Two-factor Authentication (TFA)

Two-factor authentication for Drupal sites. Drupal provides authentication via something you know -- a username and password while TFA module adds a second step of authentication with a check for something you have -- such as a code sent to (or generated by) your mobile phone.

TFA is a base module for providing two-factor authentication for your Drupal site. As a base module, TFA handles the work of integrating with Drupal, providing flexible and well tested interfaces to enable your choice of various two-factor authentication solutions like Time-based One-Time Passwords (TOTP), SMS-delivered codes, pre-generated codes, or integrations with third-party services like Authy, Duo and others.

Read the TFA module documentation or read more about the theory of two-factor authentication in my Drupal Watchdog article.

This module is useful for achieving compliance with PCI DSS requirement 8.3.1:

Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

Features

• Pluggable - Supports multiple methods of two-factor authentication and can work with any number of 3rd party systems
• Configurable - Supports fallback methods and context-specific exceptions
• Flood control protection for secures one-time logins
• Role-based availability and requirement of second factor authentication

TFA module is recommended as a full suite solution for two-factor authentication and Drupal. The following TOTP plugins work with FreeOTP, Google Authenticator, Authy, and any other app that works with TOTP tokens.

Drupal 8 recommended TOTP plugin

The module supports plugins from other modules, but provides its own plugins for:

• TOTP - Time-based One-Time Passwords - normally used by various Authenticator apps from Google, Microsoft, Authy, etc.
• HOTP - HMAC-based One-Time Passwords - supported by most of the same apps, but not as popular

Requirements

This module stores some sensitive data which it encrypts using the PHP OpenSSL extension. You will need to have the OpenSSL extension installed to use the module. Legacy installs of the module can take advantage of the Mcrypt extension.

Release Series

Drupal 7

All release series for Drupal 7 are fully unsupported. There will be no future releases, sites should upgrade to Drupal 8 as soon as possible.

Upgrading to a Drupal 8 Release:
Site owners may wish to consider the TFA Migration module.

8.x-1.x

Compatible with Drupal 8.8.0+. Known limitations that 3rd party contrib modules may bypass protection. See Contrib modules can lead to TFA being bypassed

2.x

Not for install production or per-production sites. Install only in development labs to assist in developing the next major release of TFA. Subject to significant design changes without BC.

Warning: Releases of 2.0.0-* have known security vulnerabilities and should not be installed on production sites. See the Roadmap for 2.0.0 release for current status of security vulnerabilities and other important issues.

TFA, Testing, and Development

It can be hard to test user authentication in automated tests with the TFA
module enabled. Development environments also will likely struggle to login
unless they disable TFA or reset the secrets for an account. One solution is
to disable the module in the development and testing environment. To quickly
disable the module you can run these drush commands to set some config:

• Disable TFA with drush config-set tfa.settings enabled 0
• Enable TFA with drush config-set tfa.settings enabled 1