Adding two-factor authentication to Drupal 8 using Google Authenticator

The instructions are based on Drupal 8.2.6. Parts, such as upgrading random_compat, might not be applicable in later versions. I can’t make any guarantees about running these in earlier versions.

Install Christian Riesen’s OTP (One Time Password)

From the drupal site root run:

composer require christian-riesen/otp

Upgrade random compat

Drupal 8.2 installs random_compat 1.x, but we need 2.x. A patch was applied in 8.2.6, but for some reason we still need to force the upgrade.

composer require paragonie/random_compat:~2.0

Install PHP Encryption (defuse/php-encryption)

From the drupal site root run:

composer require defuse/php-encryption

Install Two-Factor module

drush dl tfa
drush en tfa --yes

If the second command freaks out, try running it with sudo.

Install Real AES module

drush dl real_aes
drush en real_aes --yes

Install Google Authenticator login module

drush dl ga_login
drush en ga_login --yes

Create a key

From your browser go to the following Drupal admin URL and click the add button:

/admin/config/system/keys

(If your site is example.com then go to example.com/admin/config/system/keys)

  1. Give the key a memorable name
  2. Set the key type to Encryption
  3. Set the key size to 256
  4. Run the following Linux command to generate a Base64 encoded random string:
    openssl rand -base64 32
  5. Use the value from the previous command for the key’s value.
  6. Check the Base64-encoded checkbox
  7. Press the save button

Create an Encryption Profile

From your browser go to the following Drupal admin URL and click the add button:

/admin/config/system/encryption/profiles

  1. Give the profile a memorable name
  2. Select Authenticated AES (Real AES) from the Encryption Method dropdown
  3. Select your key made in the section above for the Encryption Key
  4. Press Save

Enable TFA site-wide

From your browser go to the following Drupal admin URL and click the add button:

/admin/config/people/tfa

  1. Click the Enable TFA checkbox
  2. Select the Time-based method for validation
  3. Change the OTP QR Code Prefix to be something unique for your site (Very Important!!)
  4. Select the encryption profile that you created in the previous section
  5. This plugin is all-or-nothing, so all users must use TFA. However, if some users don’t want to use this, you can set the value for Skip Validation to a high number such as 999999.
  6. Optionally enable the TFA Trusted Browser setting if you understand the security risks
  7. Click the Save button

Configure your own profile for TFA

Edit your profile, click on Security and then on Set up application under TFA application. Follow the remaining steps which are just normal Google Authenticator setup.