Increasing the security of your site, over the usual login layer, can be an important factor for many users. Whether this be for everyone, or just for the extra security of admin areas on your site.
Two factor Authentication allows you to add an extra layer of security to your site, by allowing you to add another form of login, such as security questions, or even text message authentication.
All two factor authentication settings can be found within the following location in your ACP
System -> Settings -> Two Factor Authentication
There are 3 different methods of 2 factor authentication, each of which are discussed below. When one of these is set up by the user, it will prompt the user for one of these secondary items after they have logged in.
The user can set up these items from their security settings in Account Settings -> Security settings. Here you can see I already have security questions set up. I can amend these using the option provided, or activate another if one is available.
When setting up these, the system will ask you any details required for you to set up that option. Here the system is asking us for 3 security questions.
Question Setup
In the default setup of the platform, there are 3 authentication types which you can allow (or even force) people to use on your site. These can all be seen within the following location of your ACP, and can be enabled by selecting the icon at the side of the relevant icon
System -> Settings -> Two Factor Authentication
The Authy method of authentication will allow users to authenticate via text message, phonecall, or by the Authy app which can be downloaded to the users phone. In order to set up authy, you would need to get an API key from the authy site
https://dashboard.authy.com/signin
Once you have this, add the API key in the location provided, and set up which options you wish to use for this.
Google authenticator will allow people to authenticate on the site using the google authenticator application on mobile (downloadable from the app store/play store). The only settings for this are which groups that can use it. Other than this, it simply needs switching on. No other configuration is needed.
When the user initially sets this up, they will be given a barcode to scan with the authenticate application. This will in turn, give a code to be entered into the site. Each time the user then enters the site, they will be asked for the code on their application, which will change every few seconds and is unique to that individual account
Google Authentication Setup
Setting up security questions for use will allow the user to answer any of the questions you have set up in their settings, and then be prompted to provide that same answer to a random one of those questions on login. On the settings page, you can set whether or not you wish for this to be mandatory, along with how many questions you want them to set up.
You will find on the questions tab, there are some pre-populated questions which are set up within the stock installation for your use. You can delete, edit, or add to these questions from this page
Question Creation
On the main settings page for Two Factor Authentication, you will find many different options relating to how this will work on your site. This includes the ability to set up groups in which setting up 2 factor authentication is mandatory, which can often be an important security consideration where groups have more access. For example, you may wish for the administrators group to have to set up 2 factor authentication.
In addition, here you can set up what prompts 2 factor authentication. So it may be that you want people to use this when logging into the ACP and changing passwords only, for example.
The email addresses and passwords that your members use on the site, are often the core security measure for a member accessing your site. As such it is important that these are both set up securely in the first place, and then kept secure once they are stored. In order to aid this, the software allows you to set up password strength limitations. This can be found within the fololwing location
System -> Settings -> Login & Registration
Of course, on occasion you may find reason to force your users to change their password on the site. This can be done from the following location, by selecting the "Force Password Reset" button at the top of the page
Members -> Members
If you need to do this only for an individual member, you can do this by selecting "Edit Password" then clicking the link provided within the password reset page for that member
Report Guide