Two Factor Authentication or 2FA

joomla support cheshire manchester merseyside north west ukThe Joomla! CMS is equipped with a built-in two factor authentication or 2FA system.

Once activated this system adds an extra layer of security when users with special permissions sign into the dashboard.

It can also be used to add the same extra layer when users sign in the front end.

Before we explore 2FA in more detail, it is worthwhile answering the following two questions: 

  1. Which users should 2FA be activated for?
  2. Should you activate 2FA for the Front End?

You can activate for ALL users, regardless of their permissions.

But as only users with Special Permissions can change website content, we recommend limiting its use to these users, namely anyone who is an:

  • Author,
  • Editor,
  • Publisher,
  • Manager,
  • Administrator, or
  • Super User.

Managers, Administrators and Super Users

These are the critical groups.

Super Users because this group can do ANYTHING including deleting the user account of fellow Super Users.

All three because they can each sign into the website Dashboard.

An extra layer of security is appropriate.

Registered Users

This user group cannot sign into the Dashboard, and cannot edit website content after signing into the Front End.

They can only change their own personal details (username, password, email address) after signing in.

Whilst adding an extra layer of security for these users may serve to annoy them, it will not enhance the security of your website or its content.

eCommerce Users

If your website is for the purpose of eCommerce then you may choose to require that visitors who purchase from you first become Registered Users.

In such an instance you may wish to offer increased peace of mind, namely 2FA.

Registration with or without 2FA does however form a barrier to trade and will dissuade some visitors from shopping with you.

For this reason you may decide not to require visitors to register with your website during the checkout process.

Read more: How to manage Users and Permissions.

We recommend NOT doing so.

If you do then ALL users will see an additional field when signing in - see image below.

security plugins two factor login field

Whilst users for whom 2FA has not been activated may ignore this field when signing in, its presence is confusing.

If 2FA is not enabled in the Front End then users with special permissions will still be able to edit website content via the Dashboard, after signing in using 2FA.

Image below shows Dashboard Login Panel when 2FA is activated.

security plugins two factor login field cp

How to implement 2FA

You can either activate the built-in 2FA System plugins:

  1. Google Authenticator - a smartphone app which creates a single-use code to enable you to sign in;
  2. Yubikey - a small device which when plugged into your computer acts produces a single-use code;

or password protect your website's Administrator directory - either by using a WAF 1 or your hosting dashboard 2.

1 Web Application Firewall - for example, Akeeba Admin Tools.

2 Password protection for the Administrator directory 0 for example, cPanel Hosting dashboard.


Whichever method you use may result in YOU as well as the hackers being locked out of your website!

It is important that you know how to get back in if this happens.

Read on!


Contents include:

How to implement 2FA.
The 2FA System Plugins.
Password protection of the Administrator directory.
What to do if you become locked out of your website when using 2FA.

SUBSCRIBERS: Sign in to read full article