Two-Factor Authentication enhances the standard authentication protocols we use - which generally require only a username and a password - by adding the requirement for something that only you have in your possession. You may have seen this kind of technology in use in other situations - for example, smart-cards are often used in the National Health Service for this purpose.
What really made us sit up and take notice was the implementation of support for Yubikeys in the core of Joomla! 3.2, which was released in November 2013.
A Yubikey is a small device which fits on a keychain and is inserted into a USB port of your computer. It comes in a couple of different varieties, including the standard, Neo, VIP and Nano. We will be giving customers the option to choose which type of Yubikey you would like to have within your organisation - remember that these can also be used with a range of other applications, including the popular LastPass system.
On pressing the gold button, a One Time Password (OTP) is generated for use in an application or anything else requiring authentication.
This password is then checked to confirm that it was produced by the Yubikey registered to the user logging in; the check is carried out in real time against either the YubiCloud service or a validation server hosted on your own infrastructure.
The One Time Password is only valid for that single use - it becomes invalid immediately thereafter - so even if the password were captured or recorded, it could not be reused.
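To make the single-use property concrete, here is a small validation server in Go. It is an added example, not code from this post, from Joomla! or from Yubico; it follows Yubico's published OTP format (12-character modhex public ID followed by a 16-byte AES-128 encrypted token carrying a private identity, a session counter, a timestamp, a use counter and a CRC), and enforces the counter check that makes a recorded OTP useless on replay. The public ID, AES key and private identity used in the demo are constructed values, and `generateOTP` only stands in for the button press so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Modhex: hex restricted to characters that sit on the same keys in most keyboard layouts.
const modhex = "cbdefghijklnrtuv"

func modhexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 {
		return nil, errors.New("odd modhex length")
	}
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("invalid modhex character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, c := range b {
		sb.WriteByte(modhex[c>>4])
		sb.WriteByte(modhex[c&0x0f])
	}
	return sb.String()
}

// crc16: reflected polynomial 0x8408, initial value 0xffff, as used in the token.
func crc16(buf []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range buf {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = (crc >> 1) ^ 0x8408
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

// keyRecord is what the validation server stores per registered key.
type keyRecord struct {
	aesKey  []byte // 16-byte AES key programmed into the key (constructed in the demo)
	uid     []byte // 6-byte private identity, never transmitted in clear
	lastCtr uint16 // highest session counter accepted so far
	lastUse uint8  // highest use counter accepted within that session
}

type validator struct{ keys map[string]*keyRecord }

// validate checks one 44-character OTP. Token layout after decryption:
// uid[6] | ctr[2] | tstamp[3] | use[1] | rnd[2] | crc[2] (little-endian fields).
func (v *validator) validate(otp string) error {
	if len(otp) != 44 {
		return errors.New("bad OTP length")
	}
	rec, ok := v.keys[otp[:12]]
	if !ok {
		return errors.New("unknown public ID")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	block, err := aes.NewCipher(rec.aesKey)
	if err != nil {
		return err
	}
	tok := make([]byte, 16)
	block.Decrypt(tok, ct) // one raw AES block, exactly as the key encrypts it
	// Integrity: bytes 14-15 hold the complemented CRC of bytes 0-13.
	if binary.LittleEndian.Uint16(tok[14:]) != crc16(tok[:14])^0xffff {
		return errors.New("CRC mismatch: wrong AES key or corrupted OTP")
	}
	if !bytes.Equal(tok[:6], rec.uid) {
		return errors.New("private identity mismatch")
	}
	ctr := binary.LittleEndian.Uint16(tok[6:8]) & 0x7fff // bit 15 is a flag, not count
	use := tok[11]
	// Replay protection: the (session, use) counter pair must strictly increase.
	if ctr < rec.lastCtr || (ctr == rec.lastCtr && use <= rec.lastUse) {
		return errors.New("replayed or stale OTP")
	}
	rec.lastCtr, rec.lastUse = ctr, use
	return nil
}

// generateOTP simulates the key's button press so the demo runs offline (hypothetical helper).
func generateOTP(publicID string, rec *keyRecord, ctr uint16, use uint8, tstamp uint32, rnd uint16) string {
	tok := make([]byte, 16)
	copy(tok[:6], rec.uid)
	binary.LittleEndian.PutUint16(tok[6:8], ctr)
	binary.LittleEndian.PutUint16(tok[8:10], uint16(tstamp)) // low 16 bits of timestamp
	tok[10] = byte(tstamp >> 16)                             // high 8 bits
	tok[11] = use
	binary.LittleEndian.PutUint16(tok[12:14], rnd)
	binary.LittleEndian.PutUint16(tok[14:16], crc16(tok[:14])^0xffff)
	block, _ := aes.NewCipher(rec.aesKey)
	ct := make([]byte, 16)
	block.Encrypt(ct, tok)
	return publicID + modhexEncode(ct)
}

const demoPublicID = "cccccccccccb" // constructed public ID

func newDemoValidator() *validator {
	return &validator{keys: map[string]*keyRecord{demoPublicID: {
		aesKey: []byte("0123456789abcdef"),                  // constructed, not a real key
		uid:    []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06}, // constructed private identity
	}}}
}

func main() {
	v := newDemoValidator()
	otp := generateOTP(demoPublicID, v.keys[demoPublicID], 7, 1, 0xabcd, 0x1234)
	fmt.Println("first use:", v.validate(otp)) // <nil>
	fmt.Println("replay:   ", v.validate(otp)) // replayed or stale OTP
}
```

The second `validate` call fails because the server has already recorded counter pair (7, 1) for that key, which is the whole mechanism behind "it is immediately invalid thereafter": the OTP itself is not stored or blacklisted, the counters simply never go backwards. Note that the private identity and AES key live only on the key and on the validation server, which is why a self-hosted validator holds the same secrets the YubiCloud would.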
How does this work with Joomla?
With our Joomla! 3.2 sites we will simply be enabling Two-Factor Authentication using the core plugins which ship with Joomla!. The logins we use in the office will all be using YubiKeys by the end of November, and commencing in December we will be issuing Yubikeys to clients to facilitate Two-Factor Authentication for their administrator users.
For sites running versions earlier than 3.2, we will be installing plugins which allow us to use the Yubikey Two-Factor Authentication system during December, and rolling out Yubikeys to clients during the New Year.
What will it cost?
We will be providing Yubikeys to clients at cost - you will require one for every user who logs into the 'back end' of your site, as each key can only be associated with one user. Your account manager will be in touch during the coming months to ascertain how many you require and organise despatching them to you. We can also provide clear instructions on how to implement this system if you would rather set up Two-Factor Authentication yourself.
We have had to recover a number of hacked and damaged sites in the past which were compromised because an administrator's username and password had been guessed, stolen or otherwise leaked. While adding Two-Factor Authentication does not guarantee your site will not be hacked, it does add an extra level of security. We will also be implementing stronger password security on all sites running Joomla! 3.2 and later.
What about servers?
Any clients who routinely interface with their servers via SSH or by any other means will also require a YubiKey to carry out these actions. Our Linux team lead will be in touch with you in due course to ensure that sufficient YubiKeys are ordered and to discuss the implementation of Two-Factor Authentication on your servers.