2FA in Joomla - Issues & solutions
Wherever software is involved, things can go wrong or not work as expected, and 2FA is no exception. In the list below I have collected a number of high-probability issues, each with a solution. The list is not meant to be complete, so if you run into other scenarios and find a solution, please let me know.
There is also a "First Aid Kit for 2FA" available on this site, where you will find many more tips & tricks for when things seem to go wrong on your site after enabling 2FA.
Preparatory tasks before you switch to 2FA
Needless to say, but for completeness I always mention this when explaining 2FA: always take a backup of your site before you change security settings of this kind. If you do not manage to get back into the administrator part of your site, a backup taken only a couple of minutes earlier can be a real life saver. I know that is not easy on a high-traffic site, but it gives you a known-good state from which you can recover your site as well as possible.
It is also a good idea to take a backup of your site and restore it to a non-production site, where you can test the procedure before executing it on your live site. By restoring a backup (preferably made with Akeeba Backup) you get a mirror of the site on which you will make the final change, so the test is a fairly good simulation of what to expect. Of course, this is no guarantee that enabling 2FA will turn out exactly the same on your live site as on the non-production mirror.
- 2FA is activated but I don't see the Secret Key field appearing in my login screen
- Check if your login module is 2FA ready
Sometimes, especially when you use third-party login applications, the modules were not developed with 2FA in mind and simply do not render the extra field. When that is the case there is no solution other than switching to another login application, module or plugin.
- Check if your template is 2FA ready. As with modules, some templates (typically ones that override the login form layout) were not developed with 2FA in mind and leave the field out. The same solution applies: switch to another template!
- I generate my secret key (the one-time code from my authenticator app), but my site refuses it
- Make sure your server and the device on which you generate the code are both synchronized to an accurate clock (NTP on the server, automatic time on the phone). The code is derived from the shared secret and the current time, in steps of 30 seconds, so if the two clocks differ by more than the small tolerance the server allows, the server expects a different code than the one your device shows. Some authenticator apps can correct their own clock; Google Authenticator, for example, has a "Time correction for codes" option in its settings.
- If you cannot get your server and your device in sync, you can always fall back on one of the one-time emergency passwords, which let you log in without a generated code. Be aware that a one-time emergency password is meant for a single use: once it has been used, make sure you still have at least one more available.
- My generator device has given up (or I have lost my phone, my phone was stolen, ...)
- You can always use one of your one-time emergency passwords (one from your list; once used it cannot be used again) to enter your site when you do not have another device that can generate your code.
- It is always a good idea to have a second, backup device that can also generate your code. Note that the second device has to be enrolled with the same secret, so scan the same QR code (or enter the same secret key) on both devices at the moment you enable 2FA. E.g. I have my Android phone, which I use as my secret-generating device, but I have also installed and configured a code-generating application on my desktop computer.
- My account is not activated for 2FA but I still get a "Secret Key" field
- Once at least one of the two-factor authentication plugins is enabled, all users get an extra field where they can enter their secret key. If 2FA is not activated on your user account, you can leave this input field empty and everything works as it did before.
- I am a user of a site, I have lost my authentication device and my list of one-time passwords is lost as well
- You can ask an administrator of the site to deactivate your 2FA. They have the permission to edit your user account but should of course only do this at your request, and only after verifying that you really are the account owner, since "I lost my phone" is exactly what an attacker would say. The normal procedure is that they disable 2FA on your user account, you log in without the extra field, and you then reactivate the 2FA method of your choice.
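To make the clock-synchronisation issue concrete, here is an added example (not code from this page or from Joomla) of how a TOTP code is computed from the shared secret and the current 30-second time step, and how a server that tolerates one step either side reacts to a device clock that is off by various amounts. The one-step tolerance window and the RFC 6238 reference secret are assumptions for the demonstration, not Joomla's documented values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example input: the RFC 6238 reference secret ("12345678901234567890"),
# base32-encoded the way authenticator apps and 2FA plugins exchange it.
REFERENCE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # TOTP time step used by authenticator apps
DIGITS = 6          # length of the code shown on the device


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Accept the secret as displayed to the user (grouped with spaces, any case)."""
    return base64.b32decode(secret_b32.replace(" ", ""), casefold=True)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30 s)."""
    return hotp(decode_secret(secret_b32), unix_time // STEP_SECONDS)


def verify_totp(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `window` steps
    either side (assumed tolerance; many TOTP verifiers use +/-1 step).  A device
    whose clock is further off produces a code outside this window, which the
    user experiences as "the site refuses my code"."""
    secret = decode_secret(secret_b32)
    current_step = server_time // STEP_SECONDS
    candidate = code.replace(" ", "").encode()
    return any(
        hmac.compare_digest(hotp(secret, current_step + delta).encode(), candidate)
        for delta in range(-window, window + 1)
    )


def drift_demo(server_time: int = 1111111111,
               device_skews=(0, 20, 35, -45, 120)) -> dict:
    """For each skew (seconds the device clock is ahead of the server clock),
    return whether the code the device would show is accepted by the server."""
    return {
        skew: verify_totp(REFERENCE_SECRET_B32,
                          totp(REFERENCE_SECRET_B32, server_time + skew),
                          server_time)
        for skew in device_skews
    }


if __name__ == "__main__":
    print("code at t=59:", totp(REFERENCE_SECRET_B32, 59))  # 287082, RFC 6238 test vector
    for skew, ok in drift_demo().items():
        print(f"device clock off by {skew:+5d}s -> {'accepted' if ok else 'REJECTED'}")
```

With the server at Unix time 1111111111 the device is accepted when its clock is exact, 20 seconds ahead (same step) or 35 seconds ahead (next step, inside the window), but rejected at 45 seconds behind or two minutes ahead, which is why a phone that is only a few minutes off already fails.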
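As an added illustration of why a one-time emergency password stops working after its first use (the point made in the items about emergency passwords and lost devices above), here is example code that is not part of this page or of Joomla: the site keeps only salted hashes of the codes and deletes an entry the moment it is redeemed, and an administrator reset wipes whatever is left so 2FA can be re-enrolled. The code format, the hashing parameters and the `EmergencyPasswords` class are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumed format for the demonstration: ten codes of eight digits, shown as "1234-5678".
CODE_COUNT = 10
PBKDF2_ROUNDS = 20_000   # cheap for a handful of codes, slow enough to hinder offline guessing


def _normalise(code: str) -> str:
    """Ignore the dash and whitespace the user may or may not type."""
    return "".join(ch for ch in code if ch.isdigit())


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(code).encode(), salt, PBKDF2_ROUNDS)


class EmergencyPasswords:
    """One-time emergency passwords for one user account.  Only (salt, hash) pairs
    are stored; an entry is deleted the first time it is redeemed, so a used
    password never works again."""

    def __init__(self):
        self._entries = []   # list of (salt, digest) for the codes not yet used

    def generate(self, count: int = CODE_COUNT) -> list:
        """Create fresh codes, store their hashes and return the plaintexts once.
        This is the list the user must print or save; it cannot be shown again."""
        self._entries = []
        plaintexts = []
        for _ in range(count):
            digits = f"{secrets.randbelow(10 ** 8):08d}"
            code = f"{digits[:4]}-{digits[4:]}"
            salt = secrets.token_bytes(16)
            self._entries.append((salt, _hash(code, salt)))
            plaintexts.append(code)
        return plaintexts

    def remaining(self) -> int:
        return len(self._entries)

    def redeem(self, candidate: str) -> bool:
        """Return True and consume the matching entry if `candidate` is an unused
        emergency password, False otherwise.  Each stored digest is compared in
        constant time, and the match is removed before returning."""
        for index, (salt, digest) in enumerate(self._entries):
            if hmac.compare_digest(_hash(candidate, salt), digest):
                del self._entries[index]
                return True
        return False

    def reset(self) -> None:
        """What an administrator does when the user has lost both the device and
        the list: wipe the remaining codes so 2FA can be re-enrolled from scratch."""
        self._entries = []


if __name__ == "__main__":
    otep = EmergencyPasswords()
    codes = otep.generate(3)
    print("codes handed to the user once:", codes)
    print("first use of code 0:", otep.redeem(codes[0]))    # True
    print("second use of code 0:", otep.redeem(codes[0]))   # False, already consumed
    print("unused codes left:", otep.remaining())           # 2
```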