Two-Factor Login Security

Developed by

Expert
This add-on is easy to set up and a great addition to your website security strategy. The hard work of incorporating…

silasg

Protect all your critical accounts on Concrete5 websites even if someone knows or steals your password.

It’s like Cinderella’s slipper. She can give her name and confirm where she was before midnight, but it’s only when the slipper fits that Prince Charming knows she’s for real — Nick Asbury.

Here's the idea

Put simply, this extra layer makes it almost impossible to hack your account because it requires 2 things:

  • 1 thing you know: your password
  • 1 thing you have: your mobile phone

It's the same type of protection you have when you use your bank card at an ATM: you need something you know (your PIN) and something you have (your card).

Except with Two-Step Authentication, your phone is way smarter and more secure than your bank card :)

This is how it works

  1. You install the Google Authenticator app on your phone
  2. You set up Two-Factor Login Security on your website and activate it for any accounts you want to protect (I suggest Admin, for a start)
  3. You add your Secret Key to Google Authenticator on your phone (easily, with a scannable QR code)
  4. Next time you want to log in to your site, you'll be asked for your usual username and password
  5. If those check out, you'll be asked for a Google Authenticator code as a second step

How is this more secure?

I can hear you think: but it sounds like I now have 2 passwords instead of 1. How is this more secure?

The difference is Google Authenticator codes have a very short period of validity. Less than 2 minutes. They can't be guessed because there's no time to guess them.

To be clear, to hack your account, one would have to obtain:

  1. Your username (easy)
  2. Your password (time-consuming but easy)
  3. Your mobile phone (hopefully you're being careful with that)
  4. Your phone unlocking password or pattern (again be careful)

Who is this for?

  • Anyone who wants to keep control of their website should use Two-Step security for admin accounts
  • Sites where users are given specific roles such as Editor, File Manager... should protect these accounts
  • Any sites where users have accounts with sensitive data (e-Commerce websites, schools, job boards...) should build trust with their clients by protecting their accounts
  • Anybody who's already activated Two-Factor Authentication on their email and social accounts (Gmail, Facebook...) knows how important it is and should do the same with their website

Current Version: 1.7.1
Fully Translatable: Yes
Needs External Libraries: No
Compatible 5.7.5.11+
License: Standard
Support Response: Replies to tickets every few days.
Support Hosted: On concrete5.org
Needs extra server permissions: No
Needs Internet: No
Marketplace Tests:
Passed Automated Tests
Passed PRB Review