Secure Your Site with Two-Factor Authentication
Set up two-factor authentication on your Pantheon Drupal or WordPress site as an added security measure.
Contributors: Matt Cheney
Two-factor authentication (TFA) is a security practice that requires users of your website to provide, along with their standard username and password, an additional form of authentication to log in. The two most common methods involve authentication through an SMS message, or a one-time code generated via an application on a user’s mobile phone. More advanced methods such as using a biometric information, location through GPS, or a hardware token are also possible. For more information, see Multi Factor Authentication in Drupal Watchdog and Two Step Authentication on WordPress.org.
Benefits of Two-Factor Authentication
Two-factor authentication is a helpful security practice because it prevents attackers from compromising accounts by requiring an extra authentication method beyond only using a password to log in. This is important because standard password access can be easy to bypass if the user has a simple password that's easy to guess, is observed typing in their password, or has used their password on another site that becomes compromised. By requiring a second form of authentication (especially one tied to a physical device like a mobile phone or a USB key), would-be attackers not only have to compromise a user’s password, but also their mobile phone or physical USB key, which makes the attack much more difficult.
Single Site TFA
For a single site, there are many different WordPress plugins for two-factor authentication that can provide TFA capabilities to your site. A popular plugin is Duo Two-Factor Authentication, which makes it easy to set up two-factor authentication on your WordPress site.
- Sign up for a Duo account.
- Log in to the Duo Admin Panel and navigate to Applications.
- Click Protect an Application and locate WordPress in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname.
Install and activate the Duo Two-Factor Authentication plugin on your WordPress site. You can do this through the WordPress admin panel, or with Terminus:
terminus remote:wp $SITENAME.dev -- plugin install duo-wordpress --activate
Open the settings page for the Duo plugin. Configure Duo with your integration key, secret key, and API hostname from the Duo WordPress application you created earlier at duo.com: Click Save Changes.
- The page will be automatically redirected to the Duo setup wizard. Follow the on-screen instructions to configure an authentication device to your site and test it. Once complete, your browser will be redirected back to the plugin settings page.
Duo configuration settings and keys are stored in the database. To avoid setting up new keys for each environment you can:
- synchronize and import your database
- use a tool like WP-CFM
- keep the new application page from the Duo Admin panel open, and reenter the values for each environment.
For a single site, there are a few different Drupal modules including the Two-Factor Authentication module that provide the foundation necessary to use two-factor authentication on a Drupal site. In addition to the foundation module, you also will need to use a specific TFA module plugin to implement your preferred TFA method. Several of the common TFA methods such as SMS or Time-Based One Time Password are available in the TFA Basic plugins module. There are also developer instructions to write your own TFA plugin.
- Install and enable the Two-factor Authentication (TFA) module and the TFA Basic plugins module on your Drupal site.
- Download and set up a Time-based One-time Password Algorithm (TOTP) app such as Authy for either iOS or Android.
- Configure the TFA module
admin/config/people/tfato Enable TFA; set TOTP as the default validation plugin; add Recovery Codes as a fallback plugin; and allow Trusted Browsers for your domain.
- Go to the Security settings on each user profile you want to use TFA, and click Enable TFA.
- Enter your current password, and view the TFA Setup - Application page.
- Use the app on your mobile phone to scan the QR code to install a new TFA account on your mobile phone.
- Enter the six digit TFA code on your mobile app for your specific site to complete the setup. You will then be prompted to confirm a trusted browser (which is optional and will skip TFA on that browser in the future), and to write down TFA recovery codes (best practice).
- Log in to your Drupal site by using the TOTP mobile app to generate a six digit code.
For an organization-wide solution, there are many different WordPress plugins for single sign on that can provide TFA capabilities. One of the service options we use internally at Pantheon is OneLogin, which has the OneLogin SAML SSO plugin.
Sign up and create a OneLogin account for your organization.
Install the WordPress SAML 2.0 app connector as part of the OneLogin dashboard (You need administrator priviledges to install apps). This needs to be done for each WordPress site that is being managed by OneLogin.
Edit the OneLogin WordPress app connector to provide the appropriate default values for the Configuration section. Other sections should already be set up correctly.
(Optional) Configure the Authentication Factors found under Settings for a list of authentication factors you can enable for your different users.
Create user accounts in the Users Administration area of OneLogin, and click New User. Make sure that the “Username” and "Email" fields in OneLogin match their WordPress username and email.
Install and activate the OneLogin SAML SSO plugin on your WordPress site.
Configure the Identity Provider Settings section in the SSO/SAML Settings within the WordPress Admin to provide the appropriate values, which are available in the SSO section of the OneLogin Configuration page.
Configure the Options section(optional) under the SSO/SAML Settings:
- Check Create user if not exists if you want users to be auto-created
- Check Keep Local login if you still want to use the normal WP login form, otherwise you will always be using OneLogin to authenticate.
Configure the Attribute Mapping in the SSO/SAML Settings of the WordPress Admin with the values shown below. Values are case-sensitive.
Configure the Customize Actions and Links in the SSO/SAML Settings of the WordPress Admin to Prevent use of ?normal. This requires OneLogin as the authentication solution.
Now use the OneLogin dashboard to log in to your WordPress site!
You can also refer to OneLogin's documentation, Configure SAML for WordPress, for further troubleshooting. You will need a OneLogin admin account to access their knowledge base.
For an organization-wide solution, there are many different Drupal modules for single sign on that can also provide TFA capabilities. One of the service options we use internally at Pantheon is OneLogin, which has the OneLogin module.
- Sign up and create a OneLogin account for your organization.
- Install the Drupal SAML 2.0 app connector as part of the OneLogin dashboard. This will need to be done for each Drupal site that is being managed by OneLogin.
- Edit the OneLogin Drupal app connector to provide the appropriate default values for the Configuration section. Other sections should already be set up correctly.
- (Optional) Configure the Authentication Factors found under Settings for a list of authentication factors you can enable for your different users.
- Create user accounts in the Users Administration area in OneLogin, and click New User. Make sure that the “Username” and "Email" fields in OneLogin match their Drupal username and email.
- Install and enable the GitHub version of the OneLogin SAML module on your Drupal site. This module is eventually intended to live on Drupal.org as the 2.x branch of the OneLogin project.
- Set the
settings.phpaccording to these instructions. This change is necessary to have SAML use the appropriate ports.
- Configure the OneLogin SAML module
admin/config/onelogin_samlwith what is shown in the screenshot; values are case-sensitive.
- Now use the OneLogin dashboard to log in to your Drupal site!
Pantheon Platform TFA
Log in with Google
The Pantheon Dashboard offers social login with Google, which can be configured to use Google TFA:
We recommend adding an SSH Key to authenticate yourself on Pantheon for operations such as SFTP connections, which allows more security than a simple password. If you've registered via social login (Connect with Google) and you'd still like to add a password to your account, logout and visit https://dashboard.pantheon.io/reset-password
Single Sign-On for Orgs
Single sign-on (SSO) allows users to authenticate against your Identity Provider (IdP) when logging into the Pantheon Dashboard. For more information, see Single Sign-On for Pantheon Organizations.