How to Enable, Disable and Use Joomla 2 Factor Authentication

Two factor authentication is one of those Joomla! 3.2 improvements which can and will improve security. This is because by enabling two factor authentication, it is practically impossible for a hacker to use a brute-force attack to guess the details of your Joomla! username and password.

This is particulary important for the administrator part of the website, which ensures that attacks which try to guess your password can never be successful. Incidentally, if you want to strongly secure your Joomla website, whilst making it faster, you should read this.

Joomla two factor authentication


What is Joomla Two Factor Authentication?

Joomla Two factor authentication is an additional layer of security, which creates a temporary (time-based) password which is unique to a specific username and your website. The key gets discarded (and becomes invalid after literally a few seconds). If you don't have access to this temporary password or secret key, you won't be able to login.

If you want to make your website more secure, in terms of login credentials, 2FA is the way to go.

Disabling Two-factor Authentication or the Joomla Secret Key

If you've already activated two-factor authentication and want to remove it - first of all, you'll need to make sure you have access to the administration (i.e. using a Secret key). Once you have logged in, you only need to disable the two-factor authentication plugin from Plugin Manager > (search for) Two Factor > Disable the Two-factor Authentication plugin which is enabled.

That should be it!


If you DO NOT have access to the Administrator / Administration panel of the website because you have enabled 2FA and you know can't login, you'll need to disable it via PHPMyAdmin 

  • Log in to PHPmyadmin
  • Find the table ending in  '_extensions' (the first few digits/letters are vary by installation)
  • Find the plugin named plg_twofactorauth_totp and change its 'enabled' status from '1' to '0' and save!

This disables the 2FA plugin and thus gets rid of the login with the secret key!

Disable Joomla Two Factor Authentication Plugin

Enabling Two Factor Authentication for Joomla!

So let's how to enable two factor authentication in Joomla. Please note that this is supported as part of the core and does not require any additional Joomla! extension. The following is the normal administrator login (on the left) and the Joomla administrator login with two factor authentication (on the right). 

Joomla Administrator Login NormalJoomla Administrator With Secret As you can see the secret key is a new field which allows you to enter the temporary key. But where do you actually get the temporary key from? 

The first step you need to do is enable two factor authentication by enabling the plugin from the Plugin Manager (Plugin Manager > Two Factor Authentication - Yubikey or Google Authenticator (depends which key generator you plan to use)). You can select whether you want this to be enabled for

  1. The back-end only (administrator)
  2. The front-end only (front-end)
  3. Both

Once you enable the plugin, you will start seeing the secret key field.

Now you need to configure the user via the User Manager. 

The idea is that now you will need to associate the user with a device which only the specific user has access to. One ubiquitous device which you can use to generate the secret keys is the Google Authenticator. This is a Smartphone App available on the Google Play store or Apple iTunes which is used to generate secret keys to access your Google Account. The Google Authenticator can also double as a secret generator for Joomla too. To set up the Authenticator as your Authentication Method, you need to perform the following steps:  

Setting up Two Factor Authentication with the Google Authenticator Joomla

  • Go to the User Manager, click on the user which you want to setup (e.g. the super administrator user)
  • (After having enabled the Two Factor Authentication plugin as described above), you will find a new "Two Factor Authentication" tab as can be seen below as part of the parameters of the user
  • From the Authentication Method dropdown, choose the Google Authenticator (which is available by default in the Joomla Core installation).
  • Two Factor Authentication With Google AuthenticatorAs soon as you choose the Google Autheticator, you will get detailed steps of how to set this up. If you've used two factor authentication before, you know that this is quite an easy step, which is typically completed by scanning a QR code using the Authenticator app itself (see below)
  • Once you scan the code, the Google Authenticator will start generating codes which are specific to that usernameSetting up the Google Authenticator with a QR Code
  • To complete the setup, you'll need to enter one a correct secret code from the Authenticator after the setup

Activate Two Factor Authentication

Once all of these steps are done, Two Factor Authentication has been enabled for this user. When you get to the login screen, either in the front-end, or in the back-end (according to what you have chosen), you will need to supply the secret code from your Authenticator, otherwise you won't be able to login.

One time passwords - so what happens if you're Android phone is not available and you lose access to the Authenticator? Do you get locked out of your Joomla website? Not if you do the next steps. The setup of Google Authenticator recommends that you create a batch of one-time passwords. These are secret keys, which can be used only once. You should generate these and store them in a safe place, print them and put them in your wallet, and on your desk, so that if you lose access to your phone, you'll be able to use these one-off secret keys to be able to login, until you regain access to the Authenticator.

Let's help you manage your Joomla better


Free Joomla tips ebook button

Setting up Two Factor Authentication with the Joomla YubiKey

If you have access to or have bought a YubiKey for Two Factor authentication, you can also use this with your Joomla website. These are the steps to enable YubiKey two factor authentication with Joomla

  1. Register for Free to get your Yubico Web Service API Id and Secret key (which you will need later on)
  2. Download the YubiKey plugin from the Google Code YubiKey project and the YubiKey Authentication component
  3. Install the authentication plugin via Joomla administration: Extensions > Extension Manager > Upload Package File  
  4. Find the Yubikey authentication plugin from the Plugin Manager > Authentication - Yubikey. You'll need to specify your Yubico Web Service API ID and Secret Key in the plugin settings and save the settings.
  5. Install the Joomla Yubikey Authentication component via the Extension Manager
  6. Access the YubiKey Authentication component and add a new Yubikey user with the component.
  7. Enable the Authentication - Yubikey plugin in the Plugin Manager. Your secret key above is now generated by the YubiKey. You should now be able to connect using YubiKey Two Factor Authentication
  8. You will also need to disable the standard Joomla authentication plugin which is enabled by default when you install Joomla otherwise the normal Joomla login will still work.

Hope that's been helpful, if you like it please share :)

About the Author
David Attard
Author: David AttardWebsite:
David has been working in or around the online / digital industry for the last 18 years. He has vast experience in the software and web design industries using WordPress, Joomla and niches surrounding them. As a digital consultant, his focus is on helping businesses get a competitive advantage using a combination of their website and digital platforms available today.

One more thing... Did you know that people who share useful stuff like this post look AWESOME too? ;-)
Please leave a useful comment with your thoughts, then share this on your Facebook group(s) who would find this useful and let's reap the benefits together. Thank you for sharing and being nice!

Disclosure: This page may contain links to external sites for products which we love and wholeheartedly recommend. If you buy products we suggest, we may earn a referral fee. Such fees do not influence our recommendations and we do not accept payments for positive reviews.


Get Started Now With ShutterstockShutterstock

Best Rated Caching Plugin

Make your website faster 

Step-by-step - free email course, how to make your website load in less than 1 second  

who are we?

CollectiveRay is run by David Attard - working in and around the web design niche for more than 12 years, we provide actionable tips for people who work with and on websites. We also run - a website for drone hobbyists.

David attard


Author(s) Featured On:  Inc Magazine Logo   Sitepoint logo   CSS Tricks logo    webdesignerdepot logo   WPMU DEV logo   and many more ...