How to enable Two-factor Authentication (2FA) plugins in Joomla 4. Change global configuration settings to enforce MFA for Administrators and automatically enroll new users.
System - Manage - Plugins
Search for "factor" to list all the Multi-factor Authentication plugins
There is a Joomla MFA plugin for each type of authenticator. You can disable the plugin for any authentication methods that you don't want to use.
These Two-factor Authentication (2FA) methods are enabled by default in Joomla 4:

| Method | Description |
| --- | --- |
| Verification Code | Use a Time-based One-time Password (TOTP) generated by an authenticator app such as Google Authenticator or your password manager |
| YubiKey | Use YubiKey secure hardware tokens |
| Web Authentication | Web Authentication (WebAuthn) passwordless login using a software or hardware authenticator (passkey) |
| Authentication Code by Email | 2FA using an authentication code sent by email |
We are disabling 2FA using authentication code by email as this is the least secure method available. Using an authenticator mobile app is also quicker and easier than receiving a 2FA code by email.
Select Authentication Code by Email - Disable
You will need to enable user registration in the Joomla global configuration if you want standard Joomla users to register an account on the website and set up 2FA.
Users - User Options
Allow User Registration: Yes
Save & Close
Change the following settings to enforce 2FA for Administrators and enable onboarding of new users:
System - Global Configuration
Users - Multi-factor Authentication
Enforce Multi-factor Authentication: select Manager and Administrator user groups
Onboard new users: Yes
Save & Close
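An added audit check, not part of the original article: after saving the settings above, these two queries (written against the Joomla 4.2+ schema, where `#__` stands for your site's table prefix and the table and column names are assumed from that schema) confirm that the email plugin is actually disabled and list privileged accounts that still have no MFA method enrolled.

```sql
-- 1. Plugin state: every multifactorauth plugin and whether it is enabled.
--    Expected after the steps above: element 'email' has enabled = 0,
--    while 'totp', 'webauthn' and 'yubikey' keep enabled = 1.
SELECT element, enabled
FROM `#__extensions`
WHERE type = 'plugin'
  AND folder = 'multifactorauth'
ORDER BY element;

-- 2. Enforcement gap: enabled users in the Manager, Administrator or
--    Super Users groups with no row in #__user_mfa (no enrolled method).
--    "Enforce MFA" only prompts at next login, so accounts that have not
--    logged in since the change still show up here until they enroll.
SELECT u.id,
       u.username,
       u.email,
       g.title AS user_group,
       u.lastvisitDate
FROM `#__users` AS u
JOIN `#__user_usergroup_map` AS m ON m.user_id = u.id
JOIN `#__usergroups` AS g ON g.id = m.group_id
LEFT JOIN `#__user_mfa` AS mfa ON mfa.user_id = u.id
WHERE u.block = 0
  AND g.title IN ('Manager', 'Administrator', 'Super Users')
  AND mfa.id IS NULL
ORDER BY g.title, u.username;
```

An empty result from the second query means every privileged account has at least one MFA method recorded; rerun it after a rollout deadline and block or password-reset any account still listed.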
Here are some screenshots showing the user experience for both Administrator and standard Joomla users.
Administrator accounts will be forced to set up 2FA at logon.
Non-admin Joomla users will get the option to skip MFA setup by clicking "Don't show this again".
Joomla Super Users can edit their MFA settings when logged into the Joomla website backend.
User Menu - Edit Account
To allow standard Joomla users to access their user profile settings and change MFA options, you will need to create a menu item for user profile settings.
Menus - Main Menu - New
Menu Title: User Profile
Menu Item Type: Select - Edit User Profile
Save & Close
The user profile menu now shows on the website frontend. After logging on, users can open their user profile and change their MFA settings.
Joomla Super Users can temporarily disable MFA for users (including other Super Users).
Users - Manage - select user
Multi-factor Authentication - Turn Off
Save & Close
Steps to reset 2FA for a Joomla user account:
Users - Manage - select user
Account details
Require password reset: Yes
Save & Close
The user will need to change their password when they next log on, and they will also get the option to set up MFA again.
Reference:
Joomla! Documentation - WebAuthn Passwordless Login
https://docs.joomla.org/WebAuthn_Passwordless_Login