Joomla Two Factor Authentication

This presentation covers enabling and configuring two-factor authentication (2FA) in the Joomla CMS. It starts with some theoretical background on why you need 2FA and then focuses on enabling and configuring the Google Authenticator and Yubikey plugins in Joomla. It also shows how to set 2FA up on a per-user basis on the front end as well as on the back end of your site.

This presentation is the English translation of the presentation I've done for JUG Vlaanderen on 15 Nov 2014 (original presentation in Dutch also available).

Joomla, Google Authenticator and Yubikey are trademarks of their respective owners.

Published in: Software

Joomla Two Factor Authentication

  1. Joomla 2 Factor Authentication JUG Vlaanderen - 15/11/2014
  2. Agenda ● What is 2 Factor Authentication ● Prerequisites ● Enable 2FA in Joomla ● Tips & Tricks
  3. What is 2 Factor Authentication
  4. What is 2 Factor Authentication ● You know something ● You have something ● BOTH are necessary to be ABLE to log in ○ Available in the same place at the same moment ○ Security level largely increased
  5. What is 2 Factor Authentication ● You know something ○ Username ○ Password or another secret which you have to enter into the system every time you want to log in
  6. What is 2 Factor Authentication ● You know something ○ Threats ■ Easy to guess username ● admin, TheBoss, JoomlaAdmin ■ Password known by “unauthorized” people ● password is too simple, easy to guess ○ password, admin, secret, letmein, iamtheboss ● sloppy handling of passwords ○ say your password aloud when entering it in the system ● hacking ○ dictionary attack, man in the middle
  7. What is 2 Factor Authentication ● You have something - based on Shared Secret ○ Token - key - hardware ■ Code Generator ● Google Authenticator / WinAuth ● QR code or character/digit code ● Generates new code every 30 seconds ■ Hardware key ● Yubikey ● Pure hardware ● Key itself necessary for each log in
  8. What is 2 Factor Authentication ● You have something - based on Shared Secret ○ Threats ■ You lose your key, token or login device ■ Device used for logging in and for code generation is the same ● Major problem when device is stolen
  9. Prerequisites
  10. Prerequisites ● Setup of Shared Secret system ○ Hardware key (Windows, Linux, Android (NFC)) ■ Yubikey = 25 USD/key - 50 USD/key (Neo) ■ USB plugin
  11. Prerequisites ● Setup of Shared Secret system ○ “Code generator” ■ Google Authenticator (Android/iOS) ● Available in Google Play Store ● Also available in iTunes ● Free - registration @ Google necessary ● Scan QR code
  12. Prerequisites ● Setup of Shared Secret system ○ “Code generator” ■ WinAuth (Windows application) ● www.winauth.com ● Copy character and digit code
  13. Enable 2FA in Joomla
  14. Enable 2FA in Joomla 2 steps ● Enable plugin ● Activate per user
  15. Enable 2FA in Joomla Step 1 - enable plugin ● Enable plugin(s) in plugin manager
  16. Enable 2FA in Joomla Step 1 - enable plugin ● Configure for front-end & back-end ○ For every plugin separately - default setting
  17. Enable 2FA in Joomla Step 2 - activate per user ● Front End (Yubikey example)
  18. Enable 2FA in Joomla Step 2 - activate per user ● Front End (Yubikey example)
  19. Enable 2FA in Joomla Step 2 - activate per user ● Front End (Yubikey example)
  20. Enable 2FA in Joomla Step 2 - activate per user ● Back End (Google Authenticator example)
  21. Enable 2FA in Joomla Step 2 - activate per user ● Back End (Google Authenticator example)
  22. Enable 2FA in Joomla Step 2 - activate per user ● Back End (Google Authenticator example)
  23. Enable 2FA in Joomla ● Not possible to use both Google Authenticator AND Yubikey for one and the same user ● It is however possible to have a number of users using Google Authenticator AND a number of users using Yubikey as 2FA method
  24. Enable 2FA in Joomla ● New login screen ○ Secret key for Google Authenticator AND Yubikey
  25. Tips & Tricks
  26. Tips & Tricks ● While you are in a “password” environment ○ Use https! ● Take a site backup before you activate 2FA
  27. Tips & Tricks ● ALWAYS make sure you have a couple of one-time emergency passwords ○ Once you have used them, they are not available for a second try ● Install your password generation tool on at least 2 different devices ○ Crash/loss/theft of your one and only generation device locks you out!
  28. Tips & Tricks ● 2FA is activated but the secret-key field doesn’t appear ○ Check the login component ○ Check the template ■ Some of these can’t handle 2FA
  29. Tips & Tricks ● If you lose your secret but you’re lucky to be only a registered user ○ Administrator can disable 2FA for your profile ● Be aware: if you are the administrator … ○ You’re on your own
  30. Thank you!
  31. https://www.edoozeh.com +EdoozehWebSites @Edoozeh /edoozeh /user/EdoozehWebSites
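
An added example, not part of the original slides and not Joomla's plugin code: slide 7 describes a code generator that derives a new code every 30 seconds from a shared secret, and slide 27 recommends one-time emergency passwords. The Python sketch below implements RFC 6238 TOTP verification with a replay guard and single-use emergency codes; `SecondFactor`, `DEMO_SECRET` and the emergency code value are hypothetical names and constructed sample data.

```python
import base64, hashlib, hmac, struct, time

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way an
# authenticator app receives it (QR code or typed character/digit code).
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 over the 30-second time-step counter."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _same(a, b):
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(a.encode(), b.encode())

class SecondFactor:
    """Hypothetical per-user verifier: TOTP plus single-use emergency codes."""
    def __init__(self, secret_b32, emergency_codes):
        self.secret = secret_b32
        self.emergency = list(emergency_codes)
        self.last_step = -1                      # newest time step already used

    def verify(self, code, now=None, window=1, step=30):
        now = time.time() if now is None else now
        current = int(now) // step
        # Accept +/- `window` steps of clock drift, never a step used before.
        for s in range(current - window, current + window + 1):
            if s > self.last_step and _same(totp(self.secret, s * step, step), code):
                self.last_step = s
                return "totp"
        for saved in self.emergency:
            if _same(saved, code):
                self.emergency.remove(saved)     # consumed: no second try
                return "emergency"
        return None

if __name__ == "__main__":
    user = SecondFactor(DEMO_SECRET, ["constructed-emergency-1"])
    print(user.verify(totp(DEMO_SECRET, time.time())))
    print(user.verify("constructed-emergency-1"))
    print(user.verify("constructed-emergency-1"))
```

The `last_step` guard is what stops a code observed during login from being replayed inside the same 30-second window, which is also why the slides insist on HTTPS for the login form.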