Setting up Google Authenticator for Joomla

The recent threat of a laptop travel ban pushed me to bite the bullet and set up two factor authentication on all of the web sites that I manage. Since traveling with a laptop may be problematic in the near future, I may have to log in to various sites from public terminals in order to do various administrative tasks. This is just asking to have both the user ID and password compromised.  Fortunately Joomla has had two factor authentication built in for about two years. I tried to set it up once before, but had some problems and abandoned the effort. It turns out that there were two very simple problems that stopped me. I will not repeat the whole process as it is well documented on the Joomla website, but I will add two key steps that you should do first.

Preparing to Set up Two Factor Authentication for Joomla

Before you start the standard instructions, you should do three things:

    • Make sure that your web server's clock is synchronized with an NTP time server (the same reference time that cellphones use).
    • Make sure that your cell phone (or whatever device you are using for Google Authenticator) is synchronized with NTP time servers.
    • If you have Akeeba Admin Tools installed, make sure that Components->Admin Tools->WAF->Configure WAF->Joomla Feature Hardening->Disable editing backend users' properties is set to “No.” This is only necessary when you are setting up two factor authentication for backend users. If you do not do this, you will get a 403 Access Forbidden error when you try to set up two factor authentication for backend users.

If the server time and device time are not synchronized, the six-digit code that Google Authenticator provides will never match what Joomla expects. On Android devices there is a button that will allow you to synchronize the time in the Google Authenticator app, but the iPhone app does not have this feature. You may want to put JavaScript on your website (as shown below) to show the two times to help you diagnose this type of problem.
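To make the synchronization point concrete, here is an added example (not code from the original post or from Joomla) that computes RFC 6238 TOTP codes the way Google Authenticator does (HMAC-SHA1, 30-second step, six digits) and reports which device clock skews still produce a code the server accepts. The test secret and the one-step tolerance window are assumptions for the demonstration, not Joomla's settings.

```python
# Added example, not from the original post or from Joomla. Implements
# RFC 6238 TOTP as Google Authenticator computes it (HMAC-SHA1, 30-second
# step, 6 digits) to show how server/device clock skew breaks the code.
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# Constructed test secret: base32 of the ASCII string "12345678901234567890",
# the key used by the RFC 6238 reference vectors.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Return the TOTP code for a base32 secret at a given Unix time."""
    # Google Authenticator shows secrets in lower case with spaces; normalise.
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    counter = int(unix_time) // step            # number of 30 s steps since epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, window=1):
    """Accept a code if it matches the server's current step or any step within
    +/- window steps. window=1 is an assumption for illustration; Joomla's
    actual tolerance is not stated on the page."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, server_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def skew_report(secret_b32, server_time, skews=(-90, -45, -20, 0, 20, 45, 90)):
    """For each device clock skew in seconds, report whether the code the
    phone would display is accepted by a server whose clock reads server_time."""
    return {skew: verify(secret_b32, totp(secret_b32, server_time + skew), server_time)
            for skew in skews}


if __name__ == "__main__":
    for skew, ok in skew_report(SECRET, 1111111111).items():
        print("device clock %+4d s: %s" % (skew, "accepted" if ok else "REJECTED"))
```

With a one-step window, a phone that is a minute or more off the server's clock never produces an accepted code, which is exactly the symptom described above.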

Setting up Two Factor Authentication for Joomla

The Joomla website has a great article, Two Factor Authentication, that describes how to enable two factor authentication; I won't repeat the instructions here.

When you are finished with the set up for your backend users, remember to turn the Akeeba Admin Tools feature hardening back on.

Make sure to copy the ten one-time keys to a safe place in case your phone is lost or stolen.

Add JavaScript to Show Both Server and Browser Time

To help diagnose time synchronization problems, you can add the following JavaScript to a custom HTML module:

<!-- From http://www.webdeveloper.com/forum/showthread.php?228309-Getting-server-date-time-with-no-server-side-script -->

Server Time is
<script type="text/javascript">
// Read the server's clock from the Date header of a HEAD request for the
// current page, so no server-side script is needed. The Date header has
// whole-second resolution and includes network delay, which is fine for
// spotting the skew of a minute or more that breaks authenticator codes.
function srvTime() {
  var xmlHttp;
  try { xmlHttp = new XMLHttpRequest(); }
  catch (err1) {
    // Fallbacks for old Internet Explorer versions
    try { xmlHttp = new ActiveXObject('Msxml2.XMLHTTP'); }
    catch (err2) {
      try { xmlHttp = new ActiveXObject('Microsoft.XMLHTTP'); }
      catch (err3) { alert("AJAX not supported"); return null; }
    }
  }
  // Synchronous request (third argument false) so the result can be
  // written inline with document.write.
  xmlHttp.open('HEAD', window.location.href.toString(), false);
  xmlHttp.send('');
  return xmlHttp.getResponseHeader("Date");
}
var st = srvTime();
document.write(st ? new Date(st) : "unavailable");
</script>

Browser time is <script type="text/javascript">var today = new Date(); document.write(today);</script>

When you or your users are having log-in problems, having an easy way to rule out server-to-device synchronization problems can simplify diagnosis tremendously.