Joomla community powered logo

Site Slogan

Details

 

← Step 3: new login screen | 2FA Overview →

 

2FA in Joomla - Issues & solutions

In all installations where software is involved, things can go wrong or don't work as expected. 2FA is no exception to this rule. In the list beneath, I tried to catch a couple of issues which are known as "high-probability" problems together with a solution. Of course, this list is not meant to be complete so if you find other scenarios and their solutions, please feel free to let me know.

There is also a "First Aid Kit for 2FA" available on this site, where you can find a lot more tips & trics if things seem to go wrong on your site when using 2FA.

Preparatory tasks before you switch to 2FA

Needless to say, but for the case of completeness I always tell this when explaining 2FA: always take a back up of your site before you change this kind of security settings. If you don't succeed in getting back into the adminstrator part of your site, it can be a real life saver if you have a backup of only a couple of minutes ago. I know it's not easy if you have a heavy traffic site, but it can help to restore a situation where you can try to recover your site the best as possible.

On the other hand, it's always a good idea to take a backup of your site and restore it on a non-production site where you can test the procedure before executing it on your life site. By using a backup (preferably Akeeba Backup), you restore a mirror of the site where you will do the final update, so you have a quite good simulation of what you can expect. Of course, this is no guarantee that 2FA activation will turn out exactly the same on your life site as tested on a non-production mirror.

Issue List 

  1. 2FA is activated but I don't see the Secret Key field appearing in my login screen
    • Check if your login module is 2FA ready
      Sometimes, especially when you use third party login applications, the modules are not developed with 2FA in mind. When this occurs, there is no solution but to switch to another login application/module/plugin
    • Check if your template is 2FA ready. The same as for modules, some templates are also not developed with 2FA in mind. The same solution applies: switch to another template!
  2. I generate my login secret key, but my site refuses it
    • Make sure your site and your device where you generate the secret key are both synchronized to a specific clock. As the secret code is generated using the exact moment in time, the server will think it has to get another secret key than what your device generates if the time difference is too high
    • If you don't succeed in getting your server and your secret key device in sync, a final solution you can always use is to use one of the one time emergency passwords. These passwords will always allow you to log in with a secret password. But be aware that a "one time" emergency password is meant just for 1 use, so once it is used make sure you have at least one more of these available in your pocket.
  3. My generator device has given up (or I've lost my phone, my phone was stolen, ...)
    • You can always use your one time emergency passwords (one from your list, once it is used you can't use it anymore later on!) to enter your site when you don't have another device where you can generate your secret code
    • It's always a good idea to have a second backup device which can also generate your secret code. E.g. I have my Android phone which I use as my secret generating device, but I've also installed and configured a code generating application on my desktop computer
  4. My account is not actived for 2FA but I get a "secret key" field
    • Once at least one of the plugins for two factor authentication is enabled, all users will get an extra field where they can fill their secret key. If your user account is not activated with 2FA, you can leave this input field empty and everything will work fine as it was before
  5. I am a user of a site and I've lost my authentication device. Furthermore, my list of 1 time passwords is lost
    • You can ask an administrator of the site to deactivate your 2FA - they have the power to change your user but should of course only do this if you ask for it. Normal procedure would be that they disable 2FA on your user, you can then log in without the extra field to be filled and you can reactivate the 2FA method of your choice.
© Edoozeh 2023

Edoozeh is not affiliated with or endorsed by the Joomla Project or Open Source Matters. The Joomla logo is used under a limited license granted by Open Source Matters the trademark holder in the United States and other countries.

↑ Top

NOTE! This site uses cookies.

If you do not change browser settings, you agree to it. Learn more

I understand

Cookies

To make this site work properly, we sometimes place small data files called cookies on your device. Most big websites do this too.

What are cookies?

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another.

How do we use cookies?

A number of our pages use cookies to remember:

Also, some videos embedded in our pages use a cookie to anonymously gather statistics on how you got there and what videos you visited.

Enabling these cookies is not strictly necessary for the website to work but it will provide you with a better browsing experience. You can delete or block these cookies, but if you do that some features of this site may not work as intended.

The cookie-related information is not used to identify you personally and the pattern data is fully under our control. These cookies are not used for any purpose other than those described here.

How to control cookies

You can control and/or delete cookies as you wish – for details, see aboutcookies.org. You can delete all cookies that are already on your computer and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.

You can find the full EU privacy guideline by clicking on this link