Multi-Factor Authentication
Multi-factor authentication (MFA) adds an extra level of protection to the Control Panel by requiring a one-time password generated by a multi-factor authentication application such as Google Authenticator, Microsoft Authenticator or Authy.
Enabling MFA
Enabling MFA per Member
With ExpressionEngine Pro installed, users with Control Panel access can enable or disable multi-factor authentication via their profile in the Control Panel.
Requiring MFA For A Role
Multi-factor authentication can also be set as required for certain Member Roles.
Members with a primary role where this option is enabled will be required to use MFA to log in via a front-end login form or when accessing the Control Panel (if allowed access).
If the member has not yet set up multi-factor authentication, upon login they will be redirected to a page where they can scan a QR code using their MFA app and then enter the provided one-time password (OTP) to complete the setup.
Setting Up MFA With Front-end Member Forms
Setting up multi-factor authentication on the front-end is handled using a set of system dialogs. These dialogs can be triggered manually using the links provided by the {exp:member:mfa_links} tag.
The dialogs are presented using the Multi-Factor Authentication Template from System Message Templates. You can also use a custom template from the system_messages template group; it should be named mfa_template.
Resetting MFA
If the device that was used to scan the QR code for MFA is not available, multi-factor authentication can be reset using the backup code that was provided together with the QR code.
Disabling MFA
MFA can be disabled after the member has logged in and completed second-factor authentication. As an additional protection measure, the member is asked for their password.