Two Factor Authentication - First Aid Kit
2FA is a very useful extra layer of security, especially if you want to protect your administrator accounts and the back end of your site: sniffing tools (packet analyzers) won't be a long term solution anymore to get access to the site, as for hackers this will only be a one time shot and once they're logged out they won't be able to enter the site anymore because of the secret key which is a time dependent one time password.
However, using 2FA is not without risk (and I can whitness this as I encountered the problem myself on two of my Joomla sites): if anything which is part of the calculation of the secret key changes on your website itself, you won't be able to use the secret key anymore and as a consequence you won't be able to login anymore.
We will touch these elements in our "First Aid Kit on 2FA":
- Reasons why your secret key isn't allowing you to enter your site
- How to solve the 2FA problem on your site even when you can't login as an administrator
- Steps after you managed to get back into the back end of the server
There is more than one possibility which can ruin your 2FA system, but in a couple of cases there also is an easy solution. Let's first check what can go wrong:
- Time Synchronization Problem
- Time synchronization problem between the server of your site and the device which calculates your secret key
- 2FA secret key generation problem
- Your server has been moved to another machine by your provider (this can happen when you're on shared hosting and be sure they won't tell you!)
- The value of the secret-field in your configuration.php has been changed - the $secret variable is created at setup of your site and is used internally by the Joomla system to encrypt part of its communication. If it's changed throughout the lifetime of your site, you will get in trouble as I experienced.
- You lost your secret key calculating device
You end up getting a screen like the one just beneath - not quite funny because the only next step possible is to log out and get back to the login screen where you have to re-enter your Secret Key ... and the loop continues.
Bad Luck in every case ... but there are a couple of solutions.
Well, we're lucky because there are a couple of possible solutions:
If there's only a problem with time synchronisation of your server, make sure you have your server and your secret key generation device in sync. You can do this using an internet time server as these machines can help your devices to be at the same time. A list of time servers can be found e.g. at http://tf.nist.gov/tf-cgi/servers.cgi to which you can connect with any of your devices to synchronize time. If you don't know how to synchronize your device(s) with a time server, please have a quick search on Google with search words 'time server how to'.
If you have a problem with your 2FA system on the server itself or you lost your secret key generating device then you can take one of the following shortcut solutions:
- Solution 1: Rename the 2FA directory
This way, Joomla will not find the necessary configuration files anymore so it will allow you to enter the site without entering your secret key
If you have FTP access to your site, connect to it. Then execute the following steps:
- Find the directory plugins/twofactoraut
- Rename this directory - e.g. add an extension .BAK to the directory name
- Find the directory plugins/twofactoraut
- Solution 2: Remove your 2FA secret code from the user database
This way, Joomla will think you didn't activate 2FA for the user for which you removed the secret code and it will again allow you to enter the site without entering your secret key
If you can access your database (e.g. using PHPMySQL) connect to your database. Then execute the following steps:
- Go to the database which is used by your Joomla site as the starting point, the one you used for setting up your site
- Get to know what the prefix is of the tables used by your Joomla site
- Find the table prefix_users
- Open the table and look for the Super User with which you log in
- Edit this user
- Empty the field 'otpkey'
- Save your changes
In all cases, please make sure after you can re-enter your site as an administrator to disable the 2FA plugins (Google Authenticator and Yubikey) as a first step and read the next section to get to know what to do afterwards. This step will make sure that no "old data" stay current and that all 2FA problems are solved at that moment by simply disabling it and making your site operational again for everybody - be it without 2FA.
If you disable the 2FA plugins, then all users will get back to the situation where they only have to use their password to log in. Even if the "Secret Key" field appears on the login screen, it won't take this into account as all users will be reset to "Two Factor Authentication Disabled".
Now you're back into your site's backend and you have disabled the 2FA plugins, it's time to check for the next steps.
Because you had to disable the 2FA possibilities to be able to enter your site again doesn't mean you really want to disable it. Now the good news is: you can just re-enable the 2FA plugins and you will be able to setup the whole system again, but you must be aware that all users who have setup this system will also need to re-configure their 2FA and at this moment there's no system to force them to do so except if you're sending a mail to all of your users telling them what's going on.
What steps do you have to take to be back on the 2FA level of authentication:
- Go to your user settings
- Go to the 2 Factor Authentication part of your settings (be it on the back end or on the front end, there is no difference in handling). You will see that everything seems to be in place, but the secret key for GA has vanished and all emergency codes for both GA and Yubikey are gone. The message on the bottom clarifies that in fact the 2FA is not working anymore for the accounts.
- Choose to Disable the Two Factor Authentication and Save your settings
- Remove the account you just disabled on your code generator to avoid problems and misunderstandings later on
- Now choose to enable the 2FA method you would like to use. From this step on, you can continue as if you're just enabling 2FA for the first time. If you want to know exactly how to do this with the steps involved, please refer back to our series of articles where we explain the initial setup of Two Factor Authentication.