Enabling Two-Factor Authentication in Joomla
Joomla is just one of many content management systems that allow Two-Factor Authentication, but what sets it apart from the other CMSs is that it was the first to implement the security practice. However, the Two-Factor Authentication methods for Joomla can differ from other platforms, such as WordPress where there are dozens of plugins that can perform the function. Nonetheless, the two-factor authentication methods that are usable in Joomla are, perhaps, the most secure.
You see, you usually go to a website and enter a username and password to log in and that’s all you have to do. Unfortunately, this isn’t the most secure approach because usernames and passwords can be acquired by hackers. This is sometimes the case when a computer is infected with certain types of viruses. When a username and password is taken, the website is vulnerable. Two-Factor Authentication makes it much harder for a hacker to access the backend of a website.
How to Enable Two-Factor Authentication
Enabling Two-Factor Authentication isn’t too difficult. Right after you install Joomla 3.2 or higher, you will notice a post-installation message on the backend of the site that says nothing about Two-Factor Authentication. You have to click “Review Messages” in order to see that Two-Factor Authentication is available to you. There will be an “Enable Two-Factor Authentication” button waiting for you to click. This starts the process.
Using the User Manager
The User Manager is where you really start putting Two-Factor Authentication to work. You will need to “edit user.” In other words, you can edit the user profile of anyone who has backend access to the website so that Two-Factor Authentication is specific to that user. Because you want to increase website security, you will most likely want to enable this security feature for all user groups that have any level of administrative access to the backend of the website.
Once you are in the User Manager, you will click the Two-Factor Authentication tab and then you will utilize one of the two authentication methods. The first is Google Authenticator and the second is Yubikey.
Using Google Authenticator
Google Authenticator is a smartphone and desktop application that generates a six-digit security code every 30 seconds. This means that it doesn’t stay the same long enough for a hacker to figure it out and infiltrate the website. The number remains just long enough for you to log into your website. So instead of just entering your username and password, you also enter the six-digit security code generated by the app.
To get Google Authenticator, you will need to download the application. Once it is installed, you will go to your User Manager tab, which brings us back to the part mentioned earlier about there being two types of authentication. The types are listed in a drop-down menu labeled “Authentication Method.” To use Google Authenticator after its installation, you will choose it from the drop-down menu.
When you install Google Authenticator on your desktop, you can scan the QR code with your mobile phone so you can sync your devices. This will make it possible for you to generate the six-digit code needed for login whether you are logging in on your desktop or mobile phone.
After you have done this, you will have to activate Two-Factor Authentication in order for it to work for you. There is an “Activate Two-Factor Authentication” field in which you will enter a six-digit security code that will be displayed on your smartphone’s screen or in your Google Authenticator desktop app. You can then save and close.
There is one thing to know about activation and that is that a set of one-time emergency passwords will be created. You will want to print these passwords so you have them whenever you need them. You will find these passwords on the User Manager screen under the Two-Factor Authentication tab. They are useful when you are not able to use Google Authenticator for any reason and they are destroyed upon use.
After activation, the Google Authenticator app will show the six-digit code that you will have to enter when logging into Joomla. Keep in mind that Google Authenticator is running on its own either through the desktop or mobile application, so the code will be on the Google Authenticator screen and you only have 30 seconds to log in from the time the code is generated. For example, you can generate the code on your mobile phone and then enter it into the “Secret Key” field when logging into your desktop. However, be mindful of any time lapses that may require more than one attempt when pulling your code from a device other than the one you’re using. If you need to log into your site on your phone, you will login from your phone’s browser, but the code will be displayed in the Google Authenticator app. The same concept applies to when you use the desktop application to generate a code that you can enter into the Secret Key field of your Joomla login screen while working on your desktop.
Using Yubikey for Two-Step Authentication
The Yubikey secure hardware token can be used if that is the method you prefer. You will need to acquire a Yubikey USB device that you have to plug into your USB port before logging in. When logging into your Joomla site, you will click the Secret Key field in the login area and then touch the Yubikey gold disk to complete login. If you wish to log in using a mobile phone, you will need an NFC-equipped Android device so the NFC reader can copy the secret code from a compatible Yubikey token, such as Yubikey Neo. The code is copied to the mobile device’s clipboard, but keep in mind that the code constantly changes so you have the protection you need against hackers that may acquire your password.
Just as you chose the Two-Factor Authentication tab in the User Manager screen, you will do the same when enabling Yubikey. Simply choose it from the Authentication Method drop-down screen so that Joomla knows that that is what you are going to use. You then follow the steps of activation.
Disabling Two-Factor Authentication
If you wish to disable two-factor authentication, you can log into the Joomla administrator and click “Plugin Manager under “Extensions.” You will find “Two-Factor Authentication” and then you will choose the authentication method that you are using. You then click “disable” and Two-Factor Authentication will no longer be in use.
So when you want added security, you have these two very solid two-step authentication methods to protect your Joomla website from malicious hackers. Both are reliable methods, but which you choose is entirely up to you and your individual needs.
Drag and drop interface to built responsive joomla Templates with Joomla template creator