Drupal 8 two Factor authentication using Google Authenticator app
Two-factor authentications make login process more secure by introducing additional steps for log in apart from user name and password.
Here we are discussing about how we can achieve two factor authentication in a Drupal 8 website using TFA contributed module(https://www.drupal.org/project/tfa) and Google authenticator app.
So after the integration of all dependent modules and TFA , after normal log in, users asked to enter a 6 digit code in an application verification input box. Users have to enter 6 digit code that appears in the authenticator app. Here we will discuss the whole process in detail.
Before installing TFA we have to install dependent modules and configure those modules.
We are dividing this article into the below steps.
- install encrypt module
- install and configure real_aes and key module
- install and configure TFA module and ga_login module
Step 1 – install encrypt module
Real aes module has a dependency on the encrypt module . so we have to install encrypt module first .
Step 2 –install and configure real_aes and key module
We are going to configure Encryption module real_aes and key module.
Encryption Method – [Real AES](https://www.drupal.org/project/real_aes)
Some encryption method module is required to be able to use the Key and Encrypt
Install key module (https://www.drupal.org/project/key)
Then enable key and RealAES module
Real RES module need Defuse PHP-Encryption library so you have to install this module using below composer command
composer require drupal/real_aes
next, we are going to generate an encryption key using the command prompt. This is needed in the key configuration window.
Configuration -> System->keys
Generate a base64 key in command line
Use below command in linux
dd if=/dev/urandombs=32 count=1 | base64 -i - > /var/www/html/your_project/encrypt.key
Visit the Keys module’s configuration page and click “Add Key”
Provide information’s below
Next step is to define encryption profiles.
The encrypt module allows the site owner to define encryption profiles that
can be reused throughout Drupal website. The TFA module requires an encryption profile.
We already installed the encryption module. Navigate to below page
Configuration ->system->encryption profile
Click on “Add Encryption Profile”
Fill the below details.
- Label your Encryption Profile
- Encryption method: “Authenticated AES (Real AES)” – or the encryption method
of your choice.
- Encryption Key: Select the Key you created in the previous step.
Next step install TFA module.
Step 3 – install and configure TFA module and ga_login module
Download TFA module from the below link.
next we have to install Google authenticator module from below link.
This module has multiple PHP library dependencies. See below dependencies.
So use composer to install this module.
Use below composer command
composer require drupal/ga_login
Enable this module.
Now we have installed all required modules. Next we are going to configure TFA module.
Navigate to TFA configuration under configuration-> People.
Select Enable TFA for account authentication.
Encryption profile we have to select what we have created in the previous step.
Keep other values as default.
In the permission page, you can select roles to set up TFA of their accounts.
If this access granted user can set up TFA in their security tab of profile page.
Clicking on the link redirect to below page where you have to provide you current password.
Next page you can see the QR code.
Download Gooogle authenticator App from app Store.
Play store link
Apple app store link
click on ‘+’ button and scan QR code. then the authenticator app will provide 6 digit verification code that you can provide in the above application verification code field.
Click verify and Save and you can see success message and list of recovery codes.
Now all set up completed. Next we are going to logout and login again using 2 factor auth.
Login using your username and password. After click on login button , system will ask verification code.
Open your Google authenticator app.
enter 6 digit code appears in authenticator app in box shown above.
After click on verify system will redirect to admin screen.
So our entire TFA set up completed and we have tested whole functionality . note one thing in your authenticator app, you can add multiple accounts. Also 6 digit code appearing in app keep on changing within 3 -4 second.