Increase security with MFA on your TYPO3 site
Security has always been a key factor for TYPO3. To improve user account security, TYPO3 v11 includes an additional security feature called multi-factor authentication (MFA). This increases security because authentication requires both a username+password combination (something a user “knows”) plus an additional factor (something a user “owns”), for example, a time-based password or a security key.
MFA has been integrated independent of the already existing “Authentication Services”. Therefore, already existing authentication mechanisms, such as LDAP or OAuth2, behave as before but can additionally be enhanced by activating MFA.
New security features often lead to a deteriorated user experience, because they require you to perform more tasks. It impacts your daily workflow, adding time and aggravation. To reduce this impact, MFA is implemented as a single step in the authentication process. Depending on the selected method, for example, security keys (currently only available as a TYPO3 extension), no additional clicks are necessary.
The same goes for setting up MFA. In case a user is required to use MFA, which can be configured by an administrator, a straightforward setup process is initiated as soon as the user tries to log into the backend. Depending on the selected method, setting up MFA can then be done with one to two clicks.
API for Extension Developers
Extension developers can implement custom MFA providers. A single PHP class handles the different tasks, such as activating the provider or verifying the authentication request. Registration is done via the service configuration (which was implemented in TYPO3 v10). You can add custom providers, or use them to replace the built-in providers.
Configuring MFA on your site
To tailor MFA to installation-dependant needs, administrators are equipped with a couple of configuration options, such as:
- Defining a recommended provider for specific users and user groups.
- Managing allowed providers for specific users and user groups.
- Enforcing MFA for specific users and user groups.
Supporting administrators in managing their installation has always been top-of-mind for TYPO3, and was no exception when implementing MFA. Several backend modules have been enhanced to report users’ MFA status. It’s also possible for administrators to manage the providers a user has activated in the corresponding user record. This is especially useful in case a user has locked a provider, due to submitting incorrect credentials multiple times.
In future TYPO3 versions, MFA will be available for frontend logins, too. Additionally, TYPO3 will also increase the number of built-in MFA providers. The focus is on the Webauthn standard, which allows usage of security keys and “built-in authenticators” (for example, TouchID on Apple MacBooks).
Increase your security now
Want to improve the security of your TYPO3 instance? Upgrade now to v11 or get in touch with us if you need help implementing MFA on your site.
We’re here to offer professional support with your upgrades to TYPO3 v11, or any topics regarding your TYPO3 projects