Title: How to Setup Multi-Factor Authentication (MFA) for a Drupal Site

Published: September 29, 2024
By Mya Schaefer, Senior Consultant, Berkshire Solutions LLC

Abstract: This document provides step-by-step instructions for setting up Multi-Factor Authentication (MFA) on a Drupal site, offering an extra layer of security for user accounts. The guide covers installing necessary modules, configuring MFA with Google Authenticator or similar apps, and enforcing MFA for selected user roles. It also includes additional security considerations, such as offering backup codes and setting up hardware-based MFA using Yubikey. By following these instructions, Drupal administrators can enhance site security and protect against unauthorized access.

Getting Started: Setting up Multi-Factor Authentication (MFA) for a Drupal site adds an extra layer of security, which is especially important for protecting admin accounts. Here’s how you can set up MFA in Drupal using common methods, such as time-based one-time passwords (TOTP) with apps like Google Authenticator, or using modules designed for MFA.

Steps to Set Up MFA on a Drupal Site

1. Install the Required Modules

First, install and enable the modules that provide MFA functionality on your Drupal site. Some popular options are:

  • TFA (Two-Factor Authentication): Provides two-factor authentication capabilities for your Drupal site.
  • Google Authenticator Login: Adds TOTP authentication using Google Authenticator.
  • Yubikey: If you use hardware-based MFA (e.g., Yubikey).

Steps to Install Modules:
  1. Go to Extend in your Drupal admin menu.
  2. Search for the MFA-related module (e.g., TFA).
  3. Check the box next to the module name.
  4. Click Install.
  5. Alternatively, if you need to install manually, download the module from Drupal.org, upload it to your /modules directory, and enable it from the Extend page.

2. Configure Two-Factor Authentication (TFA) Module

After installing the TFA module, configure it for MFA on your site. The TFA module works well with Google Authenticator, SMS, or email-based authentication.

Steps:
  1. Navigate to: Configuration > People > TFA Settings.
  2. Enable TFA: Under the settings page, select the authentication methods you want to enable. Common options include:
    • Time-based one-time passwords (TOTP) for apps like Google Authenticator or Authy.
    • SMS-based codes.
    • Email-based verification codes.
  3. Configure TFA Methods:
    • For TOTP: Select “Google Authenticator” or similar apps. Users will need to scan a QR code with the app to receive time-based codes.
    • For SMS or Email: Ensure your site can send SMS or email verification codes by configuring your site’s mail or SMS gateways.
  4. Set Required Roles: You can decide whether MFA is required for all users or just for specific roles (e.g., administrators).
  5. Save the configuration.

3. Set Up Google Authenticator or Authy (For TOTP)

To use Google Authenticator or similar TOTP apps, each user will need to set it up individually.

Steps for Users:
  1. Download the Google Authenticator or Authy app from the app store.
  2. Log into the Drupal site as the user.
  3. Go to Account Settings.
  4. Set up MFA: Once the user visits their profile page, they will be prompted to scan a QR code using their authentication app.
  5. After scanning, the app will start generating one-time passcodes.
  6. Verify: Users will need to enter the code generated by their app to complete the setup.
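To show what the QR code in step 4 actually carries and how the site checks the code entered in step 6, here is an added example (not code from the page or from the Drupal TFA module) of TOTP as specified in RFC 6238, the scheme Google Authenticator and Authy implement. The secret, account and issuer names are constructed for illustration; `verify` adds the two checks a server needs in practice: a small drift window and rejection of a code step that was already accepted.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30      # seconds per code (the Google Authenticator default)
DIGITS = 6     # code length

def new_secret() -> str:
    """Fresh 160-bit shared secret, base32-encoded as the QR payload expects."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrolment QR code encodes (names are assumed)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")

def totp(secret_b32: str, at: float) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(at // STEP)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def verify(secret_b32: str, submitted: str, at: float,
           last_used: int = -1, window: int = 1):
    """Server-side check. Accepts the current step and +/- `window` steps to
    tolerate phone clock drift, but refuses any step <= the last accepted one
    so a code observed once cannot be replayed. Returns (ok, counter)."""
    current = int(at // STEP)
    for counter in range(current - window, current + window + 1):
        if counter <= last_used:
            continue
        expected = totp(secret_b32, counter * STEP)
        if hmac.compare_digest(expected, submitted):
            return True, counter
    return False, last_used

if __name__ == "__main__":
    s = new_secret()  # constructed secret for this demo run
    print(provisioning_uri(s, "admin@example.com", "Example Drupal"))
    print("current code:", totp(s, time.time()))
```

The `last_used` counter must be persisted per user between logins for the replay check to mean anything.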

4. Enforce MFA on Login

To ensure that MFA is enforced when users log in:

  1. Go to Configuration > People > TFA Settings.
  2. Ensure TFA is set as required on login for the desired user roles (e.g., administrators).
  3. Test the MFA by logging out and back in, ensuring you’re prompted for the second authentication factor.

5. Additional Security Considerations

To strengthen the security of your MFA implementation, consider the following:

  • Backup Codes: Offer users backup codes in case they lose access to their TOTP app.
  • Account Recovery: Provide account recovery options, such as email-based recovery or support contact information, in case users lose access to their second factor.
  • Logging and Monitoring: Ensure login attempts and MFA failures are logged for auditing and security monitoring.
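Backup codes are only as safe as the way the site stores them. As an added example (not from the page or the TFA module), the following shows one way to issue a set of single-use recovery codes, keep only salted hashes of them, and consume each code exactly once; the code format and count are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10  # assumed: how many codes a user gets per issue

def _digest(salt: bytes, code: str) -> str:
    """Normalise user input (case, separator) and hash it with the per-user salt."""
    normalised = code.replace("-", "").replace(" ", "").lower().encode()
    return hashlib.sha256(salt + normalised).hexdigest()

def issue_backup_codes(count: int = CODE_COUNT):
    """Return (plaintext codes to show the user once, record to store server-side).
    Each code carries 64 bits of randomness, so a plain salted hash is adequate."""
    salt = secrets.token_bytes(16)
    plain = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
    record = {"salt": salt, "hashes": [_digest(salt, c) for c in plain]}
    return plain, record

def redeem_backup_code(record: dict, submitted: str) -> bool:
    """Accept a code once: on match, remove its hash so it can never be reused."""
    candidate = _digest(record["salt"], submitted)
    for stored in record["hashes"]:
        if hmac.compare_digest(stored, candidate):
            record["hashes"].remove(stored)
            return True
    return False

def codes_remaining(record: dict) -> int:
    """Useful for warning the user to regenerate when few codes are left."""
    return len(record["hashes"])
```

Rate-limit the redeem endpoint like any other login step, since a backup code bypasses the TOTP app entirely.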

6. Test MFA

Test the setup by:
  • Logging in with a user account that has MFA enabled.
  • Verifying that the second authentication factor (Google Authenticator, SMS, email, etc.) is required after entering the username and password.

7. Optional: Add Yubikey Support

If you’re using hardware MFA like Yubikey, you can install the Yubikey module:
  • Install the module.
  • Configure it in the Yubikey Settings page.
  • Follow the instructions to register users’ Yubikeys.

  1. TFA (Two-Factor Authentication):
    • Provides general two-factor authentication, including support for Google Authenticator and other TOTP apps.
    • Download: TFA Module
  2. Google Authenticator Login:
  3. Yubikey:

Summary of Steps:

  1. Install the necessary module (TFA, Google Authenticator, or Yubikey).
  2. Configure the module’s settings in Configuration > People > TFA Settings.
  3. Set up your preferred MFA methods (TOTP, SMS, email, etc.).
  4. Have users configure their accounts (QR code scanning or registering hardware keys).
  5. Enforce MFA for login.
  6. Test the implementation.

Please contact Berkshire Solutions if you’d like help installing MFA for your Drupal site.

Keywords:
  • Multi-Factor Authentication (MFA)
  • Drupal Security
  • Google Authenticator
  • TFA Module
  • Yubikey
  • Two-Factor Authentication (2FA)
  • Drupal User Authentication
  • Cloud Security
  • Account Protection
  • Secure Login
