Configure Multi-factor Authentication (MFA) in Joomla 4
How to enable Two-factor Authentication (2FA) plugins in Joomla 4. Change global configuration settings to enforce MFA for Administrators and automatically enrol new users.
Table of Contents
- Joomla Multi-factor Authentication (MFA) plugins
- Joomla Two-factor Authentication (2FA) methods
- Disable authentication code by email
- Joomla Global Configuration - Allow User Registration
- Joomla Global Configuration - Multi-factor Authentication
- Joomla 2FA user experience
- Edit account MFA settings for Joomla Administrators
- Edit account MFA settings for Joomla Users
- Temporarily disable 2FA for a Joomla user
- Re-register 2FA for a user in Joomla
Joomla Multi-factor Authentication (MFA) plugins
Enable Joomla 2FA using Google Authenticator
System - Manage - Plugins
Search for "factor" to list all the Multi-factor Authentication plugins
There is a Joomla MFA plugin for each type of authenticator. Disable the plugin for any authentication method that you don't want to offer; a disabled plugin cannot be enrolled by any user.
Joomla Two-factor Authentication (2FA) methods
These Two-factor Authentication (2FA) methods are enabled by default in Joomla 4:
| Method | How it works |
| Verification Code | Time-based One-time Password (TOTP) generated by an authenticator app such as Google Authenticator or a password manager |
| YubiKey | YubiKey hardware tokens |
| Web Authentication | A WebAuthn authenticator (security key, platform authenticator or passkey) used as a second factor; this MFA plugin is distinct from the separate WebAuthn Passwordless Login system plugin |
| Authentication Code by Email | A one-time code sent to the email address on the account |
Disable authentication code by email
We are disabling 2FA using an authentication code by email because it is the least secure method available: the code is only as strong as the mailbox it lands in, and an attacker who controls that mailbox can also reset the password, so the second factor collapses into the same channel as the first. Using an authenticator app is also quicker and easier than waiting for a 2FA code by email.
Select Authentication Code by Email - Disable
Joomla Global Configuration - Allow User Registration
You will need to enable user registration in the Joomla global configuration if you want standard Joomla users to register an account on the website and set up 2FA.
Users - User Options
Allow User Registration: Yes
Save & Close
Joomla Global Configuration - Multi-factor Authentication
Change the following settings to enforce 2FA for Administrators and to prompt new users to enrol at their first login:
System - Global Configuration
Users - Multi-factor Authentication
Enforce Multi-factor Authentication: select the Manager and Administrator user groups. Enforcement applies only to members of the selected groups, so if your Super Users are not also members of Manager or Administrator, add the Super Users group as well; these are the accounts most worth protecting.
Onboard new users: Yes
Save & Close
Joomla 2FA user experience
Here are some screenshots showing the user experience for both Administrator and standard Joomla users
Accounts in the enforced groups will be forced to set up 2FA at login.
Non-admin Joomla users get the option to skip MFA setup by clicking "Don't show this again", because enforcement does not apply to their groups.
Edit account MFA settings for Joomla Administrators
Administrators and Super Users can edit their own MFA settings while logged into the Joomla website backend.
User Menu - Edit Account
Edit account MFA settings for Joomla Users
To allow standard Joomla users to access their user profile settings and change MFA options, you will need to create a menu item for user profile settings.
Menus - Main Menu - New
Menu Title: User Profile
Menu Item Type: Select - Edit User Profile
Save & Close
The user profile menu item now shows on the website frontend. After logging in, users can open their user profile and change their MFA settings.
Temporarily disable 2FA for a Joomla user
Joomla Super Users can temporarily disable MFA for users (including other Super Users). Until the user enrols again, that account is protected by its password alone, so keep the window short.
Users - Manage - select user
Multi-factor Authentication - Turn Off
Save & Close
Re-register 2FA for a user in Joomla
Steps to reset 2FA for a Joomla user account:
- Set a temporary password
- Turn off MFA
- Require password reset
Users - Manage - select user
Account details
Require password reset: Yes
Save & Close
The user will need to change their password when they next log in and will then get the option to set up MFA again. Deliver the temporary password out of band (not to the mailbox tied to the account) and verify who is asking before resetting: an MFA reset is the same step an attacker would request.
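The enforcement settings above and the reset procedure above can both be checked directly in the database. The following is an added example, not code from the original article or from Joomla: it lists active members of the enforced groups who have no MFA method enrolled (the check to run after switching on "Enforce Multi-factor Authentication"), and performs the reset by removing a user's enrolled methods and flagging the account for a password change. It assumes the default table prefix jos_ (see $dbprefix in configuration.php), that enrolled methods are the rows of #__user_mfa keyed by user_id, that group membership is in #__user_usergroup_map, and that "Require password reset" in the user edit form sets #__users.requireReset = 1. The rows are constructed sample data; the temporary password is still set in the backend UI as described above, nothing here writes a password hash.

```python
"""Audit and reset Joomla 4 MFA enrolment in the database.

Added example; not code from the original article or from Joomla itself.
Assumptions (labelled): default table prefix "jos_" (see $dbprefix in
configuration.php); enrolled MFA methods are the rows of #__user_mfa
(one per method, keyed by user_id); group membership is in
#__user_usergroup_map; "Require password reset" in the user edit form sets
#__users.requireReset = 1. Only the columns the queries need are modelled,
and all rows are constructed sample data.
"""
import sqlite3

PREFIX = "jos_"  # assumption: default prefix
# Groups the article enforces, plus Super Users so the most privileged
# accounts are covered. Matching is on group title, not numeric id.
ENFORCED_GROUPS = ("Manager", "Administrator", "Super Users")


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the Joomla database with constructed rows."""
    p = PREFIX
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {p}users (id INTEGER PRIMARY KEY, username TEXT,
            email TEXT, block INTEGER DEFAULT 0, requireReset INTEGER DEFAULT 0);
        CREATE TABLE {p}usergroups (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE {p}user_usergroup_map (user_id INTEGER, group_id INTEGER);
        CREATE TABLE {p}user_mfa (id INTEGER PRIMARY KEY, user_id INTEGER,
            title TEXT, method TEXT);
        -- group ids as on a default install
        INSERT INTO {p}usergroups VALUES (2, 'Registered'), (6, 'Manager'),
            (7, 'Administrator'), (8, 'Super Users');
        INSERT INTO {p}users (id, username, email) VALUES
            (42, 'root',  'root@example.test'),
            (43, 'alice', 'alice@example.test'),
            (44, 'bob',   'bob@example.test'),
            (45, 'carol', 'carol@example.test');
        INSERT INTO {p}user_usergroup_map VALUES (42, 8), (43, 7), (44, 6), (45, 2);
        INSERT INTO {p}user_mfa (user_id, title, method) VALUES
            (42, 'Phone', 'totp'),
            (45, 'Key',   'webauthn');
    """)
    return conn


def users_without_mfa(conn, groups=ENFORCED_GROUPS):
    """Active (unblocked) members of the given groups with no enrolled
    MFA method. Returns [(user_id, username, group_title), ...]."""
    p = PREFIX
    placeholders = ",".join("?" * len(groups))
    sql = f"""
        SELECT DISTINCT u.id, u.username, g.title
        FROM {p}users u
        JOIN {p}user_usergroup_map m ON m.user_id = u.id
        JOIN {p}usergroups g ON g.id = m.group_id
        LEFT JOIN {p}user_mfa mfa ON mfa.user_id = u.id
        WHERE g.title IN ({placeholders})
          AND u.block = 0
          AND mfa.id IS NULL
        ORDER BY u.id
    """
    return conn.execute(sql, groups).fetchall()


def mfa_state(conn, user_id):
    """(enrolled method names, requireReset flag) for one user."""
    p = PREFIX
    methods = [r[0] for r in conn.execute(
        f"SELECT method FROM {p}user_mfa WHERE user_id = ? ORDER BY id", (user_id,))]
    row = conn.execute(
        f"SELECT requireReset FROM {p}users WHERE id = ?", (user_id,)).fetchone()
    return methods, (row[0] if row else None)


def reset_mfa(conn, user_id):
    """The re-registration steps from the article done in SQL: drop the
    user's enrolled methods so onboarding runs again at the next login, and
    force a password change. Returns the number of methods removed."""
    p = PREFIX
    cur = conn.execute(f"DELETE FROM {p}user_mfa WHERE user_id = ?", (user_id,))
    conn.execute(f"UPDATE {p}users SET requireReset = 1 WHERE id = ?", (user_id,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_demo_db()
    for uid, name, group in users_without_mfa(db):
        print(f"no MFA: {name} (id {uid}, {group})")
    print("removed", reset_mfa(db, 42), "method(s) for user 42 ->", mfa_state(db, 42))
```

Against a live site, replace build_demo_db() with a connection to the Joomla database and keep the statements as they are; run the audit again after every change to the enforced groups, since the setting only prompts at the next login and says nothing about who is still unenrolled.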
Reference:
Joomla! Documentation - WebAuthn Passwordless Login
https://docs.joomla.org/WebAuthn_Passwordless_Login