OSTips – Enabling Two Factor Authentication in Joomla

Enabling Two Factor Authentication in Joomla

Today we’re going to be talking about a very important topic which is two factor authentication inside of Joomla websites.

So we know that over 80% of website breaches come through passwords, but how can we avoid this on our own Joomla website?

Well, we can turn on two-factor authentication.  What that means is that we’ll have a username, a password, and then a randomly generated code produced from something that is on your person physically (ex: cell phone).

Joomla offers two ways to enable two factor authentication:

  1. Google Authenticator running on a mobile device
  2. Yubikeys that are plugged into a USB port on your Mac or PC

Let’s take a look at these options!

“Hi, this OSTips from OSTraining and I’m Robbie Adair.

We’re looking at the backend of our Joomla website.  Go ahead and log in.  As you can tell, we do NOT have two factor authentication enabled, because we would have one more field here for the code if we did. Let’s go ahead and get that set up now.

  • go to extensions / plugins
  • search for Two

Now you should see both of the two factor authentication plugins that are shipped with Joomla:  1) Yubikey, and 2) Google Authenticator

  • enable both plugins
  • click on each of the plugins

Notice: Both of these have a setting that allows you to restrict whether you want the authentication to be on the front-end, back-end, or Both. We’re gonna leave ours on Both.

Once we’ve enabled these two plugins

  • go to Users / Manage
  • open a User
  • click tab called two-factor authentication
  • select Google Authenticator from dropdown
  • open the app on our phone

You can either

  1. type in the key code provided when you add a new site for the Authenticator
  2. scan the QR code, and let the app do the work for you by producing a security code

We are going to scan the QR code.

  • type in the Securty Code generated code from the Google Authenticator App for Step 3

NOTE: The security codes only last for 30 seconds, so if you’re at the end of that time, you might want to give the app a second to refresh, so you have plenty of time to type your code into the textbox.

  • scroll to top of page
  • click Save

Now that I’ve saved the user, scroll down towards the bottom of the page. You’ll see that there’s something that’s very important: One time emergency passwords.

These are very helpful in case you

  1. lose the mobile device that had Google Authenticator on it
  2. do not have access to your Google Authenticator for any other reason

In either case, you will need to use one of these codes,  so I STRONGLY suggest that you copy and paste these passwords somewhere else on your computer.  You might even consider printing them out for your files.  Keep in mind each code is only good for ONE use, so copy them all just in case this happens more than once.

  • save and close this user
  • log out from the site

Now you’ll see we have three fields:

  1. username
  2. password
  3. secret key
  • log in to the site

You will find the Secret Key inside of your Google Authenticator.

  • type it that code to complete the log in process

Suppose we do not have that code.  Let’s log back out and try to log in using just a login and password.  It is going to deny it, obviously, just as it should.

Now let’s take a look at how we set this up using a Yubikey.

  • go to Users / Manage
  • click on a User
  • click on Two Factor Authentification tab
  • switch user to Yubikey in the dropdown
  • plug the physical Yubikey in to your computer
  • place your cursor inside of the Security Code textbox
  • touch the Yubikey with your finger

Once you touch the Yubikey, you’ll see the randomly generated code inserted in the textbox. It’s always a different code. It may look very similar, but it’s always different.

Once we have the security code in, just like we did with the Google Authenticator, we’ll want to copy and paste the emergency codes somewhere handy outside of Joomla.

  • click Save
  • log out, so we can test this
  • type in name and password
  • place cursor in the Secret Key textbox
  • touch the Yubikey with your finger

It will not only enter in the code, but it will click Enter automatically, so you do NOT have to click the login button.

Okay, so that was it pretty easy, right?

  1. enable your plugins
  2. go to the specific user
  3. go to the auhentification tab
  4. select which way they’re going to have to log in with their two factor authentication whether it be Yubikey or Google Authenticator.  Some users may use one and some another and that’s okay.
  5. copy your emergency passwords for future use

That’s all there is to it!  We appreciate you listening in, and don’t forget to subscribe because we’ll have more OS tips coming your way.

This has been OStips from OS Training, and I’m Robbie Adair.”


  • Robbie Adair

    Robbie started her career in corporate training until starting her own custom training and media company almost seventeen years ago. In 2010, she began doing classroom training for OSTraining while running Media A-Team. She is often presenting about various tech topics such as Joomla, Fabrik, Web Development, Social Media, and Augmented Reality. She loves seeing that "ah-ha" moment in peoples eyes in her sessions and workshops. She lives in Houston, Texas, but enjoys all the travel for client work and speaking gigs.

    View all posts
0 0 votes
Article Rating
Notify of

Newest Most Voted
Inline Feedbacks
View all comments
10 months ago

Notice: Both of these have a setting that allows you to restrict whether you want the authentication to be on the front-end, back-end, or Both.

This seems to have changed in Joomla 4, because we can’t find the settings to disable TFA for front-end logins in the Verification Code or Yubikey plugins. Is there a new procedure for doing this?

Rod Martin
10 months ago
Reply to  sohopros
Last edited 10 months ago by imrodmartin
10 months ago
Reply to  imrodmartin

Unfortunately, that article is silent on the topic of selectively disabling MFA on the front-end. I do recall in previous Joomla versions that you were able to enable it on the front-end, back-end, or both, but now it seems like it can only be enable on both. Unless we are missing a setting somewhere.

Rod Martin
10 months ago
Reply to  sohopros

You’re right of course – sorry. I’m pretty sure you’re correct – all or nothing. Kind of a strange thing to remove – but I don’t see a setting anywhere nor did I find anything after searching for a while….

10 months ago
Reply to  imrodmartin

OK, thanks for looking into it. That’s the way it looks to us as well.

Would love your thoughts, please comment.x