How TFA module works
Last updated on 8 December 2020
This page describes how version 2.x of the Two-Factor Authentication (TFA) module works within Drupal to provide 2FA options for authenticating with Drupal sites.
For more specific details it is recommended that you read the TFA source code.
At a high level, the TFA module does the following 3 things:
- Hook into standard Drupal login after the username and password are validated
- Redirect to form entry for 2FA code
- Validate 2FA code and finish Drupal authentication
The normal Drupal authentication flow:
- User enters authentication information (username and password) on Drupal login form and submits.
- Drupal validates this information and, if it is valid, creates a new session for the user identifying them as an authenticated user.
- The authenticated user is redirected to a particular destination if set or else to their user profile page.
The TFA module changes the authentication flow to:
- User enters authentication information (username and password) on Drupal login form and submits.
- Drupal validates this information and, if it is valid, creates a new session for the user identifying them as an authenticated user.
- The TFA module implements the Drupal user login hook.
- TFA checks whether the logged-in user should go through TFA and, if so, logs the user out so that they must go through TFA.
- TFA starts the TFA process for confirming user identity (e.g. for a TFA SMS plugin, the code is sent via SMS at this point).
- The logged-out user is redirected to a TFA form for entering a code to confirm identity.
- TFA validates the code and, if it is correct, re-authenticates the user.
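The changed flow above, modelled as a small Python state machine to show that no authenticated session exists between the password check and the code check. This is an added example, not Drupal or TFA module code; the class and method names, the in-memory session table, the sample users and the pending-login token are assumptions made for illustration.

```python
import hmac
import secrets


class Site:
    """Toy model of the TFA login flow; not Drupal or TFA module code."""

    def __init__(self, users, tfa_required):
        self.users = users                # name -> password (constructed sample data)
        self.tfa_required = tfa_required  # names that must pass the second factor
        self.sessions = {}                # session id -> authenticated user name
        self.pending = {}                 # pending token -> (name, expected code)
        self.outbox = []                  # stands in for an SMS plugin's delivery

    def _new_session(self, name):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = name
        return sid

    def login(self, name, password):
        """Password check, session creation, then the login hook."""
        stored = self.users.get(name)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return ("denied", None)
        sid = self._new_session(name)       # the user is authenticated at this point
        if name not in self.tfa_required:
            return ("authenticated", sid)
        del self.sessions[sid]              # login hook: log the user out again
        code = f"{secrets.randbelow(10**6):06d}"
        self.outbox.append((name, code))    # TFA process starts (e.g. SMS send)
        token = secrets.token_urlsafe(16)   # assumption: how the form finds the user
        self.pending[token] = (name, code)
        return ("tfa_form", token)

    def submit_code(self, token, code):
        """Validate the code and, if correct, re-authenticate the user."""
        entry = self.pending.get(token)
        if entry is None or not hmac.compare_digest(entry[1].encode(), code.encode()):
            return ("denied", None)
        del self.pending[token]             # a pending login is usable once
        return ("authenticated", self._new_session(entry[0]))

    def whoami(self, sid):
        """What a request carrying this session id is treated as."""
        return self.sessions.get(sid, "anonymous")
```
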