Two-factor authentication

Also known as two-step authentication or two-step verification, two-factor authentication is an additional security option that helps keep online accounts safe.

Much like drawing cash from an ATM requires two things, the card AND the code, two-step authentication adds a second layer of protection to your online accounts.

On top of your password, two-step authentication requires a special key code, generated on your side each time you log in. These key codes come from small portable devices (like the ones banks issue for online banking) or from a smartphone app (as games producer Blizzard uses).

Since the arrival of Joomla 3.2 you can use this security feature without any additional software or third-party add-on: two-factor authentication is built into the Joomla core.

Here is how it works

After installing Joomla 3.2, go to the Joomla back-end login page and you will see a new Secret Key field right below the username and password fields. At this point the new field does nothing yet; leave it empty and log in with your username and password.

Go to Plugins, select "twofactorauth" in the type selector and make sure that the two plugins delivered with Joomla, Google Authenticator and YubiKey, are both published.

If you want to use the YubiKey plugin here is what you need to do:

  1. Click on Users, User Manager from the top menu.

  2. Click on a username.

  3. Find the Two Factor Authentication tab and click on it.

  4. In the Authentication method drop-down select YubiKey.

  5. Read the instructions on the page.

    You have to click inside the Security Code text box, insert the YubiKey in a USB port on your computer, wait for the LED to light steady green and touch the gold button. Now click the Save button.

  6. When the page reloads you should no longer see the Security Code text box. Instead, you should see an area titled "Your YubiKey is already linked to your user account" with explanatory text below it.

  7. Print out the One time emergency passwords and store them in a secure location (e.g. a safe box, your wallet, ...). If you lose your YubiKey you will need to use one of those codes instead of your YubiKey's code to log in to your site and reset the two-factor authentication.

  8. Click on Save & Close.

If you want to use Google Authenticator:

Steps 1-3 are identical to those for YubiKey.

  1. In the Authentication method drop-down select Google Authenticator.

  2. Read the instructions on the page and follow steps 2 and 3 described there.

  3. Print out the One time emergency passwords and store them in a secure location (e.g. a safe box, your wallet, ...). If you do not have access to your two-factor authentication device you can use any of these passwords instead of a regular security code. Each emergency password is immediately destroyed upon use. We recommend printing these passwords out and keeping the printout in a safe but accessible location, e.g. your wallet or a safety deposit box.

  4. Click on Save & Close.
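As an added illustration (not code from Joomla or from this article), here is the time-based one-time password algorithm that Google Authenticator and the Joomla plugin share (RFC 6238 TOTP built on RFC 4226 HOTP), together with a small verifier that models the behaviour described above: a short clock-skew window, rejection of a reused code, and emergency passwords that are destroyed on first use. The secret is the RFC 4226 test key; the emergency codes and the `TwoFactorVerifier` class are constructed assumptions, not Joomla's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the base32 form a user would type or scan into
# Google Authenticator. This is the RFC 4226 test key "12345678901234567890",
# not a real account key.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30    # seconds per time step (Google Authenticator default)
DIGITS = 6   # code length shown to the user
WINDOW = 1   # also accept the step before/after to tolerate clock skew


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // STEP)


class TwoFactorVerifier:
    """Server-side check (assumed model): accepts one TOTP code per step, or one emergency code once."""

    def __init__(self, secret_b32: str, emergency_codes):
        self.secret = secret_b32
        self.emergency = set(emergency_codes)   # each is destroyed upon use
        self.last_counter = -1                  # highest step already consumed

    def verify(self, submitted: str, at=None) -> bool:
        at = int(time.time()) if at is None else at
        counter = at // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            # c > last_counter blocks replay of a code that was already accepted
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c
                return True
        if submitted in self.emergency:
            self.emergency.discard(submitted)   # one-time: gone after first use
            return True
        return False
```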

And that's all. Simpler than you might think.