Some prefer using Google, but there are those who prefer using a dedicated app built just for 2FA.

Have in mind that developing such an app might not be that difficult, but you are dealing with your website security. This is why it may be better to go through a list of app design companies and find the one that will not only help you with your 2FA efforts but is also best suited for your company and its budget options.

Once the QR code is scanned, the app will start generating temporary codes that are specific to your username. Enter the secret code into the Joomla 2FA setup and click “Save & Close”. Now, every time you try to log into your account, Joomla will be asking for the additional, six-digit password. Google 2FA also allows you to create a batch of one-time passwords in case your phone is not available, or even worse, it has been stolen.
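To make the mechanism described above concrete, here is an added example (not Joomla’s or Google’s own code) of the RFC 6238 TOTP scheme that Google Authenticator and the Joomla plugin both rely on: a shared secret delivered through the QR code, a 30-second time step, six-digit codes derived with HMAC-SHA1, verification that tolerates a small amount of clock drift, and a set of hashed one-time backup codes that are consumed on first use. The `otpauth://` URI format, the 20-byte secret length and the constructed RFC test secret are assumptions of this example; the example also generalizes beyond the article by showing the verification side that a server performs, not only the code generation the app does.

```python
"""Minimal RFC 4226/6238 HOTP/TOTP generator and verifier plus one-time backup codes.
Added illustration of how authenticator-app 2FA works; not code from Joomla or Google."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

TIME_STEP = 30   # seconds per code, the interval Google Authenticator uses
DIGITS = 6       # six-digit codes, as the article describes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    now = int(time.time()) if timestamp is None else timestamp
    return hotp(secret, now // TIME_STEP)


def verify_totp(secret: bytes, code: str, timestamp: Optional[int] = None,
                window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps (clock drift).
    hmac.compare_digest keeps the comparison constant-time."""
    now = int(time.time()) if timestamp is None else timestamp
    step = now // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta), code):
            return True
    return False


def new_secret_b32(nbytes: int = 20) -> str:
    """Fresh random shared secret, base32-encoded as authenticator apps expect (assumed length)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def decode_secret_b32(b32: str) -> bytes:
    """Undo the base32 encoding, tolerating spaces, lowercase and stripped padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def provisioning_uri(b32_secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the setup QR code encodes (URI layout is an assumption)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32_secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


def generate_backup_codes(count: int = 10) -> list:
    """One-time fallback codes for when the phone is unavailable or stolen."""
    return [secrets.token_hex(4) for _ in range(count)]


def hash_backup_code(code: str) -> str:
    """Only hashes are stored, so a leaked database does not hand out working codes."""
    return hashlib.sha256(code.encode()).hexdigest()


def redeem_backup_code(stored_hashes: set, code: str) -> bool:
    """A backup code is consumed on first use; replaying it must fail."""
    h = hash_backup_code(code)
    if h in stored_hashes:
        stored_hashes.discard(h)
        return True
    return False


if __name__ == "__main__":
    # Constructed test data: the RFC 6238 reference secret, not a real user's key
    rfc_secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(rfc_secret, 59))            # 287082
    print("verify:", verify_totp(rfc_secret, "287082", 59))  # True
    b32 = new_secret_b32()
    print(provisioning_uri(b32, "admin@example.com", "Joomla"))
    print("current code:", totp(decode_secret_b32(b32)))
```

The `window` argument is the practical trade-off a site operator cares about: a window of one step accepts codes from the previous and next 30-second slot, which covers modest phone clock drift, while a wider window lengthens the lifetime of each code and should be avoided. The backup-code functions mirror the batch of one-time passwords mentioned above, with the codes stored hashed and deleted on use so that a stolen list cannot be replayed.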

Enabling 2FA using Joomla YubiKey

Enabling Joomla’s YubiKey is quite similar to enabling Google 2FA. First, you need to register (for free) to get your Yubico API ID and secret key and download the YubiKey 2FA plugin. Install the plugin and find it using the Plugin Manager in order to add your Yubico API ID and secret key.

Install the YubiKey Authentication component using the Extension Manager and add the new user through that component. After that, all you need to do is enable the YubiKey plugin and disable the standard Joomla authentication plugin to prevent the normal login from working.

As you can see, enabling two-factor authentication is as simple as it is effective. As a website admin, it is recommended that you always enable two-factor authentication in order to protect both your data and that of your users. It’s free and it only takes a couple of minutes, so make sure to enable 2FA on your Joomla website!