Setting Up Two-Factor Authentication in Joomla


One of the better Joomla improvements of the last few years has been two-factor authentication. Everybody is well aware of today’s constant risk of cyber threats, and no website is safe from the hackers and other contemptible individuals that haunt cyberspace. However, enabling two-factor authentication on your Joomla website virtually guarantees that a hacker using a brute force attack cannot get into your site with your Joomla login details (username and password) alone.

Two-Factor Authentication Described

In a nutshell, two-factor authentication acts as a supplementary security layer for your Joomla site. It works by creating a time-limited password that will always be specific to a particular username. Once used, the ‘key’ is discarded. Not having access to this specific key or password means you will be unable to log in to gain access to your site; ergo, a hacker will face the same issue.
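To make the mechanism above concrete, here is an added example (not Joomla's or the plugin's own code) of how a server can check a Google Authenticator-style code, which follows the TOTP standard (RFC 6238), and discard it once used. The `Verifier` class, its in-memory store and the `admin` username are assumptions for illustration; the sample secret is the RFC test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds each code stays valid (RFC 6238 default)
DIGITS = 6    # code length shown by Google Authenticator

# RFC 6238 test key ("12345678901234567890") in Base32; never use it for real.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, counter):
    """Return the code for one 30-second time step (HMAC-SHA1, RFC 4226)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation picks 4 bytes of the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Hypothetical server-side check: time-limited, per-user, single-use."""

    def __init__(self, window=1):
        self.window = window   # tolerate +/- this many steps of clock drift
        self.last_used = {}    # username -> newest time step already accepted

    def verify(self, username, secret_b32, code, now):
        current = int(now) // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_used.get(username, -1):
                continue       # this step was already used: code is discarded
            expected = totp(secret_b32, counter).encode()
            if hmac.compare_digest(expected, str(code).encode()):
                self.last_used[username] = counter
                return True
        return False           # wrong, expired or replayed code


if __name__ == "__main__":
    v = Verifier()
    print(v.verify("admin", SAMPLE_SECRET, "287082", now=59))   # first use
    print(v.verify("admin", SAMPLE_SECRET, "287082", now=59))   # replay
    print(v.verify("admin", SAMPLE_SECRET, "287082", now=149))  # expired
```

Remembering the last accepted time step per user is what stops a code that was observed once from being replayed inside its validity window.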

How to Enable Two-Factor Authentication in Joomla

Two-factor authentication in Joomla 3.2 does not require any type of Joomla extension to work, as it is supported as part of the core of the CMS. It does, however, require a plugin, which depends on the key generator you plan to use to generate your key. Yubikey and Google Authenticator are the two main key generators. Installing either of these and then activating it turns on two-factor authentication for your Joomla installation. You will then have a choice as to whether you require the key generator enabled for the:

  • back-end (admin)
  • front-end
  • or both.

Once this has been done, you should see an additional field on the login screen (named Secret Key).

Configuring the Plugin

Once the plugin has been activated, as described above, it will be time for a little configuration. This is performed via the User Manager. The whole point of this process is to associate the user (you) with a device that only you have access to.

If you used the Google Authenticator plugin, go to User Manager and look for the new two-factor authentication tab. On this tab, from the drop-down menu, choose Google Authenticator. You will then be presented with a detailed list of how to set this up. Set-up is complete once one secret key has been entered into the system.

If you are using the Yubikey plugin, the steps are similar, but you’ll first have to authenticate the Yubikey plugin by specifying your Yubico Web Service API ID and a secret key and saving these settings. Once the plugin has been enabled, the secret key required above will be generated for you, which will allow you to connect to the Yubikey two-factor authentication.

Once this has been done, you will have to disable the standard Joomla authentication plugin; otherwise, the usual Joomla login procedure will still work.

In Conclusion

Protecting ourselves from hackers and all types of cyber threats is an essential staple of today’s online world. Do yourself a favour by doing all you can to stave off all attempts on your website’s security.
