Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
This project is not covered by Drupal’s security advisory policy.
U2F (Universal 2nd-Factor) plugin for TFA (Two-Factor Authentication module) for use with Yubikeys and other U2F devices.
This module allows administrators to enable their users to register U2F devices with their Drupal accounts. After doing so, the user will then be required to verify the registered device before logging in.
Requirements:
- SSL (https) enabled hosting. The U2F api does not work without SSL.
- Two-Factor Authentication
- yubico/u2flib-server library
Installation:
Since this module requires an additional library, it is recommended you install it using Composer. If you do not have a composer-based Drupal installation, you will need to acquire the yubico/u2flib-server library by some other means.
Configuration:
Configure TFA to use this plugin at Configuration » People » Two-Factor Authentication:
- Validation Plugin: TFA Universal 2nd Factor
- (optional) Validation Fallback Plugins: TFA Recovery Code
- Extra Settings:
- Application ID: Your website base URL. Ex:
https://example.org - Challenge Text: Any arbitrary text that will be encoded and used during device registration and verification. This cannot be changed once set.
- Timeout: Amount of time a user has to insert and verify their device.
- Application ID: Your website base URL. Ex:
Configure your Drupal account to use a U2F device at user/{uid}/security/tfa
- Click "Setup new device"
- Provide your account password
- Insert your device and touch the button on it.
- Provide a name for this new device, and submit the form.
Project information
- Project categories: Security
- Created by daggerhart on , updated
This project is not covered by the security advisory policy.
Use at your own risk! It may have publicly disclosed vulnerabilities.
