Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Two-factor authentication for Drupal sites. Drupal provides authentication via something you know -- a username and password while TFA module adds a second step of authentication with a check for something you have -- such as a code sent to (or generated by) your mobile phone.
TFA is a base module for providing two-factor authentication for your Drupal site. As a base module, TFA handles the work of integrating with Drupal, providing flexible and well tested interfaces to enable your choice of various two-factor authentication solutions like Time-based One-Time Passwords (TOTP), SMS-delivered codes, pre-generated codes, or integrations with third-party services like Authy, Duo and others.
Read the TFA module documentation or read more about the theory of two-factor authentication in my Drupal Watchdog article.
This module is useful for achieving compliance with PCI DSS requirement 8.3.1:
Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
Features
- Pluggable - Supports multiple methods of two-factor authentication and can work with any number of 3rd party systems
- Configurable - Supports fallback methods and context-specific exceptions
- Flood control and even secures one-time logins
- (Drupal 8+ only) REST services integration via services_tfa sub-module
- Role-based availability and requirement of second factor authentication
TFA module is recommended as a full suite solution for two-factor authentication and Drupal. The following TOTP plugins work with FreeOTP, Google Authenticator, Authy, and any other app that works with TOTP tokens.
Drupal 8 recommended TOTP plugin
The module supports plugins from other modules, but provides its own plugins for:
- TOTP - Time-based One-Time Passwords - normally used by various Authenticator apps from Google, Microsoft, Authy, etc.
- HOTP - HMAC-based One-Time Passwords - supported by most of the same apps, but not as popular
Drupal 7 recommended TOTP plugin
See the 7.x-1.x versions of the TFA basic plugins.
Requirements
This module stores some sensitive data which it encrypts using the PHP OpenSSL extension. You will need to have the OpenSSL extension installed to use the module. Legacy installs of the module can take advantage of the Mcrypt extension.
TFA, Testing, and Development
It can be hard to test user authentication in automated tests with the TFA
module enabled. Development environments also will likely struggle to login
unless they disable TFA or reset the secrets for an account. One solution is
to disable the module in the development and testing environment. To quickly
disable the module you can run these drush commands to set some config:
- Disable TFA with
drush config-set tfa.settings enabled 0 - Enable TFA with
drush config-set tfa.settings enabled 1
Supporting organizations:
Project information
- Module categories: Access Control, Security
9,761 sites report using this module- Created by coltrane on , updated
Stable releases for this project are covered by the security advisory policy.
Look for the shield icon below.
Releases
2.0.0-alpha2
released 30 November 2022
Works with Drupal: ^9.1 || ^10
Insecure, vulnerable to SA-CONTRIB-2023-030
Install:
Development version: 2.x-dev updated 12 Apr 2024 at 04:34 UTC
8.x-1.7
released 18 April 2024
released 18 April 2024
Works with Drupal: ^8 || ^9 || ^10
✓ Recommended by the project’s maintainer.
Install:
Development version: 8.x-1.x-dev updated 12 Apr 2024 at 05:00 UTC
7.x-2.3
released 26 November 2022
released 26 November 2022
Works with Drupal: 7.x
Development version: 7.x-2.x-dev updated 28 Mar 2024 at 22:26 UTC
