Drupal.org users* can now use Two factor authentication to increase the security of their accounts. It can be enabled via Security tab of your user profile page. Read the detailed instructions at Enabling TFA on Drupal.org.

This was made available to Drupal.org admins in May. It is now required for users who have advanced access on Drupal.org. However, every user can benefit from the security that two factor authentication offers.

If you want to make two factor authentication available on your own Drupal site, you can install the TFA module.

* Two factor authentication is available for all users with the 'confirmed user' role. If you don't see 'Security' tab on your profile page, you might be missing the role. Just keep posting content on Drupal.org and it will be granted soon. You can also apply to get the role.


gaele’s picture

The TFA module has no stable release yet, so it does not get Drupal Security Team support. Is that right? Or are modules used on drupal.org treated differently?

(Edit: hmm, I see there is an older 7.x-1.0, but that version is no longer supported by the module maintainers.)

DamienMcKenna’s picture

The v2 is receiving constant improvements by coltrane and, to a lesser degree, greggles, with beta2 released in May. I suspect it shouldn't take too long for the final 2.0 to be released.

Damien McKenna | Mediacurrent

coltrane’s picture

We also ran TFA through a security bug bounty program to test for vulnerabilities in the code. You can read about it at https://groups.drupal.org/node/439868 but the brief is, no one bypassed TFA!

greggles’s picture

Hi Gaele,

There are issues tracking the release status where the remaining issues to be fixed prior to a stable are listed. Perhaps you can help move them forward?

#2241821: Plan for TFA 7.x-2.1 release
#2243871: [meta] Tracking next release

It is always acceptable to report a security issue in a contrib (regarldess of status) to the security team site. However when an issue comes in we will triage it and will not do a security advisory if it doesn't have a stable release. For modules used on drupal.org, we encourage people to report the security issues privately even if the module is not in a stable status. There are many modules that are not stable that are used on drupal.org (and especially on *.drupal.org). It would be great if they were all in a stable state, but...it all takes time :)

CARD.com :)

Claurence006’s picture

When the stable release will be released ? Do you have this information ?

davidstorm’s picture

With all the automatic robots spam on Drupal systems I must say it is a blessing!
Thanks for implementing that.

echris’s picture

Now we are talking!! I've been waiting a long time to see this tool been implemented and hoping to use it for all past and future Drupal sites. Thanks guys for doing this. Drupal Rocks! and so are you.

pal4life’s picture

I like Drupal's eating its own dog food approach and adding these features to Drupal.org, we recently integrated this module on one of our client sites as well. My question is how can we get involved with the development effort for Drupal.org site itself. Thanks.

gorrion007’s picture

I also I added this module on a mine site.

JurriaanRoelofs’s picture

Nice to see there is some progress in authentication technology, I'm surprised I still have to use a password on every site I know


nareshbw’s picture

Nice work in security and authentication area...........