
Configure Multi-factor Authentication (MFA) in Joomla 4

How to enable the Two-factor Authentication (2FA) plugins in Joomla 4, then change the Global Configuration settings to enforce MFA for Administrators and automatically enroll new users.

Joomla Multi-factor Authentication (MFA) plugins

System - Manage - Plugins 

Search for "factor" to list all the Multi-factor Authentication plugins

There is a separate Joomla MFA plugin for each type of authenticator. Disable the plugin for any authentication method you do not want users to be able to enroll in; an enabled plugin is an enrollable method for every user on the site.

Joomla Two-factor Authentication (2FA) methods

These Two-factor Authentication (2FA) methods are enabled by default in Joomla 4 (the plugin-based MFA system was introduced in Joomla 4.2):

Verification Code: a Time-based One-time Password (TOTP) generated by an authenticator app such as Google Authenticator or a password manager
YubiKey: YubiKey hardware tokens
Web Authentication: WebAuthn, using a software or hardware authenticator (a passkey or security key) as the second factor. This MFA plugin is separate from the "WebAuthn Passwordless Login" system plugin, which replaces the password rather than supplementing it
Authentication Code by Email: a one-time code sent to the user's email address

Disable authentication code by email

We are disabling 2FA by email code because it is the weakest method on offer: anyone who controls the user's mailbox, or who can read mail in transit, also controls the second factor, and the factor is only as reliable as the site's outgoing mail. An authenticator app is also quicker and easier for users than waiting for an email.

Select Authentication Code by Email - Disable

Joomla Global Configuration - Allow User Registration

You will need to enable user registration in the Joomla Global Configuration if you want standard Joomla users to register an account on the website and set up 2FA themselves. Only do this if self-registration is actually wanted on the site; on a public site, pair it with an activation requirement (the "New User Account Activation" option in the same screen) so that accounts are not usable until the email address is confirmed or an administrator approves them.

Users - User Options
Allow User Registration: Yes

Save & Close

Joomla Global Configuration - Multi-factor Authentication

Change the following settings to enforce 2FA for Administrators and to onboard new users automatically

System - Global Configuration

Users - Multi-factor Authentication

Enforce Multi-factor Authentication: select the Manager and Administrator user groups. Add Super Users as well: in a default Joomla install Super Users is its own group, not a child of Administrator, so selecting Administrator alone does not cover the most privileged accounts
Onboard new users: Yes

Save & Close
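Enforcement only prompts a user to enroll the next time they log in, so after saving these settings it is worth checking which privileged accounts still have no MFA method recorded. The following audit script is an added example written for this page, not Joomla code: it queries the tables Joomla 4.2 and later use for MFA enrollment (`#__user_mfa`) and group membership. The table prefix `jos_`, the reduced column set, the method names `totp` and `email`, and the in-memory SQLite fixture are assumptions made so the script runs offline; against a live site you would run the same query on the real database with your site's `$dbprefix`.

```python
import sqlite3
from collections import Counter

# Assumed value of $dbprefix from configuration.php (change to your site's prefix).
PREFIX = "jos_"

# Groups the page enforces MFA for. Super Users is its own group in a default
# install (not a child of Administrator), so it is listed explicitly.
ENFORCED_GROUPS = ("Manager", "Administrator", "Super Users")

AUDIT_SQL = """
SELECT DISTINCT u.id, u.username
FROM {p}users AS u
JOIN {p}user_usergroup_map AS m ON m.user_id = u.id
JOIN {p}usergroups AS g ON g.id = m.group_id
LEFT JOIN {p}user_mfa AS mfa ON mfa.user_id = u.id
WHERE g.title IN ({marks})
  AND u.block = 0          -- ignore blocked accounts
  AND mfa.id IS NULL       -- no MFA method recorded at all
ORDER BY u.id
"""


def privileged_users_without_mfa(conn, prefix=PREFIX, groups=ENFORCED_GROUPS):
    """Return [(user_id, username)] for enabled users in the enforced groups
    that have no row in #__user_mfa, i.e. have not enrolled any method yet."""
    sql = AUDIT_SQL.format(p=prefix, marks=",".join("?" * len(groups)))
    return [tuple(row) for row in conn.execute(sql, groups)]


def enrolled_methods(conn, prefix=PREFIX):
    """Count enrolled MFA records per method name, so you can see whether
    anyone still relies on a method (such as 'email') you have disabled."""
    rows = conn.execute(f"SELECT method FROM {prefix}user_mfa").fetchall()
    return dict(Counter(method for (method,) in rows))


def build_fixture(prefix=PREFIX):
    """Constructed sample database mirroring the relevant Joomla tables.
    Users, groups and enrollments here are made up for the demo."""
    conn = sqlite3.connect(":memory:")
    p = prefix
    conn.executescript(f"""
    CREATE TABLE {p}users (id INTEGER PRIMARY KEY, username TEXT, block INTEGER);
    CREATE TABLE {p}usergroups (id INTEGER PRIMARY KEY, title TEXT);
    CREATE TABLE {p}user_usergroup_map (user_id INTEGER, group_id INTEGER);
    CREATE TABLE {p}user_mfa (id INTEGER PRIMARY KEY, user_id INTEGER,
                              title TEXT, method TEXT);
    -- default Joomla group ids: 4 Editor, 6 Manager, 7 Administrator, 8 Super Users
    INSERT INTO {p}usergroups VALUES (4,'Editor'),(6,'Manager'),
                                     (7,'Administrator'),(8,'Super Users');
    INSERT INTO {p}users VALUES (42,'superadmin',0),(43,'editor',0),
                                (44,'manager',0),(45,'oldadmin',1),(46,'siteadmin',0);
    INSERT INTO {p}user_usergroup_map VALUES (42,8),(43,4),(44,6),(45,7),(46,7);
    -- superadmin enrolled TOTP; siteadmin still relies on the email method
    INSERT INTO {p}user_mfa VALUES (1,42,'Phone TOTP','totp'),
                                   (2,46,'Work email','email');
    """)
    return conn


if __name__ == "__main__":
    db = build_fixture()
    for uid, name in privileged_users_without_mfa(db):
        print(f"MFA not enrolled: user {uid} ({name})")
    print("methods in use:", enrolled_methods(db))
```

In the fixture only `manager` (id 44) is reported: `editor` is not in an enforced group, `oldadmin` is blocked, and the two administrators have a method on record. The method count shows one `email` enrollment, which is the kind of account you would follow up with after disabling the email plugin.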

Joomla 2FA user experience

The user experience differs for Administrator and standard Joomla users:

Administrator accounts in an enforced group are forced to set up 2FA at logon and cannot skip it

Non-admin Joomla users are offered MFA setup at logon but can skip it by clicking "Don't show this again"

Edit account MFA settings for Joomla Administrators

Joomla Super Users can edit their MFA settings when logged into the Joomla website backend.

User Menu - Edit Account

Edit account MFA settings for Joomla Users

To allow standard Joomla users to access their user profile settings and change MFA options, you will need to create a menu item for user profile settings.

Menus - Main Menu - New

Menu Title: User Profile
Menu Item Type: Select - Edit User Profile

Save & Close

The user profile menu now shows on the website frontend. After logging on, users can open their user profile and change their MFA settings.

Temporarily disable 2FA for a Joomla user

Joomla Super Users can temporarily disable MFA for any user (including other Super Users). Treat this as a privileged action: verify the request out of band before turning MFA off, since it removes the protection the account depends on.

Users - Manage - select user

Multi-factor Authentication - Turn Off 

Save & Close

Re-register 2FA for a user in Joomla

To reset 2FA for a user account (for example after a lost phone or token) and allow them to re-register an authentication method, you will need to disable MFA for the user and set "Require password reset" in the Joomla administrator backend.

Steps to reset 2FA for a Joomla user account:

  1. Set a temporary password
  2. Turn off MFA
  3. Require password reset

Users - Manage - select user
Account details
Require password reset: Yes

Save & Close

The user will need to change their password when they next log on and will then be offered MFA setup again (or be forced through it, if they are in an enforced group). Communicate the temporary password through a channel other than email, and verify the person's identity first: until the new factor is enrolled, the temporary password is the only thing protecting the account.

Reference:

Joomla! Documentation - WebAuthn Passwordless Login
https://docs.joomla.org/WebAuthn_Passwordless_Login

Saturday, 23 September 2023