ExpressionEngine Docs

Multi-Factor Authentication

Multi-factor authentication adds an extra level of protection to the Control Panel by relying on one-time passwords generated by multi-factor authentication applications such as Google Authenticator, Microsoft Authenticator or Authy.

Enabling MFA

Enabling MFA per Member

With ExpressionEngine Pro installed, users with Control Panel access can enable/disable Multi-factor authentication via their profile in the Control Panel.

Requiring MFA For A Role

Multi-Factor Authentication can also be set as required for certain Member Roles.

Members with a primary role where this option is enabled will be required to use MFA to log in via a front-end login form or when accessing the Control Panel (if allowed access).

If the member has not yet set up multi-factor authentication, upon login they will be redirected to a page where they can scan a QR code using their MFA app and then enter the provided one-time password (OTP) to complete the setup.

Setting Up MFA With Front-end Member Forms

Setting up Multi-Factor Authentication on the front-end is handled using a set of system dialogs. These dialogs can be triggered manually using the links provided by the {exp:member:mfa_links} tag.

The dialogs are presented using the Multi-Factor Authentication Template from System Message Templates. You can also use a custom template from the system_messages template group; it should be named mfa_template.

Resetting MFA

If the device that was used to scan the QR code for MFA is not available, multi-factor authentication can be reset using the backup code that was provided together with the QR code.

Disabling MFA

MFA can be disabled after the member has logged in and completed second-factor authentication. As an additional protection measure, the member is asked for their password.