Online security, and in particular how to create strong passwords, has been discussed a lot lately. Many users create weak passwords in their systems, which is one factor in letting hackers in. As an added security measure, online service providers offer two-factor authentication.
What this means is that you have a username, a password and a one-time password that is generated by a gadget you control. This can be a dedicated gadget (like the ones many banks issue) or it can be an app on your smartphone (like Google Authenticator). These solutions normally give you a 6-digit one-time code that you can enter into the system.
There are also USB solutions that let you put the device into the computer, click a button and the device will enter a strong one-time password into the appropriate field on the computer. One of the larger providers of these USB devices are Yubico, with their USB stick Yubikey.
The Yubikey can be used with popular services like LastPass, to add an extra security layer onto your login. Now, we can have the same solution in Joomla.
You can order a Yubikey from Yubico for US$25 - I did and received on in just under a week. It was sent in a normal letter from the company and I could start using it immediately.
Setting up the Yubikey
The Yubikey can be used without any further setup, but you might want to test it on the Yubikey page first. You can also download the Yubikey personalization tool to further configure the device. The key has two configurations avaliable. One is already set up, the other one can be changed with the tool. You can find more about this on the Yubico website. As mentioned, you don't need to do any setup to start using the Yubikey with Joomla.
Two-factor authentication in Joomla 3.2
Joomla 3.2 adds two plugins for using two-factor authentication to your site: Yubikey and Google Authenticator.
To use these plugins, you need to activate them in the Joomla plugin manager. Activate only the ones you plan to use.
I will show you how to set up the Yubikey authenticator plugin. After you have activated the Yubikey plugin, click the plugin name to edit the settings.
On the settings page, you can decide if you want to use the two-factor authentication on the front-end, the back-end or both. What you decide on depends on how you have set up your site and who uses it. If you have some users with content editing access from the front-end only, it might be overkill to have two-factor authentication on the frontend. It might be better to limit the use to those users who have access to the back-end of the site and more vital settings. This, however, depends on your own setup and security considerations.
Save the settings.
Set up users
Now, you need to go into each of the users to set up their Yubikey authentication. You can activate or deactivate the authentication on each user individually. They will need to have one Yubikey each.
To activate the Yubikey, follow the instructions on-screen. Then, save the configuration.
After you have saved the configuration with the Yubikey, you will see a series of one-time passwords at the bottom of the screen. Make sure you save these in a safe place, in case you lose your Yubikey. Print them out, save them in a secure application etc.
Now, you can log in to the Joomla administrator (or site) with your username, password and secret key from the Yubikey.
To enter the one-time password (OTP) from the Yubikey, set the cursor in the secret key field and then press the Yubikey hardware button. The OTP will be entered and you will be logged in.