TYPO3 version 11 ships with several new security features, among them multi-factor authentication (MFA), available since v11.1. Multi-factor authentication can be set up in just a few simple steps.
Furthermore, TYPO3 developers can develop their own MFA providers (MFA API) or find more in the TYPO3 Extension Repository (TER) in addition to the MFA providers supplied in TYPO3 v11.1.
This article focuses on the administration of the MFA providers supplied in v11.1: Time-based one-time password and recovery codes.
Activate an MFA provider
Time-based one-time passwords and recovery codes are so-called MFA providers that offer a way to authenticate yourself to the system. Several MFA providers can be active in parallel, and they are configured individually for each BE user.
So that backend users who are not TYPO3 admins can also use MFA providers, a TYPO3 admin must allow these MFA providers in a corresponding BE group, which is assigned to the relevant BE users:
User settings
An MFA provider is administered in the User settings module. Here too, the TYPO3 administrator should ensure that this module is available to the BE user.
The Account security tab contains the new Multi-factor authentication option, which offers a button for setting up or managing the MFA provider, depending on the MFA status:
Setup
The MFA provider Time-based one-time password requires a six-digit code when logging in, which is only valid for 30 seconds. This requires an OTP application (One-Time Password), such as Google Authenticator or 1Password, which displays this six-digit code.
The recovery codes MFA provider is intended as a fallback if the standard provider, in this case the time-based one-time password MFA provider, cannot be used in any way (e.g. smartphone or OTP application not working).
If the BE user sees the following screen, they have not been authorized by a TYPO3 administrator to activate an MFA provider (see also "Activate an MFA provider"):
When setting up the time-based one-time password MFA provider, an OTP application, such as the aforementioned Google Authenticator, is required to scan the QR code and then enter the six-digit code in the Enter the generated six-digit code field for confirmation:
For example, in the Google Authenticator, the TYPO3 site name (TYPO3 v11) and the BE user (user) appear in brackets:
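The mechanism behind the time-based one-time password provider, and what the enrolment QR code carries, as an added Python example (not TYPO3's code): HMAC-SHA1 over a 30-second time counter, truncated to six digits, plus a verifier that tolerates one step of clock drift. The issuer/account label follows the common otpauth URI format; the exact label TYPO3 emits is not taken from this article, and the secret used in the test is the RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(time / step).
    With step=30 the code changes every 30 seconds, as in the TYPO3 provider."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps
    (clock drift between server and phone). compare_digest keeps the
    comparison constant-time; every candidate is checked, none is short-cut."""
    counter = unix_time // step
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            matched = True
    return matched


def otpauth_uri(secret: bytes, issuer: str, account: str,
                step: int = 30, digits: int = 6) -> str:
    """Content of the enrolment QR code: the shared secret in base32 plus the
    issuer/account label the authenticator app displays (e.g. site name and
    backend user name). Label layout is the usual otpauth format (assumption)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(issuer, safe="") + ":" + quote(account, safe="")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits={digits}&period={step}")
```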
Once the setup is complete, the MFA overview appears again and you can activate additional MFA providers or adjust or deactivate those that are already active:
Now we activate the recovery codes MFA provider as a fallback. It generates eight-digit codes that should be stored in a safe place. Saving the recovery codes can take a few seconds because they are additionally encrypted before being stored, so don't be surprised if saving does not complete immediately:
Backend login with MFA
After activating the two MFA providers, a prompt for the one-time password (time-based one-time password) appears at the backend login after the usual prompt for the user name and password. Other MFA providers are also displayed, in our case the recovery codes MFA provider:
If too many attempts to verify with the corresponding codes have failed, TYPO3 informs the user with a corresponding message:
An MFA provider can either be unlocked by a TYPO3 admin, e.g. by switching to the corresponding user via the backend user module and unlocking the MFA provider in the user settings, or the BE user can log in with an alternative provider (e.g. recovery codes) and then also unlock the locked MFA provider in the user settings (Unlock):
It is also worth mentioning that a TYPO3 administrator can delete/deactivate (but not unlock) activated MFA providers in the BE user record (tab title: General):
Official TYPO3 documentation / other MFA providers
The official TYPO3 documentation https://docs.typo3.org/m/typo3/reference-coreapi/11.5/en-us/ApiOverview/Authentication/MultiFactorAuthentication.html shows further configuration options, as well as instructions for registering your own MFA provider via the MFA API.
In the TYPO3 Extension Repository you can find further MFA providers with the search term "mfa": https://extensions.typo3.org/?L=0&id=1&tx_solr%5Bq%5D=mfa
Bonus: Rate Limiter
As mentioned at the beginning, new security features have been integrated in TYPO3 v11, and another one I stumbled across is the rate limiter (Symfony library). When testing the new MFA feature, I entered my username and password incorrectly too many times in quick succession and received the following message:
Using a flush cache (maintenance module) in the TYPO3 backend, I was able to remove this lock again. However, this removes all login locks - just a side note.
The backend login, as well as frontend logins, are protected by this security feature, so that too many failed logins from the same IP address trigger a login lock. Of course, this feature can also be customized, whether for the backend or frontend login. An example of the backend login:
$GLOBALS['TYPO3_CONF_VARS']['BE']['loginRateLimit'] = 5;                  // failed attempts allowed per interval
$GLOBALS['TYPO3_CONF_VARS']['BE']['loginRateLimitInterval'] = '15 minutes'; // length of the interval
$GLOBALS['TYPO3_CONF_VARS']['BE']['loginRateLimitIpExcludeList'] = '';      // IPs never rate-limited (comma-separated)
You can find rate limiter documentation here:
https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/11.3/Feature-93825-RateLimitingForFailedLogins.html