Secure your Joomla! website with two-factor authentication

Since the release of Joomla! 3.2 way back at the end of 2013 it’s been possible to protect Joomla-based websites with a special authentication method called two-factor authentication (or 2FA for short). The concept of two-factor authentication is to provide an additional layer of security by requiring the use of two different components before you can access your website.

With Joomla! the first component is always a regular user password, but the second one may vary depending on your preferred solution. Adding a secondary factor to your authentication process provides a substantial security boost for your site, and makes it almost impossible for hackers to gain access to your site via dictionary attacks; that is, bypassing the password prompt by trying millions of likely candidates (such as words from a dictionary, hence the name) by automated means, which, as you can imagine, is just a little bit faster than guessing a password by hand! This is also why it's generally accepted that passwords should contain a combination of upper and lower-case letters, numbers and special characters; it makes it much harder for a dictionary attack to guess successfully.

Back to the topic at hand; chances are you’ve used two-factor authentication somewhere in your daily life. Services like Gmail include an option for receiving an SMS code after logging in with your username and password that must be entered before you can access your email, and most banks demand some kind of additional security layer, whether it’s secondary information such as passphrases, or card readers that output special codes when your PIN is entered. There’s no doubt it’s a safer way to log in, so why not use this method in Joomla?

Joomla! and two factor authentication

Before Joomla! 3.2 came along there wasn’t any built-in mechanism to secure your website with a secondary authentication option. However, as we’ve come to expect from the Joomla community, there were of course a number of third-party plugins available that extended your authentication options. One of the most well-known plugins was the 2FA plugin from Akeeba (well-known nowadays for their impressive Akeeba Backup extension), which was later incorporated into the Joomla! core. As a little aside that’s well worth mentioning: Joomla! is the first major CMS with 2FA working out of the box. As access to the Joomla! back-end as a Super User (Administrator) includes the ability to do pretty much anything with a website, it’s a good idea to, at the very least, consider utilizing 2FA for super admins. Now, whereas usernames and passwords can be stored in a password manager or by the browser itself for fast logins, with 2FA it’s inevitably going to be a little bit inconvenient. Still, the security of your website makes this extra step worthwhile, and the options available for Joomla are a bit easier than copying an SMS code. Also, don’t forget that it’s not always necessary to use a Super User account for day-to-day tasks like posting articles; keeping lesser accounts for such tasks means you don’t always have to deal with the extra authentication when you’re making minor changes.

What 2FA methods can be used in Joomla?

If you already have a Joomla! version higher than 3.2 on your site (and we really recommend that you do, since the smaller, more regular releases of the modern Joomla roadmap mean there’s less risk involved when upgrading compared to earlier versions), then there are two options available for your secondary factor authentication. In Joomla! there are authentication-type plugins which provide this extra security. Basically, you can choose between:

* Google Authenticator
* Yubikey authentication

These methods may be turned on/off on a per user basis, so you can restrict certain users whilst leaving others with standard login methods. This is a really flexible system, especially when using the Yubikey method that requires an extra device (which we’ll explain shortly!). What’s more, Joomla allows you to turn on two-factor authentication for the back-end only, or both front-end and back-end access for even more protection.

Google Authenticator

Google Authenticator iOS Application

Google Authenticator is a kind of software token which generates a verification code (consisting of numeric characters only) which must be filled in as the second factor after the username/password screen. This authentication method uses timestamps to generate the verification code, which means that each code is only valid for a limited time period, so you’ll need to be quick getting the code copied into the appropriate field. With Google Authenticator the code is not a fixed, pre-issued one-time password; a fresh code is generated in a loop, because the current time is what the server uses to verify it. What is really convenient with the Google Authenticator method is the fact that the application is available for multiple platforms and even as a browser extension, which makes it easy to copy the generated code to the clipboard, so you can just CTRL/CMD+V the code into the extra field without hassle.


Yubikey device

Yubikey is a small hardware device which can generate a one-time code, which must be entered as the second authentication step. Naturally there’s an extra cost compared to Google Authenticator since you’ll have to purchase the required device, but this device may be used for multiple purposes beyond Joomla access, and it’s more secure than a phone application, which is subject to all the vulnerabilities inherent in the phone OS. Several Yubikey models are available, but for Joomla! even the cheapest one will be sufficient. A Yubikey looks similar to a slim pendrive with a touch button at the top. Your system will actually detect it as a keyboard device, and technically it is a keyboard, just one with only one button. Touching this button will immediately type (wherever your cursor is placed) a long one-time code string and press enter; really convenient as well as secure, because in Joomla you don’t even need to click on the ‘login’ button – you fill in username + password and touch the Yubikey’s button – so easy!
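As an added example (not code from the article or from Joomla!’s Yubikey plugin), this is how the string the key “types” is taken apart on the receiving side: a Yubico OTP is 44 characters of modhex (Yubico’s keyboard-layout-independent hex alphabet), of which the first 12 are the key’s static public ID and the last 32 the encrypted one-time part. Only the public ID can be interpreted locally, to see which enrolled key is claiming to log in; the one-time part is opaque without the key’s AES secret and must go to a validation server. The OTP string below is constructed for the example.

```python
MODHEX = "cbdefghijklnrtuv"   # Yubico modhex alphabet, in order of the hex digits 0..f
TOKEN_LEN = 32                # modhex length of the encrypted one-time part


def modhex_to_hex(s: str) -> str:
    """Translate a modhex string to ordinary lowercase hex, digit by digit."""
    return "".join("0123456789abcdef"[MODHEX.index(ch)] for ch in s)


def parse_yubico_otp(typed: str) -> dict:
    """Split what the Yubikey typed into the public ID and the one-time part.

    The device finishes with an Enter keystroke, so a raw capture may carry a
    trailing newline; strip it. Reject anything that is not well-formed modhex
    before it reaches any further processing."""
    otp = typed.strip().lower()
    if not TOKEN_LEN <= len(otp) <= TOKEN_LEN + 16:
        raise ValueError("unexpected Yubico OTP length")
    if any(ch not in MODHEX for ch in otp):
        raise ValueError("non-modhex character in Yubico OTP")
    public_id = otp[:-TOKEN_LEN]
    return {
        "public_id_modhex": public_id,
        "public_id_hex": modhex_to_hex(public_id),
        "token": otp[-TOKEN_LEN:],   # opaque here; only a validation server can decrypt it
    }


def key_matches_user(typed: str, enrolled_public_id: str) -> bool:
    """Local pre-check a site can do before contacting the validation service:
    does the key that was touched belong to the user who entered the password?"""
    try:
        return parse_yubico_otp(typed)["public_id_modhex"] == enrolled_public_id.lower()
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed keystroke capture: 12-char public ID + 32-char token + the Enter the key sends
    sample = "cccccccccccb" + "dhlufbdjlefklnhiruvcktkdfvtbefhn" + "\n"
    print(parse_yubico_otp(sample)["public_id_hex"])   # 000000000001
    print(key_matches_user(sample, "cccccccccccb"))     # True
```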

Where can I turn on two-factor authentication?

First of all, the authentication plugins have to be enabled, so start by visiting your back-end main menu, click on Extensions ➝ Plugins to open the plugin list, and then filter them by the authentication type. Make sure that all of them are active, and then head to User settings. In the last tab you will find the extra security configuration, where you can specify which method you want to use. Once selected, it’ll be necessary to confirm these settings by entering a one-time password from the Authenticator or Yubikey, depending on which method you decided to pick. There is also a fallback scenario – after configuration Joomla! will show you emergency passwords which you should save in a safe place, so you can use them when you don’t have access to your second-factor device.

It’s easy when you know how, and the extra security is something worth taking advantage of if you can, especially with targeted hacking attempts on websites becoming more common. As always, we hope this article has proved helpful in getting you started with two-factor authentication, and if you’ve got any extra tips why not let us know in the comments!

This article was first published August 24th, 2015