As an additional security measure, we’ve added two-step authentication (two-step login verification) to our Blog toolbox plugin. For anyone who hasn’t heard of two-step authentication, we’ll explain it now.
Two-step authentication is one more security layer among the many that exist and are applied to the login procedure. It is an additional, second step in login verification, and its main purpose is to protect and preserve the user's data from hackers and other kinds of malicious attack.
We’ve implemented two-step authentication in our plugin, and it is available as an option by default. Backend users may or may not activate it; that is entirely up to them. Now we’ll explain how to activate two-step authentication and how it works in detail.
When you first log in to the backend administration, to enable two-step authentication go to the Settings section, then to the System menu, and click Administrators. There, when you add a new user/administrator, you will also find a new checkbox, “Enable two step authentication?”. If you want to enable two-step authentication, check this checkbox. Each user should check this option for themselves; the super admin shouldn’t decide this for any user.
After you’ve checked it, a new field for a recovery email and a button for downloading a token will appear. The recovery email is a second or backup email address that you should enter in case you lose access to your primary email; it is used in the recovery process. This is a very important field and you shouldn’t skip it: if you don’t enter a recovery email and then lose access to your primary email while two-step authentication is enabled, you’ll be locked out at the login procedure permanently and won’t be able to access the backend administration.
Another very important step is to click the new button labelled “Download token as txt file”. This step matters because this token is always the same, it is used in the recovery process, and the recovery email and this token are used together as a combination in the recovery process. Note that you can download this token only for yourself; an admin can't download other users’ tokens. In other words, if you are logged in to the administration as an admin and can see other users, you can’t download their tokens, only your own. It is designed this way to keep user information secure and protected.
As you can see, both the recovery email and the token are very important: if you lose access to either of them, you won’t be able to complete the two-step authentication procedure and won’t be able to proceed from there. So please enter your recovery email and download the token, and once you’ve done that, if you want to be extra cautious, record the recovery email and token somewhere else as well so you don’t lose access to them.
When you enable two-step authentication, you won’t be logged out immediately. You can still browse the backend administration and work as you did before. We did this so as not to disrupt your user experience. You’ll see the two-step authentication page once you have logged out and log in again.
Now we’ll describe how the two-step authentication procedure works. When you are logged out and try to access the backend administration, you’ll see the default OctoberCMS login page as usual. Here you enter your normal backend login credentials.
After you submit your credentials, if everything is in order you’ll be taken to the two-step authentication page. This page is simple: it has a token input field, a “generate token” button and a send button. Beneath that is some text and a link to the recovery process.
On this page you must enter a two-step authentication token in the token input field. You’ll receive this token by email immediately after reaching this page (please be patient and also check your “spam” folder if you don’t see the email, as email can sometimes take a minute or longer to arrive). Once you have the email, enter the token in the token input field and click the send button; if everything is correct, you’ll be taken into the backend administration.
If for some reason you don’t receive the token in your email, or if you get a “token is invalid” message, click the generate token button and a new two-step authentication token will be sent to your email. Enter it in the token input field to pass the verification and enter the administration area.
If you lose access to your primary email, or for some reason you didn’t receive a token there, you can click the link below the form, which leads to the recovery process.
Once you click that link, you’ll land on a new page for the recovery process. This page has two fields and one button. Here you enter the recovery email and the recovery token we mentioned above, which you had to set up in the administration and save (write it down and keep it) for this process. If you enter everything correctly, you’ll be redirected back to the two-step authentication page and a token will be sent to your recovery email. Enter that token in the token input field, and you can then access the backend administration.
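To make the flow above concrete, here is an added model of it in Python. This is illustration code written for this page, not the plugin's own; the six-digit token format, the ten-minute lifetime, single use, constant-time comparison and the in-memory "outbox" standing in for email delivery are all assumptions about how such a check is sensibly built, not documented plugin behaviour.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_TTL = 600  # assumed lifetime in seconds; the plugin does not document one


@dataclass
class Account:
    email: str
    recovery_email: str
    recovery_token: str           # the static token downloaded as a .txt file
    pending: dict = field(default_factory=dict)   # one-time token awaiting use
    outbox: list = field(default_factory=list)    # stands in for the mail transport


def issue_token(acct: Account, to_address: str, now: float) -> str:
    """After the password login (or the "generate token" button), email a fresh
    one-time token. Issuing a new token replaces any earlier pending one."""
    token = f"{secrets.randbelow(10**6):06d}"   # assumed six-digit format
    acct.pending = {"token": token, "to": to_address, "expires": now + TOKEN_TTL}
    acct.outbox.append((to_address, token))
    return token


def verify_token(acct: Account, submitted: str, now: float) -> bool:
    """Check the token typed on the two-step page: reject missing, expired or
    mismatching tokens (constant-time compare) and consume it on success."""
    p = acct.pending
    if not p or now > p["expires"]:
        return False
    if not hmac.compare_digest(p["token"], submitted.strip()):
        return False
    acct.pending = {}             # single use: the same token cannot be replayed
    return True


def recover(acct: Account, recovery_email: str, recovery_token: str, now: float) -> bool:
    """Recovery page: the recovery email AND the downloaded token must both match;
    only then is a one-time token sent to the recovery address instead."""
    ok_mail = hmac.compare_digest(acct.recovery_email.lower(), recovery_email.strip().lower())
    ok_tok = hmac.compare_digest(acct.recovery_token, recovery_token.strip())
    if not (ok_mail and ok_tok):  # both evaluated, so neither check short-circuits the other
        return False
    issue_token(acct, acct.recovery_email, now)
    return True
```

Because the downloaded recovery token never changes, it is effectively a second long-lived credential: in this model it is only ever accepted together with the matching recovery email, and a successful recovery still ends in a fresh one-time token rather than granting access directly.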