Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By mlhess on
Drupal.org users* can now use Two factor authentication to increase the security of their accounts. It can be enabled via Security tab of your user profile page. Read the detailed instructions at Enabling TFA on Drupal.org.
This was made available to Drupal.org admins in May. It is now required for users who have advanced access on Drupal.org. However, every user can benefit from the security that two factor authentication offers.
If you want to make two factor authentication available on your own Drupal site, you can install the TFA module.
* Two factor authentication is available for all users with the 'confirmed user' role. If you don't see 'Security' tab on your profile page, you might be missing the role. Just keep posting content on Drupal.org and it will be granted soon. You can also apply to get the role.
Comments
Security Team support
The TFA module has no stable release yet, so it does not get Drupal Security Team support. Is that right? Or are modules used on drupal.org treated differently?
(Edit: hmm, I see there is an older 7.x-1.0, but that version is no longer supported by the module maintainers.)
In progress?
The v2 is receiving constant improvements by coltrane and, to a lesser degree, greggles, with beta2 released in May. I suspect it shouldn't take too long for the final 2.0 to be released.
--
Damien McKenna | Mediacurrent
TFA bug bounty
We also ran TFA through a security bug bounty program to test for vulnerabilities in the code. You can read about it at https://groups.drupal.org/node/439868 but the brief is, no one bypassed TFA!
Hi Gaele,
Hi Gaele,
There are issues tracking the release status where the remaining issues to be fixed prior to a stable are listed. Perhaps you can help move them forward?
#2241821: Plan for TFA 7.x-2.2 release
#2243871: [meta] Tracking next release
It is always acceptable to report a security issue in a contrib (regarldess of status) to the security team site. However when an issue comes in we will triage it and will not do a security advisory if it doesn't have a stable release. For modules used on drupal.org, we encourage people to report the security issues privately even if the module is not in a stable status. There are many modules that are not stable that are used on drupal.org (and especially on *.drupal.org). It would be great if they were all in a stable state, but...it all takes time :)
--
Morris Animal Foundation
Loooong beta
When the stable release will be released ? Do you have this information ?
Two Factor Authentication is a must nowadays
With all the automatic robots spam on Drupal systems I must say it is a blessing!
Thanks for implementing that.
Drupal Taking Security to another level
Now we are talking!! I've been waiting a long time to see this tool been implemented and hoping to use it for all past and future Drupal sites. Thanks guys for doing this. Drupal Rocks! and so are you.
Like this approach
I like Drupal's eating its own dog food approach and adding these features to Drupal.org, we recently integrated this module on one of our client sites as well. My question is how can we get involved with the development effort for Drupal.org site itself. Thanks.
I too
I also I added this module on a mine site.
Nice to see there is some
Nice to see there is some progress in authentication technology, I'm surprised I still have to use a password on every site I know
-------------------------------
http://www.sooperthemes.com/#-Drupal-Themes
Congratulations
Thank you very much for implementing this new feature that we've been waiting a long time.
Carlos Flavio Barreto Ferreira de Souza
Flexdoc Tecnologia da Informação Ltda
Nice work in security and
Nice work in security and authentication area...........