In this blog post we are going to talk about how we at Problue Solutions provide two-factor authentication on our client’s websites using the Drupal framework, to protect the account of the website administrator and staff, or the accounts of users, or both.
Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves.
Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person's devices or online accounts because, even if the victim's password is hacked, a password alone is not enough to pass the authentication check.
If you use online banking, you have probably already used two-factor authentication, where you must provide a code generated by an app or a code sent in an SMS text message, in addition to your password, before you can log into your account.
Two-factor authentication is becoming increasingly common on websites, with many now enforcing its use to improve the security of user’s accounts. If you run a website which allows users to log in, or you are thinking of having a website developed, then you should consider having two-factor authentication built into the solution.
A few different technologies are required in combination to provide our two-factor authentication solution:
Two-factor authentication module (TFA)
TFA is a base module for providing two-factor authentication for Drupal. As a base module, TFA handles the work of integrating with Drupal, providing flexible and well tested interfaces to enable various two-factor authentication solutions like Time-based One Time Passwords (TOTP), SMS-delivered codes, pre-generated codes, or integrations with third-party services like Authy, Duo and others.
The TFA module requires encryption to prevent a hacker intercepting data. We use the Sodium (libsodium) library which comes as standard in the PHP programming language and provides symmetric encryption and decryption of data.
Sodium works together with the Encrypt module which is an API that connects together encryption methods and tools, this in turn uses the Key module which provides the ability to improve Drupal security by managing sensitive keys (such as API and encryption keys).
Google Authenticator Login
The Google Authenticator Login module provides a Time-based One-time Password algorithm (TOTP) support to user logins. It works with Google's Authenticator, Authy, FreeOTP and any other TOTP-based authenticator applications. This is the part of the solution that connects to the authenticator app on your phone.
The authenticator login module leverages the php QRCode library to generate on-screen QR codes as part of the two-factor authentication set-up.
Using all of the above modules and technologies we build our preferred solution which is to force users to set up two-factor authentication when they initially attempt to log into your website. The user is presented with the below screen where they can use the Google authenticator app (or one of the other supported apps) to scan the QR code and then input the provided verification code from the app.
Once set up is complete, each time the user logs into the website they will be asked for a verification code from the Google authenticator app, in addition to their password.
If you are interested in having two-factor authentication set up on your website and would like to discuss further, get in touch.