#29605 Force 2 step verification just on backend

Posted in ‘Pre-sales and Account Questions’

Latest post on Friday, 01 June 2018 17:17 CDT

Hi, I've just installed Login Guard as we want to force 2 step verification for backend/admin users. However, I can't find if this is possible/where to do it.
Is it possible? And if so, where do I do it? I've clicked on the LoginGuard component but there wasn't anything there to set it.

I neither despise nor fear...

Akeeba Staff
The ticket title and the ticket text ask two different questions which have two diametrically opposite answers. So, let me explain.

Is it possible to only enable LoginGuard for the backend login page? No, you can't and you shouldn't. Joomla! uses the same login information to let users log into both the frontend (public site) and the backend (administrator area) of the site. Moreover, newer versions of Joomla! allow for a unified login where logging into the frontend will also log you into the backend and vice versa. By protecting only the backend login you are creating a massive security hole. The attacker could brute force your password (or use a stolen password) in the frontend and perform administrative functions or even log into the backend of the site.

Is it possible to only enable LoginGuard for users with backend access? Yes, absolutely, it's a feature that has existed in Joomla! since 2010, when Joomla! 1.6 Alpha 2 was released. Every Joomla! plugin allows you to set an Access Level. If you set LoginGuard's system and user plugins to Special access then only users with backend access will have Two Step Verification applied to their login.

The reason that works with LoginGuard but not with Joomla's Two Factor Authentication plugins is that LoginGuard is NOT Two Factor Authentication (2FA), it's Two Step Verification (2SV). The important bit is that 2FA must be provided with the login information, i.e. before the user is logged in. Therefore Joomla! has to ask it from everybody. On the other hand, 2SV operates with what is called a "captive login". The user logs in but then cannot proceed until they provide their 2SV. This means that at the point where we have to evaluate whether to ask the user for 2SV they are logged in and we know who they are and what kind of access they have.

And now, the question nobody asks. Should I only enable 2SV for specific user groups? No, you shouldn't do that on most sites. 2FA and 2SV are NOT site security features, they are user account security features. They do not protect your site, they protect your users. If your users store personally identifiable information on your site when they are logged in, information not visible to the general public, it might even be legally advisable to enable 2SV for everybody to fulfill the EU's GDPR requirement for "appropriate technical measures" to protect your users' personal information.

So, in short, yeah, you can do what you have in mind but I wouldn't recommend it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
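The following is an added example, not code from Akeeba or Joomla!, that models in Python why the reply above says an access-level scope works for 2SV (captive login, evaluated after authentication) but not for 2FA (evaluated before identity is known). The group tree, view-level rules, usernames, passwords and the fixed "000000" verification code are all constructed sample data; they are assumptions that merely resemble a stock Joomla! layout, not values taken from the page.

```python
# Added example (not Akeeba's or Joomla's code): a minimal model of why a
# post-login (2SV) check can be scoped to an Access Level while a
# pre-login (2FA) check cannot. All groups, view levels and credentials
# below are constructed assumptions, not values from the page.

from dataclasses import dataclass

# Constructed group tree, child -> parent, in the style of Joomla's nested groups.
GROUP_PARENT = {
    "Registered": "Public",
    "Author": "Registered",
    "Editor": "Author",
    "Publisher": "Editor",
    "Manager": "Registered",
    "Administrator": "Manager",
    "Super Users": "Public",
}

# Constructed view levels: level name -> groups that (with their children) hold it.
VIEW_LEVELS = {
    "Public": {"Public"},
    "Registered": {"Registered"},
    "Special": {"Author", "Manager", "Super Users"},
}

# Constructed user store: username -> (password, groups). Never do this in real code.
USERS = {
    "alice": ("alice-pw", ("Registered",)),
    "bob": ("bob-pw", ("Administrator",)),
}

VERIFICATION_CODE = "000000"  # constructed stand-in for a real second-step code


def ancestors(group):
    """Yield a group and every parent up to the root (inheritance walk)."""
    while group is not None:
        yield group
        group = GROUP_PARENT.get(group)


def authorised_levels(groups):
    """View levels a user in these groups can access, inheritance included."""
    lineage = set()
    for g in groups:
        lineage.update(ancestors(g))
    return {lvl for lvl, roots in VIEW_LEVELS.items() if roots & lineage}


@dataclass
class Session:
    username: str
    groups: tuple
    needs_2sv: bool = False  # captive: authenticated but blocked until 2SV passes


def login_2fa_style(username, password, otp):
    """2FA is validated together with the credentials, before identity is
    established. The plugin cannot consult an access level for a user it does
    not know yet, so the second factor is demanded from everybody."""
    if otp is None:
        return None, "otp-required"
    rec = USERS.get(username)
    if rec is None or rec[0] != password or otp != VERIFICATION_CODE:
        return None, "denied"
    return Session(username, rec[1]), "ok"


def login_2sv_style(username, password, plugin_access="Special"):
    """2SV (captive login) runs after authentication succeeds. Because the
    user is known, the plugin can be restricted to users whose view levels
    include plugin_access, and only those are held captive."""
    rec = USERS.get(username)
    if rec is None or rec[0] != password:
        return None, "denied"
    sess = Session(username, rec[1])
    if plugin_access in authorised_levels(rec[1]):
        sess.needs_2sv = True
        return sess, "captive"
    return sess, "ok"


def complete_2sv(sess, code):
    """Release a captive session once the second step is verified; returns
    True when the session may proceed."""
    if sess.needs_2sv and code == VERIFICATION_CODE:
        sess.needs_2sv = False
    return not sess.needs_2sv


if __name__ == "__main__":
    print(login_2fa_style("alice", "alice-pw", None))          # everyone is asked
    print(login_2sv_style("alice", "alice-pw"))               # frontend-only user: no 2SV
    sess, state = login_2sv_style("bob", "bob-pw")            # backend user: captive
    print(state, complete_2sv(sess, VERIFICATION_CODE))
```

The point of the model is the order of operations: in `login_2sv_style` the `authorised_levels` lookup happens after the password check, which is exactly the information a pre-login 2FA hook cannot have. Note also that scoping applies to the whole account regardless of which login form was used, which is why the reply treats "backend users" rather than "the backend login page" as the right unit of protection.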

System Task
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
