Two Factor Authentication

From Joomla! Documentation

Other languages:
Bahasa Indonesia • ‎Deutsch • ‎English • ‎Nederlands • ‎español • ‎français • ‎中文(台灣)‎
≥ 3.2
Two-Factor Authentication

Joomla! was the first major CMS to implement Two-Factor Authentication. This adds a single-use code received on your smartphone or a Yubikey to your existing passwords to make your site extra hacker-proof.

Traditionally, when you want to log in to a website, you have to provide your username and your password in order to identify yourself to the system. The biggest problem with this approach is your username and password can be stolen or guessed. For example, if your computer is infested with malware or you try to access your site from an untrusted network, such as a public WiFi hotspot, it is possible someone could intercept your username and password. This means they can log into your site as you. Because your username and password is compromised, your site can now be hacked.

In order to prevent that, Joomla! 3.2.0 and later versions, come with a built-in Two-Factor Authentication system that secures your site login with a secondary, single use secret code. This is called Two-Factor Authentication or shortened to 2FA.

Enable Two-Factor Authentication[edit]

The very first time you’re installing Joomla! 3.2 or higher, and access your backend, you’ll see a notice about post-installation messages.


Click on the Review Messages button, you’ll see a screen which indicates that Two-Factor Authentication is Available. Click on the Enable Two-Factor Authentication button.


To set up the Two-Factor Authentication, go to the User Manager, edit a User and go to the Two-Factor Authentication Tab:


If the Two-Factor Authentication Tab does not appear, it is possible that the associated plugin is not enabled. In that case go to the Plugin Manager and find the Two Factor plugins. There are normally two - one for Google Authenticator and the other for Yubikey. Enable those that you intend to use. Then return to the User Manager and try again.

Authentication Methods[edit]

Google Authenticator[edit]

Google Authenticator is an application for smartphones and desktops created by Google which allows you to generate a six digit security password which changes every 30 seconds. In order to log in to your site, you’ll need to use your username, your password and the six digit security code which changes every thirty seconds.

You can enable Two-Factor Authentication for the Frontend, the Backend or for Both. This can be set up in the plug-in Two-Factor Authentication – Google Authenticator.

This provides extra protection against hackers trying to log in to your account. Even if they were able to get hold of your credentials they have a maximum 30s to hack your site. This is usually not practical for hackers. In this way, the Two-Factor Authentication prevents your site against unauthorized access.

Setting up the Two-Factor Authentication with Google Authenticator is actually really easy.

Step 1 – Get Google Authenticator[edit]

Download and Install Google Authenticator on your smartphone or desktop.


Step 2 - Set up[edit]

You can see a QR Code to scan with a mobile phone with the application of Google Authenticator installed.


Step 3 - Activate Two-Factor Authentication[edit]

Go to the Activate Two-Factor Authenticator field and enter the six digit security code you can see on the screen of your smartphone device. Then click on Save & Close.


Now, your site access is protected by Two-Factor Authentication. Log out from your backend, you’ll see that instead of asking for the username and password only, Joomla! is asking for a secret key. The Secret Key is the six digit password you can see on your Google Authenticator screen.


If you don’t enter the secret code or a random one, you won’t be able to login. This is what will happen to a hacker who tries to access your backend, since they don’t have the correct secret key.


This feature allows you to use a Yubikey secure hardware token for Two-Factor Authentication. In addition to your username and password you will also need to insert your Yubikey into your computer's USB port, click inside the Secret Key area of the site's login area and touch Yubikey's gold disk. If you have an NFC-equipped Android smartphone you can just approach a compatible Yubikey token (Yubikey Neo) to the NFC reader to copy the secret code to the device's clipboard. The secret code generated by your Yubikey is unique to your device and changes constantly. This provides extra protection against hackers logging in to your account even if they were able to get hold of your password.

You can enable Two-Factor Authentication for the Frontend, the Backend or for Both. This can be set up in the plug-in Two-Factor Authentication – Yubikey.


See Also[edit]


If you are trying to save your two-factor settings and you see an error about invalid password or username, please refer to https://forum.joomla.org/viewtopic.php?f=708&t=981565. It is just necessary to remove the pre-populated password in your user profile form, and password not required unless you are changing it while editing your profile to set up the two-factor authentication.


  • Nicholas Dionysopoulos
  • Andrew Murray