Planned Two Factor Authentication for Client's ID

[pk3]

Please add MFA to CE login, for those wanting extra security. Admin accounts especially, maybe have an option to force this for any support/staff who might have admin access so their accounts don't get used to terminate/remove accounts by unwanted and unauthorized users.

Thanks

 

[srsakib]

Hi,
Nowaday, the most popular security feature in every digital platform is the Two Factor Authentication. The work is simple! Just need one time secured code before trying to login own account. The system will generate random code and send it to the user's (who will enable this feature for his/her account) email address or phone number. Maybe sometimes, more than one security codes can be ganarated randomly and reserved for one time use.

This feature can help to prevent the access of account from unwanted person in the Internet world even after exposing the account's password.

So, please consider this feature to release in future update. Thanks for your dedicated support.

 

[hadi]

I recommend Google Authenticator and SMS verification.

 

[denellum]

Would love to know when this is getting released. Google 2FA would be amazing, and if we could require it for admins or certain roles.

 

[shanehicks]

I recommend Google Authenticator and SMS verification.

I feel like the SMS verification would require a direct connection to either a third party SMS API which would increase your operational cost or CE would have to integrate a centralized SMS system and would probably be charged to us a "premium" plugin.

 

[4yw]

SMS is hackable, and messages get delayed. It's really not worth the effort and extra cost, being only marginally better, with lots of added friction. 2FA code via email is almost as good but also not really worth the effort. Google Authenticator implementation allows password apps like 1Password, Bitwarden, LastPass, etc. to also work. This is a MUST, especially for admin login. Access to all client servers and domains via a login without 2FA is irresponsible in today's environment. Allow for generation of 10 or so backup codes at a time, many users can get by with only backup codes, and these are way more secure than SMS or email.

 

[tombii]

This is a must these days, please add support for this. Can't believe client and admin login is not secured yet, with EPP codes available for domain hi-jacking etc.
TOTP is an open standard with lots of client side support such as Google Authenticator, Microsoft Authenticator, Authy etc.

 

[ceopx]

This should be made a No.1 priority. LastPass Auth / Google Auth TOTP wouldn't be that difficult to integrate.

For the time being, for the admin side, you can use CloudFlare Access (DNS Multi-Factor) to protect your sites.

 

[almutairi]

no updates ?

 

[TTJJ20]

This should really be implemented by now.. I'm unsure why it hasn't be.

 

[ceopx]

We got around this using Joomla's MFA and CE's Remote login script. We made it so Joomla is the point of sign-up and login and transmitted and created an account in CE using the API. Also another option is to use Cloudflare Access and add users' email addresses to the policy, which is what we use to protect the administrator account.

 

[TTJJ20]

We got around this using Joomla's MFA and CE's Remote login script. We made it so Joomla is the point of sign-up and login and transmitted and created an account in CE using the API. Also another option is to use Cloudflare Access and add users' email addresses to the policy, which is what we use to protect the administrator account.

That is actually a pretty impressive workaround haha. Disappointing we have to add another layer of maintenance but if that is what it comes down to I guess it is necessary.

 

[ighazali]

+1

 

[satsuke]

Need 2FA for the admin account, thanks

 

[ighazali]

I am using cloudflare Zero Trust to protect my admin URL . But my clients are still vulnerable without 2FA.