Secure Your Site with Two-Factor Authentication
Set up two-factor authentication on your Pantheon Drupal or WordPress site as an added security measure.
This section provides information on how to use two-factor authentication (TFA) to keep your sites secure.
TFA is a security practice that requires your website users to provide a secondary form of authentication in addition to their standard username and password.
The two most common methods of secondary authentication are:
SMS messaging
One-time code generated via an application on a user’s mobile phone
More advanced methods are also available, including:
Biometric information
Location through GPS
Hardware tokens
For more information, see Multi Factor Authentication in Drupal Watchdog and Two Step Authentication on WordPress.org.
Benefits of Two-Factor Authentication
Two-factor authentication is a helpful security practice because it prevents attackers from compromising accounts by requiring an extra authentication method beyond a username and password to log in. This is important because standard password access can be easy to bypass if the user:
Has a simple password that's easy to guess
Is observed typing in their password
Has used their password on another site that becomes compromised
By requiring a second form of authentication (especially one tied to a physical device like a mobile phone or a USB key), would-be attackers not only have to compromise a user’s password, but also their mobile phone or physical USB key, which makes the attack more difficult.
Single Site TFA
There are many different WordPress plugins for two-factor authentication that can provide TFA capabilities for a single site. A popular plugin is Duo Two-Factor Authentication, which makes it easy to set up two-factor authentication on your WordPress site.
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate WordPress in the applications list.
Click Protect this Application to get your integration key, secret key, and API hostname.
Install and activate the Duo Two-Factor Authentication plugin on your WordPress site. You can do this through the WordPress admin panel, or with Terminus:
terminus remote:wp $SITENAME.dev -- plugin install duo-wordpress --activate
Open the settings page for the Duo plugin, then configure Duo with your integration key, secret key, and API hostname from the Duo WordPress application you created earlier at duo.com:
Click Save Changes. The page will be automatically redirected to the Duo setup wizard.
Follow the on-screen instructions to configure an authentication device to your site and test it. Your browser will be redirected back to the plugin settings page after the configuration is complete.
Duo configuration settings and keys are stored in the database. To avoid setting up new keys for each environment you can:
Synchronize and import your database
Use a tool like WP-CFM
Keep the new application page from the Duo Admin panel open, and reenter the values for each environment
There are a few different Drupal modules, including the Two-Factor Authentication module, that provide the foundation necessary to use two-factor authentication on a single Drupal site.
In addition to the foundation module, you also will need to use a specific TFA module plugin to implement your preferred TFA method. Several of the common TFA methods such as SMS or Time-Based One Time Password are available in the TFA Basic plugins module. There are also developer instructions to write your own TFA plugin.
Install and enable the Two-factor Authentication (TFA) module and the TFA Basic plugins module on your Drupal site.
Download and set up a Time-based One-time Password Algorithm (TOTP) app such as Authy for either iOS, Android, or desktop use.
Configure the TFA module (admin/config/people/tfa) to Enable TFA:
Set TOTP as the default validation plugin.
Add Recovery Codes as a fallback plugin.
Allow Trusted Browsers for your domain.
Go to the Security settings on each user profile you want to use TFA, then click Enable TFA.
Enter your current password to view the TFA Setup - Application page.
Use the app on your mobile phone to scan the QR code to install a new TFA account on your mobile phone.
Enter the six-digit TFA code on your mobile app for your specific site to complete the setup. You will then be prompted to confirm a trusted browser (which is optional and will skip TFA on that browser in the future), and to write down TFA recovery codes (best practice).
Log in to your Drupal site by using the TOTP mobile app to generate a six-digit code.
Organization TFA
There are many different organization-wide WordPress plugins for single sign on that can provide TFA capabilities. One of the service options we use internally at Pantheon is OneLogin, which has the OneLogin SAML SSO plugin.
OneLogin Instructions
Sign up and create a OneLogin account for your organization.
Install the WordPress SAML 2.0 app connector as part of the OneLogin dashboard (you need administrator privileges to install apps). This must be done for each WordPress site that is being managed by OneLogin.
Edit the OneLogin WordPress app connector to provide the appropriate default values for the Configuration section. Other sections should already be set up correctly.
(Optional) Configure the Authentication Factors found under Settings for a list of authentication factors you can enable for your different users.
Create user accounts in the Users Administration area of OneLogin.
Click New User and verify that the “Username” and "Email" fields in OneLogin match their WordPress username and email.
WordPress Instructions
Install and activate the OneLogin SAML SSO plugin on your WordPress site.
Configure the Identity Provider Settings section in the SSO/SAML Settings within the WordPress Admin to provide the appropriate values, which are available in the SSO section of the OneLogin Configuration page.
Configure the Options section (optional) under the SSO/SAML Settings:
Select the Create user if not exists checkbox if you want users to be auto-created.
Select the Keep Local login checkbox if you still want to use the normal WP login form; otherwise you will always be using OneLogin to authenticate.
Populate the Attribute Mapping fields below in the SSO/SAML Settings of the WordPress Admin. Values are case-sensitive.
- Username
- First Name
- Last Name
- Role
Configure the Customize Actions and Links in the SSO/SAML Settings of the WordPress Admin to Prevent use of ?normal. This requires OneLogin as the authentication solution.
Use the OneLogin dashboard to log in to your WordPress site.
Note: You can also refer to OneLogin's documentation, Configure SAML for WordPress, for further troubleshooting. You will need a OneLogin admin account to access their knowledge base.
There are many different organization-wide Drupal modules for single sign-on that can also provide TFA capabilities. One of the service options we use internally at Pantheon is OneLogin, which has the OneLogin module.
OneLogin Instructions
Sign up and create a OneLogin account for your organization.
Install the Drupal SAML 2.0 app connector as part of the OneLogin dashboard. This will need to be done for each Drupal site that is being managed by OneLogin.
Edit the OneLogin Drupal app connector to provide the appropriate default values for the Configuration section. Other sections should already be set up correctly.
(Optional) Configure the Authentication Factors found under Settings for a list of authentication factors you can enable for your different users.
Create user accounts in the Users Administration area in OneLogin.
Click New User and verify that the “Username” and "Email" fields in OneLogin match their Drupal username and email.
Drupal Instructions
Install and enable the GitHub version of the OneLogin SAML module on your Drupal site. This module is eventually intended to live on Drupal.org as the 2.x branch of the OneLogin project.
Set the $_SERVER['SERVER_PORT'] value in settings.php according to these instructions. This change is necessary to have SAML use the appropriate ports.
Populate the OneLogin SAML module (admin/config/onelogin_saml) fields below. Values are case-sensitive.
- IdP Entity Id
- Single Sign-on Service URL
- Single Log Out Service URL
- X.509 Certificate
- Username
- Role
Use the OneLogin dashboard to log in to your Drupal site.
Pantheon Platform TFA
Log in with Google
The Pantheon Dashboard offers social login with Google, which can be configured to use Google TFA.
We recommend adding an SSH Key to authenticate yourself on Pantheon for operations such as SFTP connections, which allows for more security than a simple password. If you've registered via social login (Connect with Google) and you'd still like to add a password to your account, log out and visit https://dashboard.pantheon.io/reset-password.
Single Sign-on for Orgs
Single sign-on (SSO) allows users to authenticate against your Identity Provider (IdP) when logging into the Pantheon Dashboard. For more information, see Single Sign-on for Pantheon Organizations.