Install and configure two-step authentication on a Drupal 8/9 site

Two-factor authentication is a means of identifying a user through two separate pieces of information or identification. For your Drupal site, these two parts are your account password and a one-time password generated by a third-party mobile authenticator app. By requiring two separate proofs of identity, which an unauthorized user is unlikely to both possess, two-factor authentication provides a higher level of security for your website's users.

The Two-factor Authentication (TFA) module

To configure two-step authentication on a Drupal site we use the Two-factor Authentication (TFA) module, which works as a base module: by itself it does not offer two-step authentication, but rather provides a set of interfaces that let a specific two-step authentication method plug into Drupal.

The TFA module can be installed like any other Drupal module, by placing the module directory in the Drupal file system (for example, in sites/all/modules):

Two-factor Authentication (TFA) | Drupal.org

Or by using composer (recommended):

composer require drupal/tfa

Very important: make sure you are running Drupal on PHP 7.4 or higher, otherwise it throws a very strange error that in my case took me several hours to trace (see Known issues below).

Once downloaded, enable it on the Drupal modules page.

The Google Authentication login module

As I mentioned earlier, the TFA module only provides the interfaces; other modules, such as the Google Authenticator login module, implement the particular two-factor method they offer on top of them.

This module, which works as a complement to the TFA module, lets us use Google's authenticator app, Google Authenticator, as the second factor.

Users with Gmail accounts will probably find it familiar, since it is the same app they can use for two-step authentication on those accounts.

The module can be installed like any other Drupal module, by placing the module directory in the Drupal file system (for example, in sites/all/modules):

Google Authenticator login | Drupal.org

Or by using composer (recommended):

composer require drupal/ga_login

Once downloaded, enable it on the Drupal modules page.

The Encrypt and real AES modules

For the configuration we need an encryption method that lets us store the TFA secrets safely in the system, so we install the Encrypt module, which provides an API for symmetric and asymmetric encryption.

Real AES, on the other hand, is a module that provides an AES encryption method (AES in CBC mode) for the Encrypt module.

Both modules can be downloaded from their project pages on drupal.org:

Encrypt | Drupal.org

Real AES | Drupal.org

Or using composer (recommended):

composer require drupal/encrypt
composer require drupal/real_aes

Encryption key setup

Once all the necessary modules are downloaded and installed, the first thing to do is add a profile. For that, go to Settings -> System -> Encryption Profiles.

Or you can reach it directly at the following path:

/admin/config/system/encryption/profiles/add

Once there, enter a name for the key; choose a legible and easily identifiable name, for example the name of your site.

Under Type settings, select Encryption as the type and 256 as the size.

Below, add the encryption key value. This key must be 256 bits; you can generate it with a tool of your choice, or with an online one such as the one linked below:

Encryption Key Generator (acte.ltd/utils/randomkeygen)

When generating the key, make sure 256-bit is selected.

The value generated in the text field will be the value to be used in the key value field.
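As an added example (this is not code from the Key, Encrypt or Real AES modules), the Python below generates the 256-bit key locally instead of on a third-party web page, so the key never leaves your machine, and checks that a pasted key value really decodes to 256 bits before it goes into the key value field. Which encoding the key value field expects depends on the key input you choose in the profile, so both base64 and hex forms are produced; that mapping is an assumption of the example.

```python
import base64
import binascii
import secrets

KEY_BITS = 256  # the size selected under the key type settings


def generate_key(bits: int = KEY_BITS) -> dict:
    """Fresh random key from the OS CSPRNG, in the two encodings a text key
    field commonly accepts. Generated locally, so the key never leaves the host."""
    raw = secrets.token_bytes(bits // 8)
    return {"base64": base64.b64encode(raw).decode("ascii"), "hex": raw.hex()}


def key_bit_length(value: str) -> int:
    """Bit length of the key a pasted value decodes to (hex is tried first, then
    strict base64), or 0 if it is neither. Lets you confirm a value is really
    256 bits and not, say, a passphrase or a truncated paste."""
    value = value.strip()
    try:
        return len(bytes.fromhex(value)) * 8
    except ValueError:
        pass
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return 0
    # Require the canonical encoding so stray characters are not silently dropped
    return len(raw) * 8 if base64.b64encode(raw).decode("ascii") == value else 0


def is_valid_key(value: str, bits: int = KEY_BITS) -> bool:
    """True only if the value decodes to exactly `bits` bits of key material."""
    return key_bit_length(value) == bits


if __name__ == "__main__":
    key = generate_key()
    print("base64:", key["base64"], is_valid_key(key["base64"]))
    print("hex:   ", key["hex"], is_valid_key(key["hex"]))
```

Paste whichever encoding matches the key input you selected; if `is_valid_key` returns False for the value you are about to save, the profile will not be holding a real 256-bit key.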


Setting up Two-Step Authentication

Now we have to configure the two-step authentication that we are going to use.

Go to Users -> Two-Step Verification.

Or go directly to the path /admin/config/people/tfa.

Enable it.

Among the plugins to use, enable GA time-based login, which corresponds to Google Authenticator, and Recovery code, which lets users generate fixed codes to keep in case they lose access to Google Authenticator.

In Additional settings, enter 2 for the number of accepted codes, and in Issuer enter a short name such as "My site", which lets the user identify in the mobile app which site a code belongs to.

In the encryption profile, select the profile you created in the previous step.

In Skip validation set the value to 3.

You can leave the remaining values at their defaults or adjust them as shown in the screenshot.

In the final part you will see the messages that are emailed to the user once the configuration process is finished; make sure they are in the language of your site, or adjust them as you wish.

Then, save the configuration.
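The Python below is an added illustration, not code from the TFA or Google Authenticator login modules, of what the settings above control: a base32 secret and the otpauth:// URI that the enrolment QR code (step 7 of the user procedure further down) encodes, where the Issuer value is the name the app displays; RFC 6238 time-based code generation; server-side verification that accepts a small window of recent time steps and never accepts the same time step twice; and one-time recovery codes kept only as hashes. Treating "number of accepted codes" as the size of that time-step window is an assumption of the example, and the sample secret is the RFC 6238 reference secret, included here as constructed input.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

PERIOD = 30  # seconds per time step, the Google Authenticator default
DIGITS = 6   # length of the code the app shows

# Constructed sample: the RFC 6238 reference secret ("12345678901234567890") in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind an enrolment QR code encodes. `issuer` plays the
    role of the Issuer setting ("My site"); the app shows it next to the account
    so the user can tell sites apart."""
    return (
        f"otpauth://totp/{quote(issuer)}:{quote(account)}"
        f"?secret={secret}&issuer={quote(issuer)}"
        f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}"
    )


def totp(secret: str, timestamp: int) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    counter = struct.pack(">Q", timestamp // PERIOD)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server side of the check. `accepted_codes` is modelled as the number of
    consecutive time steps (current and earlier) whose codes are accepted, which
    tolerates clock drift between phone and server. Each time step is accepted
    at most once, so a code that was already observed cannot be replayed."""

    def __init__(self, secret: str, accepted_codes: int = 2):
        self.secret = secret
        self.accepted_codes = accepted_codes
        self.last_used_step = -1  # would be persisted per user in a real store

    def verify(self, code: str, timestamp: int) -> bool:
        for back in range(self.accepted_codes):
            step_time = timestamp - back * PERIOD
            step = step_time // PERIOD
            if step <= self.last_used_step:
                continue  # already consumed, or older than a consumed step
            if hmac.compare_digest(totp(self.secret, step_time), code):
                self.last_used_step = step
                return True
        return False


class RecoveryCodes:
    """Fixed fallback codes: shown to the user once, stored only as hashes,
    and each one is valid for a single use."""

    def __init__(self, count: int = 10):
        # Plaintext list exists only to be displayed once; the store keeps hashes.
        self.codes = [f"{secrets.randbelow(10 ** 9):09d}" for _ in range(count)]
        self._unused = {self._digest(c) for c in self.codes}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode("ascii")).hexdigest()

    def redeem(self, code: str) -> bool:
        h = self._digest(code)
        if h in self._unused:
            self._unused.remove(h)  # one use only
            return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(SAMPLE_SECRET, "admin@example.com", "My site"))
    verifier = TotpVerifier(SAMPLE_SECRET, accepted_codes=2)
    code = totp(SAMPLE_SECRET, 59)
    print(code, verifier.verify(code, 59), verifier.verify(code, 59))
```

The verifier keeps the last accepted time step per user: with the window set to 2, a code from the previous 30-second step is still accepted, but once a step has been used, presenting its code again is rejected even inside the window.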


This way, we have finished the configuration of the module and each user will be able to enable it from their administrative panel.

Notice that we did not enable the option that makes two-step authentication mandatory for users in the selected roles. We leave it off so that accounts of users who have not yet set it up are not locked out; once you are certain that all users have configured it, it is advisable to enable this option.

How to enable it (as a user)

  1. On your mobile device, download the Google Authenticator application.

     a. For Android, click on this link.

     b. For iOS, click on this link.

  2. Log in to your account on your Drupal site as you normally do.

  3. In the top administrative bar, click on your username; this displays a bar with options. Click on Edit profile.

  4. In the options that appear, click on Security.

  5. In the first option, Application for two-factor authentication, click on configure application.

  6. Enter your password (it is requested again for security purposes), then press the Confirm button.

  7. You will now see a page showing, among other things, a QR code. Open the Google Authenticator application on your mobile device; you will see an interface similar to the one in the screenshot. Press the + icon to add an account and select Scan a QR code.

  8. Scan the QR code; a 6-digit code will be generated in your Google Authenticator app. Enter that 6-digit code into the verification field on the Drupal page and click Verify, making sure to do so before the countdown indicator on the right runs out.

  9. If everything has gone well, you will see a confirmation message in a green stripe and, below it, the date on which the option was enabled. You will also receive an email confirming that you have enabled the option.

  10. Below is the Recovery Codes option. Configure it as well, to generate fixed codes you can use in the future if you lose access to the application or that method does not work for some reason. Click Generate Codes.

  11. You will be asked for the password again; enter it and press Confirm.

  12. A list of codes is generated. Copy them and keep them in a safe place so you can use them if needed. Finally, press the button Save codes to account.

  13. Again you will see the confirmation in the green stripe, and the option to view the generated codes or reset them is now enabled. With this we are finished.

How to use it (as a user)

Once you have enabled two-step verification, every time you log in to the website as normal you will see an additional step asking for the app verification code.

  1. Open the Google Authenticator app on your mobile device.

  2. Locate the entry for the site, enter its code in the field and press the Verify button.

  3. If you do not have the application or it is failing, you can use the codes you generated instead by clicking on Two-factor verification recovery code.

Known issues

If at any point in the configuration you see something like the following message, it is because you need PHP 7.4 or higher:

Parse error: syntax error, unexpected 'SettingsContainerInterface' (T_STRING), expecting function (T_FUNCTION) or const (T_CONST) in C:\laragon\www\testeqrcode_php\vendor\chillerlan\php-qrcode\src\QRCode.php on line 153

We hope you found this explanation of installing, configuring, and using two-factor authentication for Drupal helpful.