Since Joomla 4.2 new MFA (replacing 2FA) options have been added which I’ll further discuss in this article.
Joomla 4 already has the WebAuthn option you can use for silent login which I advise everyone to use to prevent brute force attacks against your Joomla login to get the password, or use a very long and random generated complicated password.
For Joomla 3 you can use the excellent Loginguard for 2FA, but after August 2023 Joomla 3 will be end-of-life (EOL), and Loginguard is not actively maintained by it’s developer for good reason. So you should update your Joomla 3 to Joomla 4 website anytime soon!
The developer of Loginguard has donated the Loginguard to Joomla and is now present within Joomla 4, but not enabled out-of-the-box (and also not after upgrade from Joomla 3 to Joomla 4). You have to enable it yourself. There are a few choices form MFA to enable. Log in to your administrator page and go to:
System -> Plugins
If you search in the search box for the word: multi, you can find the plugins I’m talking about. When you have some other Joomla 4 language, you have to search with the translation of the word multi, in Dutch for instance it is: meervoudig. The type of plugin is multifactorauth in I’m guessing any language.
Then you see a couple of choices:
Don’t worry if you see more options than shown above, the most important and safe one’s you’ll have. I you want the other one’s not present in your Joomla 4, you can install Loginguard 7.
The two most important ones are the Verification Code and the YubiKey. With the Verification Code plugin you can use Google Authenticator, Authy or similar to get the random generated codes as an extra authentication. This is the most cost effective MFA option, because all you have to do is install an app on your phone for that (see your phone’s app store). If you have a YubiKey or similar like I have, you can use the Yubikey plugin.
Now you can enable the plugin you need for MFA by clicking the gray round with x. After that you go to:
Users -> Manage
There you’ll see your users and also this addition which if you haven’t enabled MFA yet for your user will be a grey cirkel with x:
Now go ahead and select your user and go to the Multi Factor Authentication tab and complete the steps to enable your MFA choice.
After that you can log out and test your MFA setup by using your Joomla login credentials, after that a seperate screen will follow to supply your MFA code.
Now your MFA setup for Joomla 4.2 is complete and tested. Happy and safe Joomla >4.2 log in!