An easy security improvement for a Joomla based CMS.
Since Joomla 3.2

Two factor authentication/two-step verification (2FA) provides extra protection against bad people logging in to your account even if they were able to get hold of your password. You can enable it easily in Joomla, which has supported it since release 3.2.0.

2FA secures your site login with a secondary secret code that changes every 30 seconds. You can use a mobile device, a computer or a USB key to generate the code.

Joomla has a page which explains two-factor authentication for Joomla clearly. All you need to do, is enable two factor authentication in Joomla, then visit the User Profile of your Joomla account and turn it on for your account. It is self service for each other user.


  • Either download and install Authy (on macOS, Windows, iOS, Android or Linux, or all of them, it syncs your security keys and codes).
  • Or buy a Yubikey USB security key.

Enable two factor authentication/two-step verification for a site using the Joomla administrator backend

The easiest way to enable two factor authentication/two-step verification in the Joomla administrator backend is to click Review Messages on the notice about post-installation messages. find the section which indicates that Two-Factor Authentication is Available. Click on the Enable Two-Factor Authentication button. If you've hidden these messages you can reset them from the Post Installation Messages component page in the administrator. Of course you can enable the plugins manually as well, look for the Two Factor Authentication - YubiKey and Two Factor Authentication - Google Authenticator plugins and turn them on.

Enable two factor authentication/two-step verification for an individual user in the Joomla back end.

Click on User Manager, edit a User and go to the Two-Factor Authentication Tab.

If the Two-Factor Authentication Tab is not visible, check that plugins are properly enabled.

Step 1 — Find the 'Two Factor Authentication' Tab and, select your authentication method Google Authenticator or Yubikey

Step 2 — For an authenticator app such as Authy, you can scan a QR Code to your mobile phone, or enter the account name and key. For Yubikey just insert the key into a USB port, and touch the gold disk on the key.

Step 3 — Activate Two Factor Authentication by entering the security code displayed in Authy in the security code field in Joomla and pressing save If the code is correct, the Two Factor Authentication feature will be enabled.

Enable two factor authentication/two-step verification for an individual user in the Joomla front end.

If your front end template allows User Profile editing, edit your user profile to enable two factor authentication/two-step verification using the same steps as for the back end.

Additional notes about USB Key or two factor authentication/two-step verification apps

You can use a physical security key from Yubikey or an app such as Google Authenticator or Authy for two factor authentication/two-step verification. These all implement the same Internet Standards for Time-based One-time Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time Password algorithm (HOTP; specified in RFC 4226). Yubikeys and both these apps are proprietary. Google's app used to be open source but mysteriously becampe proprieatary for unspecified reasons.

Web sites and services often just say 'Google Authenticator' in their instructions but all such sites work with Authy. You can read more about that on the Authy blog. Authy is from Twilio, an American cloud communications platform as a service company based in San Francisco, quoted on NYSE. It is available on iOS, Android, macOS, Windows, and Linux. Authy has several major advantages over Google Authenticator and I recommend it.

ezone is not affiliated with or endorsed by The Joomla! Project™ or Open Source Matters. The Joomla!® name and logo is used under a limited license granted by Open Source Matters the trademark holder in the United States and other countries.