Second-factor authentication for Drupal sites. Drupal provides authentication via something you know -- a username and password while TFA module adds a second step of authentication with a check for something you have -- such as a code sent to (or generated by) your mobile phone.

TFA is a base module for providing two-factor authentication for your Drupal site. As a base module, TFA handles the work of integrating with Drupal, providing flexible and well tested interfaces to enable your choice of various two-factor authentication solutions like Time-based One Time Passwords (TOTP), SMS-delivered codes, pre-generated codes, or integrations with third-party services like Authy, Duo and others.

Read the TFA module documentation or read more about the theory of two-factor authentication in my Drupal Watchdog article.


  • Pluggable - Supports multiple methods of 2nd factor verification and can work with any number of 3rd party systems
  • Configurable - Supports fallback methods and context-specific exceptions
  • Flood control and even secures one-time logins
  • Tested - Over 100 tests

TFA module is recommended as a full suite solution to 2nd factor authentication and Drupal.

See the TFA basic plugins for a TOTP plugin that works with FreeOTP, Google Authenticator, Authy, and any other app that works with TOTP tokens.


This module stores some sensitive data which it encrypts using the php mcrypt library. You will need to have the mcrypt extension installed to use the module.

Supporting organizations: 
2.x development
ongoing development

Project information