Protect your social intranet better | Two-factor authentication in your Drupal system

Mar 31, 2016

Joris Snoek
Digital Consultant
+31 (0)20 - 261 14 99

You have probably heard of this before: ‘two-factor authentication’. If you are a frequent user of Facebook, Twitter or LinkedIn you have most likely seen it; you have certainly been asked to provide your telephone number.

At first I was reluctant, because then ‘they’ know everything about you. But over time social media accounts have become very important, and you don’t want a stranger to be able to break into your account and steal your identity on Facebook, Twitter or LinkedIn.

Hence, I have now entered my phone number on these three social networks. If I want to change my password, I now have to confirm this through a verification code sent to my telephone number. A person with malicious intent usually does not know your number, so the chances of your account being hacked – by guessing and then changing your password – are minimized.

Two-factor authentication, for example at Facebook

This kind of extra security is called ‘two-step authentication’ or ‘two-factor authentication’. To take Facebook as an example: when logging in, the standard verification consists of a username and password, something you ‘know’. The second step is authentication with something you ‘have’, such as a smartphone, a fingerprint scanner or a bank card reader.

This should not only be used for changing passwords; it can also serve as additional security when logging in to your social intranet:

  1. Enter your username and password
  2. The social intranet sends an SMS with a verification code to your phone
  3. Enter the verification code in the social intranet
  4. You are logged in

Drupal social intranet?

Are you using a social intranet built on Drupal? Then there is a module available for this: Two-factor Authentication (TFA). This module provides the basis for two-factor authentication in Drupal:

  • Choice of method, such as time-based one-time passwords.
  • SMS verification codes.
  • Pre-generated codes.
  • Integration with external services, such as Authy or Duo.

Other features of the module:

  • Pluggable: supports multiple ways of two-factor verification and can work simultaneously with multiple external services
  • Adjustable: supports fallback methods and context-dependent exceptions
  • Supports ‘flood control’ against brute-force attacks
  • Well-tested module
  • Sensitive data for this authentication is stored encrypted using the PHP extension mcrypt.

Example: install two-factor authentication in the Drupal social intranet OpenLucius

To start, install the following modules in OpenLucius:

  1. Two-factor Authentication (TFA): the basic module, containing only an API
  2. TFA Basic plugins: basic TFA plugins containing the following components:
     • SMS: sends a verification SMS via the external service Twilio.
     • TOTP: a “Time-based one-time password” plugin, using the PHPGangsta\GoogleAuthenticator PHP library.
     • Trusted device: a plugin that marks a logged-in browser as ‘trusted’, so the next time two-step login is not required, but only one step: entering your username and password.

1. Configure the two-factor authentication

In this example I use TOTP, because it is free. As mentioned earlier you can also build in SMS verification, but then you will have to purchase an external paid service.
Once you have installed the modules, go to /admin/config/people/tfa:

  1. Enable two-factor authentication
  2. I select TOTP as the default: a solution that does not require integration with external paid services.
  3. Set ‘recovery codes’ as the fallback.
  4. Activate ‘Trusted Browsers’: after logging in once via a certain browser with two-factor authentication, you can then log in through that browser in one step: username and password.
  5. Users with these roles are required to activate two-factor authentication; I have activated all the roles.

2. Activate two-factor authentication for a user

Install Google Authenticator on your Smartphone

To use TOTP you can use the free app from Google: Google Authenticator. Download and install it on your smartphone.

3. Configure a new user:

  • Add a user.
  • Navigate to that user, click the tab ‘Security’, then click ‘Set up application’. The following screen appears:

  • Go to your Google Authenticator app and select ‘scan barcode’:

  • Scan the barcode with your smartphone camera to receive a verification code, and enter it.
  • At the next screen ‘recovery codes’ select for now ‘skip’.
  • You have now set your two-factor authentication:

4. Logging in with two-factor authentication

Once I log in with the newly set up account, an additional verification code is requested, which I can read from my smartphone:

Enter it and that’s it! Now you have established two-factor verification:

  1. Enter something you ‘know’: username and password
  2. Enter something you ‘have’: a code from your smartphone

The result is an additional layer of security for your social intranet.
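To make the second step concrete, here is an added example (written for this article, not code from the TFA module or the PHPGangsta library) of what the server does when it checks the code from your smartphone: it recomputes the RFC 6238 time-based one-time password from the shared secret, allows one 30-second step of clock drift, and keeps a per-account failure counter in the spirit of the module's ‘flood control’, because a six-digit code has only a million possible values. The secret below is the RFC 6238 test key, constructed for the demo.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP, as shown by Google Authenticator: HOTP with counter = time // step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or `window` steps on either side (phone clock
    drift). Every candidate is compared with compare_digest and there is no early return,
    so the timing does not reveal which candidate, if any, matched."""
    counter = unix_time // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), code)
    return ok


class FloodControl:
    """Per-account counter of wrong codes; after max_failures the account is locked."""

    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures
        self.failures: dict = {}  # account name -> consecutive failed attempts

    def check_code(self, account: str, secret: bytes, code: str, unix_time: int) -> bool:
        if self.failures.get(account, 0) >= self.max_failures:
            return False  # locked out: even a correct code is refused until reset
        if verify_totp(secret, code, unix_time):
            self.failures[account] = 0
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        return False
```

With the RFC 6238 test key `b"12345678901234567890"` and Unix time 59, `totp(..., digits=8)` yields the published vector 94287082; a real deployment would also expire the lockout after a time window rather than only on reset.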
