Two Factor Authentication - First Aid Kit

2FA is a very useful extra layer of security, especially if you want to protect your administrator accounts and the back end of your site: a password captured with a sniffing tool (packet analyzer) is no longer a long-term way into the site. For an attacker it is a one-time shot at best, because the secret key is a time-dependent one-time password; once that session ends, the captured credentials no longer get them in.

However, using 2FA is not without risk (and I can witness to this, as I encountered the problem myself on two of my Joomla sites): if anything that is part of the calculation of the secret key changes on your website itself, the secret key will no longer be accepted and, as a consequence, you won't be able to log in anymore.

We will touch on these elements in our "First Aid Kit on 2FA":

Reasons why your secret key isn't allowing you to enter your site

There is more than one thing that can break your 2FA system, but in a couple of cases there is also an easy solution. Let's first check what can go wrong:

  • Time synchronization problem
    • The clock of the server hosting your site and the clock of the device that calculates your secret key are out of sync
  • 2FA secret key generation problem
    • Your server has been moved to another machine by your provider (this can happen when you're on shared hosting, and be sure they won't tell you!)
    • The value of the secret field in your configuration.php has been changed. The $secret variable is created when your site is set up and is used internally by Joomla to encrypt part of its communication. If it is changed during the lifetime of your site, you will get in trouble, as I experienced.
    • You lost the device that calculates your secret key

You end up with a 2FA error screen when logging in, which is not much fun, because the only next step possible is to log out and return to the login screen, where you have to re-enter your secret key ... and the loop continues.

Bad luck in every case ... but there are a couple of solutions.

How to solve the 2FA problem on your site even when you can't log in as an administrator

Well, we're lucky because there are a couple of possible solutions:

Time synchronization problem

If the only problem is the time synchronization of your server, make sure your server and your secret key generating device are in sync. You can do this using an internet time server: every device synchronized against one keeps the same time as the others. A list of time servers can be found e.g. at http://tf.nist.gov/tf-cgi/servers.cgi; any of your devices can connect to one of them to synchronize its clock. If you don't know how to synchronize your device(s) with a time server, a quick Google search for 'time server how to' will get you started.
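To show why a clock difference locks you out, here is an added example (not code from the article or from Joomla) that computes the time-based one-time password the way Google Authenticator does (RFC 6238, 30-second steps, 6 digits) and checks it against a server clock that is a given number of seconds off. The demo secret is the RFC 6238 reference key, and the one-step tolerance either side is an assumption for the demo; the exact window Joomla applies is not stated in the article.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # time step in seconds used by Google Authenticator (RFC 6238 default)
DIGITS = 6   # length of the code the user types in as "Secret Key"

# Constructed demo secret: base32 of the RFC 6238 reference key "12345678901234567890".
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret_b32, unix_time // STEP)


def verify(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step or up to `window` steps either side.
    The one-step tolerance is an assumption for this demo, not Joomla's documented value."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def accepted_with_skew(secret_b32: str, device_time: int, skew: int, window: int = 1) -> bool:
    """Does a code generated on a device whose clock reads `device_time` pass on a server
    whose clock is `skew` seconds ahead (positive) or behind (negative)?"""
    code = totp(secret_b32, device_time)
    return verify(secret_b32, code, device_time + skew, window)


if __name__ == "__main__":
    t = 1111111109  # RFC 6238 reference instant; the 6-digit code is 081804
    print("code on the device:", totp(DEMO_SECRET, t))
    for skew in (0, 30, 90, 3600):
        status = "OK" if accepted_with_skew(DEMO_SECRET, t, skew) else "REJECTED"
        print(f"server clock off by {skew:5d}s: {status}")
```

A server that is 30 seconds off still accepts the code, but 90 seconds (three steps) already produces the login loop described above, which is why syncing both clocks to a time server fixes this case without touching the site.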

2FA secret key generation problem

If you have a problem with the 2FA system on the server itself, or you lost your secret key generating device, then you can take one of the following shortcut solutions:

  1. Solution 1: Rename the 2FA directory
    This way, Joomla will no longer find the files it needs for 2FA, so it will let you enter the site without asking for your secret key.
    If you have FTP access to your site, connect to it. Then execute the following steps:
    1. Find the directory plugins/twofactorauth
    2. Rename this directory, e.g. by adding the extension .BAK to the directory name
    Please don't forget to remove the extension you added here (in this case .BAK) after you have done the necessary reset actions, to re-enable the 2FA features of your site.

  2. Solution 2: Remove your 2FA secret code from the user database
    This way, Joomla will think you never activated 2FA for the user whose secret code you removed, and it will again let you enter the site without asking for your secret key.
    If you can access your database (e.g. using phpMyAdmin), connect to it. Then execute the following steps:
    1. Go to the database used by your Joomla site, the one you used when setting up your site
    2. Find out which prefix the tables of your Joomla site use
    3. Find the table prefix_users (with prefix replaced by your site's table prefix)
    4. Open the table and look for the Super User you log in with
    5. Edit this user
    6. Empty the field 'otpkey'
    7. Save your changes

In all cases, once you can re-enter your site as an administrator, make sure to disable the 2FA plugins (Google Authenticator and Yubikey) as a first step, and read the next section to learn what to do afterwards. This step makes sure that no "old data" stays current: disabling 2FA resolves all 2FA problems at that moment and makes your site operational again for everybody, be it without 2FA.

If you disable the 2FA plugins, all users return to the situation where they only need their password to log in. Even if the "Secret Key" field still appears on the login screen, it is ignored, as all users are reset to "Two Factor Authentication Disabled".

Steps after you managed to get back into the backend of the server

Now that you're back in your site's back end and have disabled the 2FA plugins, it's time for the next steps.

Having had to disable 2FA to get back into your site doesn't mean you really want it disabled. The good news is that you can simply re-enable the 2FA plugins and set the whole system up again. Be aware, though, that every user who had set up 2FA will also need to re-configure it, and at this moment there is no mechanism to force them to do so, other than sending a mail to all of your users telling them what's going on.

These are the steps to get back to the 2FA level of authentication:

  1. Go to your user settings
  2. Go to the Two Factor Authentication part of your settings (on the back end or on the front end, there is no difference in handling). You will see that everything seems to be in place, but the secret key for GA has vanished and all emergency codes for both GA and Yubikey are gone. The message at the bottom clarifies that 2FA is in fact no longer working for the account.
  3. Choose to disable Two Factor Authentication and save your settings
  4. Remove the account you just disabled from your code generator, to avoid problems and misunderstandings later on
  5. Now choose to enable the 2FA method you would like to use. From this step on, you can continue as if you were enabling 2FA for the first time. If you want to know exactly how to do this, step by step, please refer back to our series of articles explaining the initial setup of Two Factor Authentication.
