TYPO3 v11 Feature Highlight

Multi Factor Authentication

In this new series of posts about TYPO3 v11 feature highlights, this time I look at Multi Factor Authentication, a feature introduced in version 11.1. What is Multi Factor Authentication, and why should you use it? And of course I will show you how to use it within TYPO3.

What is Multi Factor Authentication?

When we want to log in to an application, we are used to supplying a username and password to prove who we are. If an application supports Multi Factor Authentication, you need several independent factors (pieces of evidence) to authenticate. Besides something you know, you might also use something you have or something you are. Let me explain.

Something you know: This is an easy one and the most common one. A username and password combination is something you know.

Something you have: The most common thing you can have for Multi Factor Authentication is a security token. This can be a physical device, such as a hardware key, but it can also be an app on your mobile phone that generates one-time codes. In that case the real factor is the secret stored on the phone, so the phone is what you have to protect.

Something you are: This might be a bit harder to grasp, but think of biometric information, for example your fingerprint or a scan of your iris.

So if you want to log in to an application that supports Multi Factor Authentication, you use two or more of those factors to authenticate yourself. The factors should come from different categories: two passwords are still only something you know and do not make the login multi-factor. Which options are available is up to the application itself.

Why should I use Multi Factor Authentication?

Let's be honest, most of us reuse passwords or have passwords that are a bit too easy to guess. Of course more and more people use a password manager and know that passwords should not be reused, but we are far from the point where everybody has a password that is strong enough to resist guessing for ages. What happens if an attacker has your password? Let's assume you are an editor of typo3.org and your password has leaked. That person gets access to spread disinformation about the product or, for example, to create links and redirects to wordpress.org.

To be more secure, you should have multiple layers of security. If you have MFA enabled with, for example, a password and a security token, it becomes much harder for an attacker to log in to the application with your account. Besides your password, the attacker also needs access to your security token device. Keep in mind what this does and does not cover: a one-time code protects you against a leaked, reused or guessed password, but a phishing page that relays your code to the real login within its validity window can still get in. For that threat you need a phishing-resistant factor such as a WebAuthn security key.

So if you want to be secure, enable Multi Factor Authentication wherever it is possible.

Multi Factor Authentication in TYPO3

Thanks to Oliver Bartsch and lots of other people, Multi Factor Authentication is available out-of-the-box in TYPO3 v11.1 and newer versions. Before, you had to rely on third-party extensions, but now the core provides MFA in a secure way. A complete introduction to this feature can be found in the changelog of TYPO3 v11.1; in this post I will show you the possibilities and how easy it is to set up Multi Factor Authentication for your user.

Factors shipped with TYPO3 v11

Two additional ways of authenticating are shipped with this feature. We call them MFA providers. Besides the two MFA providers shipped with TYPO3, you can of course create your own providers; you can find more information about that in the documentation. Please be aware that the API might still change until the release of TYPO3 v11 LTS.

The two MFA providers shipped by the core are time-based one-time passwords (TOTP) and recovery codes. The recovery codes provider can only be used as a fallback for other MFA providers, so if you do not install additional MFA providers you always have to enable the time-based one-time password provider first. The TOTP provider lets you use an authenticator application like Google Authenticator, Microsoft Authenticator or 1Password. Treat the recovery codes as carefully as a password: store them offline, because they are your way back into the account if you lose the device that runs the authenticator app.
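As an added illustration of the fallback role of recovery codes (example code written for this post, not TYPO3's recovery codes provider), the Python below shows the properties such codes need: each code comes from a cryptographic random source, only a hash of it is stored, a code is accepted once and then removed, and the comparison tolerates the dashes, spaces and capitals a user types back in. The code format (five groups of four hex characters), the count of eight and the RecoveryCodeStore class are assumptions for the example, not TYPO3's choices.

```python
import hashlib
import hmac
import secrets
from typing import List, Set

CODE_BYTES = 10   # 80 bits of randomness per code: not guessable online or offline
CODE_COUNT = 8    # assumed number of codes handed to the user at setup


def generate_recovery_codes(count: int = CODE_COUNT) -> List[str]:
    """Fresh codes, shown to the user once, formatted as xxxx-xxxx-xxxx-xxxx-xxxx."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)  # 20 hex characters
        codes.append("-".join(raw[i:i + 4] for i in range(0, len(raw), 4)))
    return codes


def normalize(code: str) -> str:
    """Accept the code however the user retyped it: case, spaces and dashes do not matter."""
    return "".join(ch for ch in code.lower() if ch in "0123456789abcdef")


def hash_code(code: str) -> str:
    # A random 80-bit code cannot be brute-forced, so unlike a password it needs no slow
    # hash; storing a plain SHA-256 still keeps the clear code out of the database.
    return hashlib.sha256(normalize(code).encode("ascii")).hexdigest()


class RecoveryCodeStore:
    """What the application persists for one user (hypothetical helper for this example):
    only hashes, each of which disappears when its code is used."""

    def __init__(self, codes: List[str]):
        self.hashes: Set[str] = {hash_code(c) for c in codes}

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, attempt: str) -> bool:
        """True if the attempt matches an unused code; that code is burned on success."""
        digest = hash_code(attempt)
        for stored in self.hashes:
            if hmac.compare_digest(stored, digest):
                self.hashes.remove(stored)
                return True
        return False


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("\n".join(codes))  # what the user writes down and keeps offline
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())  # True False 7
```

The store is per user, and an application would also warn the user to generate a new set once remaining() gets low, because a fallback with no codes left is no fallback at all.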

In the next steps I will show you how to set up TOTP for your account in TYPO3 and how to log in after enabling this option.

Enabling MFA for your TYPO3 backend account

To enable MFA for your TYPO3 backend account you just have to follow a few simple steps:

  1. Log in to the backend of TYPO3
  2. Go to the User Settings
  3. On the Account security tab you will find the option to set up Multi Factor Authentication
  4. Click on the green button "Setup multi-factor authentication"
  5. As said before, you need to set up time-based one-time passwords before you can set up the recovery codes option. So click on the "Setup" button for Time-based one-time passwords.
  6. Now take your mobile phone and choose the authenticator app of your choice. In my case I use the Google Authenticator app. If you do not have such an app yet, search your app store for one of the applications mentioned above.
  7. Add a new entry and use the scanner of the authenticator app to scan the QR code shown in step 1b on your screen. The QR code contains the shared secret, so do not share a screenshot of it.
  8. Your TYPO3 backend is now added to the list of accounts in the app. Enter the code it generates in step 3 on your screen. Optionally you can also give this provider a name, for example Google Authenticator.
  9. Make sure to save the settings before the code expires in your authenticator app; a code is typically only valid for 30 seconds.
  10. That's it!

You see, it is quite easy to set up MFA for your user. Now let's try to log in.

Login to the backend of TYPO3 with MFA enabled

So after you have set up your time-based one-time password it is time to log out and log in again to see if it is working.

  1. Log out of the TYPO3 backend
  2. Enter your username and password
  3. Open your authenticator app on your mobile phone
  4. Enter the code shown in the app in the field of the TYPO3 backend login
  5. Click on verify
  6. You are now logged in

You see, this is quite easy, but now you are much more secure. You are protected by a password and a security token, and it will be a lot harder for anyone to get access to your account without your knowledge.
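To make concrete what happens behind the QR code in the setup steps and the six-digit code in the login steps above, here is an added example that is not part of this post or of the TYPO3 core: a small Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms the authenticator apps speak. The enrollment side generates a random base32 secret and the otpauth:// URI a QR code would encode; the login side verifies a submitted code with a one-step tolerance for clock drift and refuses to accept the same time step twice. The issuer and account names and the TotpVerifier class are assumptions for the example; the shared secret used in the checks is the well-known test key from the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # time step used by the common authenticator apps
DIGITS = 6


def generate_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect (padding stripped)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrollment QR code encodes; it carries the secret in clear."""
    return (
        f"otpauth://totp/{quote(issuer)}:{quote(account)}"
        f"?secret={secret_b32}&issuer={quote(issuer)}"
        f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}"
    )


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore base32 padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // STEP_SECONDS, digits)


class TotpVerifier:
    """Server side of the login step (hypothetical helper for this example): accepts a
    code once, with a small clock-drift window. Persisting last_counter is left out."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_counter = -1  # highest time step already redeemed

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        counter = now // STEP_SECONDS
        first = max(counter - self.window, 0)
        for candidate in range(first, counter + self.window + 1):
            if candidate <= self.last_counter:
                continue  # already used: a code captured from the user cannot be replayed
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Enrollment: what the "Setup" button would generate for a made-up editor account.
    secret = generate_secret()
    print(provisioning_uri(secret, "editor@example.org", "TYPO3 backend"))
    # Login: the code the phone shows right now, and the server accepting it exactly once.
    code = totp(secret, int(time.time()))
    verifier = TotpVerifier(secret)
    print(code, verifier.verify(code), verifier.verify(code))  # second attempt is rejected
```

Two points worth noticing: everything the app needs to produce codes is in the URI, which is why the QR code must be treated like a password, and the server can only reject replays if it remembers the last accepted time step, so that value belongs in the user record, not in memory.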

Conclusion

Besides the providers shipped by the core, several third-party MFA providers are already available for TYPO3. Some examples are “mfa_yubikey” (by Torben Hansen), “mfa_hotp” (by Oliver Bartsch) and “mfa_webauthn” (by Benjamin Franzke). These give you even more options for the additional factor.

I think this feature makes us a lot safer, and we should certainly encourage all our users to enable it. Make the TYPO3 world a bit safer by enabling Multi Factor Authentication!

Get in touch!

Do you have a question? Do you want to work together? Just send me a message and I will get in touch as soon as possible.
