A Web Blog by People Who Care

4Web creates highly customized websites using Joomla! and WordPress. We use open source software to meet our clients' online business goals and marketing objectives. Experience, honesty and ingenuity are the foundation of our approach for creating engaging, responsive and strategic online business solutions. We take being part of the Web community seriously, so we make sure to take the time to share some of our findings here.

Double your Joomla security with Two Factor Authentication in Joomla 3

With the release of Joomla 3.2 this month, one of the major new features is the introduction of two factor authentication. Now you can take an additional step against website hackers gaining access to your website without your knowledge.

Can’t I just reset my password?

Certainly! Strong passwords are essential. However, resetting your password won’t always help. This article by Lifehacker outlines some of the reasons for and against frequent password changes. Essentially, it should be one tool in your security toolbox, but not the only tool. And here’s where two factor authentication comes into play.

What is Two Factor Authentication?

Two factor authentication is a security technique which involves using two separate types of identification. Typically this is a website password and another string of text, either randomly generated (using something like a Yubikey) or something chosen by the user (such as a unique image). The process can be compared to withdrawing money from an ATM: the user provides a physical bank card along with a PIN to access that account. The card stores the account information, but that is really only for convenience; the account details could be entered separately, which would provide a third factor of security.

How does Two Factor Authentication work in Joomla 3?

Joomla 3.2 introduces two ways that a user can set up two factor authentication: using Google Authenticator or using a Yubikey. It works much like any other web-based two factor authentication system. When using Google Authenticator, you set up the Google Authenticator app on a mobile device and it provides a code used to confirm your identity. A Yubikey is a physical USB device that authenticates using the Yubikey servers and a randomly generated string of characters.

Setting up Two Factor Authentication in Joomla 3

  1. After installing Joomla 3.2, log in to the administration area.
  2. If you haven’t set up two factor authentication, you will be presented with an alert saying there are new post-installation messages awaiting your response. Click to see those messages.
  3. There are two messages awaiting attention here: Two Factor Authentication and Strong Passwords (though this article is about two factor authentication, forcing strong passwords is strongly recommended as well). Click to enable Joomla two factor authentication.
  4. You will now be redirected to your user profile page. Look, a new tab! You should click it.
  5. On the two factor authentication tab you can select which two factor authentication method you would like to use.

Joomla Two Factor Authentication Using Google Authenticator

You will need to download the appropriate Google Authenticator application to your smartphone or other device. There are many versions available on the Google Authenticator website. All the numbers generated are time sensitive, so once two factor authentication is enabled, you could hand out your password to anyone and they still wouldn’t be able to log in.

  1. Once you have the Google Authenticator application installed, you will be able to create an account. If you have a QR scanner installed on your device, you can connect your account using that method. Otherwise, enter your account information in the application as it is given on the Joomla Two Factor Authentication page.
  2. The application will then start generating a number every 30 seconds and displaying it. Enter this number in your Joomla profile window and click Save. Two Factor Authentication is now enabled!
  3. Log out. You will see a new box on the login screen. This will appear for every user, but only those with two factor authentication enabled will need to fill in this field.
  4. Enter your username, password, and the Google Authenticator code that is regenerated every 30 seconds. Success!

Joomla Two Factor Authentication Using a YubiKey

First, you need to purchase a Yubikey. It is a one-time purchase, and can be used as a two factor authenticator for many other web services, including LastPass, other CMS systems, computer logins and encryption. You can order one at the Yubikey website.

  1. Plug in your Yubikey and click on the box for the Security Code under Set up.
  2. Press the touch sensor on the Yubikey for 2 seconds to enter its unique, random code.
  3. Click Save and Close. Two factor authentication is now enabled with the Yubikey.
  4. Log out. You will now see a new box on the login screen. This will appear for every user, but only those with two factor authentication enabled will need to fill in this field.
  5. Enter your username and password. With the cursor in the Secret Key field, press the touch sensor on the Yubikey for 2 seconds to enter your unique, random code. The form will then submit and you will be logged in. Success!

One Time Emergency Passwords

If you have two factor authentication enabled (and you should by now, shouldn’t you?) but do not have access to your two factor authenticator (your phone or Yubikey), you have the option to use a one-time emergency password.

After you have enabled two factor authentication, you will see some emergency one-time passwords at the bottom of the Two Factor Authentication tab in your User Profile. Joomla recommends printing these and keeping them somewhere secure. Each can only be used once, so be sure to use them only when you do not have access to your normal authentication method.

Go to it

So what’s not to love? Far more security with very little effort. So go set up your Joomla two factor authentication today! Of course, you could always contact 4Web for more information about upgrading your Joomla security too.

Nicholas Dionysopoulos of Akeeba Backup has an excellent video walkthrough of how to set up Google Authentication in Joomla 3.2.