#29605 – Force 2 step verification just on backend

Posted in ‘Pre-sales and Account Questions’
Tuesday, 01 May 2018 19:56 CDT
Hi, I've just installed Login Guard as we want to force 2 step verification for backend/admin users. However, I can't find whether this is possible or where to do it.
Is it possible? And if so, where do I do it? I've clicked on the LoginGuard component but there wasn't anything there to set it.

I neither despise nor fear...

twh.creations
Wednesday, 02 May 2018 03:10 CDT
The ticket title and the ticket text ask two different questions which have two diametrically opposite answers. So, let me explain.

Is it possible to only enable LoginGuard for the backend login page? No, you can't and you shouldn't. Joomla! uses the same login information to let users log into both the frontend (public site) and the backend (administrator area) of the site. Moreover, newer versions of Joomla! allow for a unified login where logging into the frontend will also log you into the backend and vice versa. By protecting only the backend login you are creating a massive security hole. The attacker could brute force your password (or use a stolen password) in the frontend and perform administrative functions or even log into the backend of the site.

Is it possible to only enable LoginGuard for users with backend access? Yes, absolutely, it's a feature that has existed in Joomla! since 2010, when Joomla! 1.6 Alpha 2 was released. Every Joomla! plugin allows you to set an Access Level. If you set LoginGuard's system and user plugins to Special access then only users with backend access will have Two Step Verification applied to their login.

The reason that works with LoginGuard but not with Joomla's Two Factor Authentication plugins is that LoginGuard is NOT Two Factor Authentication (2FA), it's Two Step Verification (2SV). The important bit is that 2FA must be provided with the login information, i.e. before the user is logged in. Therefore Joomla! has to ask it from everybody. On the other hand, 2SV operates with what is called a "captive login". The user logs in but then cannot proceed until they provide their 2SV. This means that at the point where we have to evaluate whether to ask the user for 2SV they are logged in and we know who they are and what kind of access they have.

And now, the question nobody asks. Should I only enable 2SV for specific user groups? No, you shouldn't do that on most sites. 2FA and 2SV are NOT site security features, they are user account security features. They do not protect your site, they protect your users. If your users store personally identifiable information on your site when they are logged in, information not visible to the general public, it might even be legally advisable to enable 2SV for everybody to fulfill the EU's GDPR requirement for "appropriate technical measures" to protect your users' personal information.

So, in short, yeah, you can do what you have in mind but I wouldn't recommend it.


Nicholas K. Dionysopoulos
Lead Developer and Director
Greek: native
English: excellent
French: basic
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

nicholas
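The captive-login mechanism and the plugin Access Level scoping described in the answer above, modelled as an added Python example (not LoginGuard's or Joomla's code). The `User`, `Session`, `TwoStepPlugin` and `route` names are assumptions made for the illustration; the access level numbers mirror Joomla's default Public/Registered/Special levels.

```python
# Toy model of a post-login ("captive") 2SV gate scoped by plugin access level.
# Added illustration only; the classes and function names are made up and
# do not correspond to LoginGuard's or Joomla's actual API.
from dataclasses import dataclass
from typing import Optional, Set

# Joomla's default viewing access levels.
PUBLIC, REGISTERED, SPECIAL = 1, 2, 3

# Paths a captive user may still reach: the 2SV page itself and logout.
CAPTIVE_ALLOWED = {"/loginguard/captive", "/logout"}


@dataclass
class User:
    name: str
    access_levels: Set[int]  # levels granted by the user's groups


@dataclass
class Session:
    user: Optional[User] = None   # None until Joomla's own login succeeds
    two_step_done: bool = False   # True once the captive 2SV page is passed


@dataclass
class TwoStepPlugin:
    """Stands in for the LoginGuard system plugin; `access` is its Access Level."""
    access: int = SPECIAL

    def applies_to(self, user: User) -> bool:
        # Joomla only runs a plugin for users whose groups grant its access level,
        # so Special (backend-capable) scoping falls out of the plugin's own setting.
        return self.access in user.access_levels


def route(session: Session, plugin: TwoStepPlugin, path: str) -> str:
    """Return what the visitor sees: 'login', 'captive' (2SV page) or 'allow'.

    The decision is made AFTER authentication and is identical for frontend
    and backend paths, which is why it can depend on who the user is.
    """
    if session.user is None:
        return "login"
    if plugin.applies_to(session.user) and not session.two_step_done:
        return "allow" if path in CAPTIVE_ALLOWED else "captive"
    return "allow"


def complete_two_step(session: Session, code_ok: bool) -> bool:
    """Mark the session as verified only if a logged-in user passed the 2SV check."""
    if session.user is not None and code_ok:
        session.two_step_done = True
    return session.two_step_done
```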
Friday, 01 June 2018 17:17 CDT
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
system