ExpressionEngine Docs

Multi-Factor Authentication

Check out our video tutorial on setting up Multi-Factor Authentication!

Multi-factor authentication adds an extra level of protection to the Control Panel by relying on one-time passwords generated by multi-factor authentication applications like Google Authenticator, Microsoft Authenticator or Authy.

Enabling MFA

Enabling MFA per Member

Users with Control Panel access can enable/disable Multi-factor authentication via their profile in the Control Panel.

MFA CP Setup

Requiring MFA For A Role

Multi-Factor Authentication can also be set as required for certain Member Roles.

MFA CP Toggle

Members with a primary role where this option is enabled will be required to use MFA to log in via a front-end login form or when accessing the Control Panel (if allowed access).

If the member has not yet set up their multi-factor authentication, upon login they will be redirected to a page where they can scan a QR code using their MFA app and then enter the provided one-time password (OTP) to complete the setup.

Setting Up MFA With Front-end Member Forms

Setting up Multi-Factor Authentication on the front-end is handled using a set of system dialogs. These dialogs can be triggered manually using the links provided by the {exp:member:mfa_links} tag.

The dialogs are presented using the Multi-Factor Authentication Template from System Message Templates. You can also use a custom template from the system_messages template group; it should be named mfa_template.

Resetting MFA

If the device that was used to scan the QR code for MFA is not available, it is possible to reset multi-factor authentication using the backup code that was provided together with the QR code.

Disabling MFA

MFA can be disabled after the member has logged in and completed second-factor authentication. As an additional protection measure, the member is asked for their password.

Multi-Factor Authentication Links

{exp:member:mfa_links}

This tag provides links to help people manage their MFA settings.

{exp:member:mfa_links}
  {if mfa_enabled}
    <a href="{disable_mfa_link}">Disable MFA</a>
  {if:else}
    <a href="{enable_mfa_link}">Enable MFA</a>
  {/if}
{/exp:member:mfa_links}

Parameters

return=
return="member"

URL to return to. Defaults to current page.

Variables

{enable_mfa_link}

Invokes the dialog to set up multi-factor authentication, if it’s not enabled for the member.

{disable_mfa_link}

Invokes the dialog to disable multi-factor authentication. Only available if the member is logged in and authenticated with MFA.