In a new series of posts about TYPO3 v11 Feature Highlights, this time the in version 11.1 introduced feature called Multi Factor Authentication. What is Multi Factor Authentication and why should I use it? And of course, I will show you how to use it within TYPO3.
When we want to login to an application, we are kind of used to supply an username and password to identify ourselves. If Multi Factor Authentication is supported in your application, you need multiple factors (pieces of evidence) to authenticate. Besides something you know, you also might use something you own or something that defines you. Let me explain.
|Something you know||This is an easy one and the most common one. A username and password combination is something you know. |
|Something you own||The most common thing you can own to use with Multi Factor Authentication is a security token. This can be a fysical device, but it can also be a piece of software on your mobile phone. |
|Something that defines you||This might be a bit harder to grasp, but think about biometric information. So for example your fingerprint or a scan of your eye iris. |
So if you want to login to an application that have Multi Factor Authentication support, you can use two or more of those factors to authenticate yourselves. Which options are available is up to the application itself.
Let's be honest, most of us reuses passwords or have passwords that might be a bit easy to "hack". Of course more and more people are using password managers and know that you should not reuse your passwords, but we are by far not at the point that everybody has passwords that are hard enough that it takes ages to "guess" the password. What happens if a "hacker" has your password? Let's assume you are an editor of typo3.org and your password is hacked. That person gets access to spread disinformation about the product or for example create links and redirects to wordpress.org.
To be more secure, you should have multiple layers of security. If you have for example MFA enabled with password and a security token, it will make it way harder for bad people to login to the application with your account. Besides that the person needs your password, it also needs to have access to your security token device.
So if you want to be secure, enable Multi Factor Authentication whenever it is possible.
Thanks to Oliver Bartsch and lots of other people, we have the possibility to use Multi Factor Authentication out-of-the-box in TYPO3 v11.1 and newer versions. Before you had to rely on some 3rd party extensions, but now the core is prepared to have MFA in a secure way. A complete introduction to this feature can be found in the changelog of TYPO3 v11.1, but in this post I will show you the possibilities and how easy it is to setup Multi Factor Authentication for your user.
With this feature also two additional ways of authentication are shipped. We call them MFA providers. Besides those two MFA providers that are shipped with TYPO3, you can of course create your own providers. You can find more information about creating your own providers in the documentation. Please be aware that the API might change until the release of TYPO3 v11LTS.
The two MFA providers shipped by core are Time-based one-time passwords (TOTP) and recovery codes. The recovery codes provider can only be uses as a fallback of other MFA providers so if you do not install additional MFA providers, you always have to enable the Time-based one-time password provider. This provider gives you the possibility to use an Authenticator Application like Google Authenticator, Microsoft Authenticator or 1Password.
In the next steps I will show you how to setup TOTP with your account in TYPO3 and how to login after enabling this option.
To enable MFA for your TYPO3 backend account you just have to follow some simple steps:
You see it is quite easy to setup MFA for your user. Now let's try to login.
So after you have setup your Time-based one-time password it is time to logout and login again to see if it is working.
You see, this is quite easy but now you are way more secure. You are now protected by a password and a security token. It will be a lot harder now for people to get access to your account without you know it.
Besides the providers shipped by core, there are already several 3rd party MFA providers available for TYPO3. Some examples of those providers are “mfa_yubikey” (by Torben Hansen), “mfa_hotp” (by Oliver Bartsch) and “mfa_webauthn” (by Benjamin Franzke). This will give you even more possibilities for the additional ways to authenticate.
I think this feature makes us a lot safer and for sure we should tell this to all our users to use this. Make the TYPO3-world a bit safer by enabling Multi Factor Authentication!
Do you have a question? Do you want to work together? Just send me a message and I will get in touch as soon as possible.