Two-factor Authentication with the TFA module (tfa version 7.x-2.x)

Last updated on 25 March 2021

Drupal 7 will no longer be supported after January 5, 2025. Learn more and find resources for Drupal 7 sites

Requirement

The PHP Mcrypt extension must be installed on the web server, because the TFA module stores some sensitive data, which it encrypts using the PHP Mcrypt library.

Installation and use

The TFA module can be installed like other Drupal modules: place the module directory in the Drupal file system (for example, under sites/all/modules) and enable it on the Drupal modules page. The TFA module does not come with any plugins of its own, so refer to the project page for contributed plugins or read the section on Plugin development.

Configuration

TFA can be configured on your Drupal site at Administration - Configuration - People - Two-factor Authentication. Available plugins will be listed along with their type and configured use, if set. You can allow roles to set this configuration by way of the 'Administer TFA' permission.

Default validation plugin

The plugin that will be used by default during user authentication. The plugin must be enabled for use by the authenticating account.

Fallback plugins

With multiple validation plugins installed, TFA can use them as fallback options for a user going through the TFA process. For example, a user has set up SMS code delivery and TOTP via the Google Authenticator app on their mobile device. If this user has deleted the Authenticator app (or switched devices), they could still use SMS code delivery to authenticate to the site.

Interaction

TFA interaction with other modules

  • HybridAuth Social Login
    This module works correctly with HybridAuth Social Plugin, which allows you to use external account information from Google, LinkedIn, Yahoo, etc. to log in and then apply TFA.
  • Secure Pages
    If you are using Secure Pages, be sure to add the URL pattern "system/*" to the list of secure pages at "admin/config/system/securepages". If you do not, you will receive a "403 Permission Denied" message when you try to log in with TFA, after passing the first stage of authentication using your Drupal username and password.
  • TFA Rules
    If you want to set up conditional Rules logic around TFA, including redirecting users on login to the TFA setup page if they do not have TFA enabled, the TFA Rules module provides both a custom condition and a default rule to guide users to set up TFA.
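
To check a Secure Pages list for the "system/*" entry described above before testing a login, the following added example (not part of the TFA or Secure Pages code) re-implements one-pattern-per-line wildcard matching in plain PHP. It assumes Secure Pages evaluates its list the way Drupal 7 path lists usually work; the function names, both page lists and the "system/example-tfa-step" path are constructed for illustration.

```php
<?php
// Added example: wildcard matching in the style of Drupal 7 path lists
// (one pattern per line, "*" matches any run of characters).
// Assumption: Secure Pages evaluates its "pages" setting this way.

/**
 * Returns TRUE if $path matches any pattern in the newline-separated list.
 */
function path_list_matches($path, $pages) {
  foreach (preg_split('/\r\n?|\n/', $pages) as $pattern) {
    $pattern = trim($pattern);
    if ($pattern === '') {
      continue;
    }
    // Quote regex metacharacters, then turn the escaped "*" back into ".*".
    $regex = '#^' . str_replace('\*', '.*', preg_quote($pattern, '#')) . '$#';
    if (preg_match($regex, $path) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

/**
 * Returns the paths from $required that the page list does not cover.
 */
function uncovered_paths(array $required, $pages) {
  return array_values(array_filter($required, function ($path) use ($pages) {
    return !path_list_matches($path, $pages);
  }));
}

// Constructed Secure Pages lists: one without "system/*", one with it.
// Note that a bare "system" entry does not cover paths below it.
$before = "user\nuser/*\nadmin\nadmin/*\nsystem";
$after = $before . "\nsystem/*";

// Constructed sample paths. "system/example-tfa-step" is a placeholder for
// whatever path under system/ the second authentication stage is served on.
$login_flow = array('user', 'user/login', 'system/example-tfa-step');

foreach (array('before' => $before, 'after' => $after) as $label => $pages) {
  $missing = uncovered_paths($login_flow, $pages);
  echo $label . ': '
    . ($missing ? 'not covered: ' . implode(', ', $missing) : 'all login-flow paths covered')
    . "\n";
}
```

Paste the list from "admin/config/system/securepages" in place of the constructed one to see which login-flow paths it leaves uncovered.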

Supported authenticators

  • Google Authenticator (Android, iPhone, BlackBerry)
  • Authy (Android, iPhone)
  • Microsoft Authenticator (Android, iPhone, Windows Phone)
  • FreeOTP+ (Android) (1)
  • FreeOTP (Android, iPhone) (1)
  • GAuth Authenticator (Firefox OS, desktop, others)
  • Authenticator (Android) (2)
  • Authenticator (iPhone) (2)

Legend

  • (1) The main difference between FreeOTP+ and FreeOTP is that with FreeOTP+ you are able to export and import your configuration. FreeOTP+ is a fork of FreeOTP. Both FreeOTP+ and FreeOTP are open source.
  • (2) Please note that the apps are different despite the names.
