SMS Two-Factor Authentication for TYPO3

TYPO3 introduced Multi-Factor Authentication (MFA) with TYPO3 version 11.1. This is a great step to prevent TYPO3 users from being hacked! This post shows how to activate SMS as a second authentication factor (2FA).

Wait! Why SMS?

As you probably already know, SMS is not a good solution for two-factor authentication. SMS messages can be intercepted and read by hackers. Therefore, other MFA methods are preferable.

If possible, you should use a hardware authentication device (e.g. YubiKey) or an authentication app like “Microsoft Authenticator” or “Google Authenticator” on your smartphone and set up the “Time-based one-time password” in TYPO3.

But…

But in general: It is better to have a weak second factor (SMS) than just one factor! So rather than using no second factor at all, you are better off using SMS as MFA.

Setup SMS as MFA

Install SMS MFA provider

You can install the TYPO3 extension via Composer

composer require different-technology/mfa-sms

or via the TYPO3 extension repository.

Configure your SMS provider

Before using the SMS MFA provider, you have to set up an SMS provider. Navigate to the extension configuration in the TYPO3 backend and enter the DSN of your SMS provider.
AWS SNS and all Symfony SMS channels are currently supported.

Symfony SMS channel

This extension provides all Symfony SMS channels as SMS providers. You can find them here: https://symfony.com/doc/current/notifier.html#sms-channel

The following providers are currently supported:

  • AWS SNS (not provided by Symfony, see below)
  • Esendex
  • FreeMobile
  • Infobip
  • Mobyt
  • Nexmo
  • OvhCloud
  • Sendinblue
  • Sinch
  • Smsapi
  • Twilio

Please make sure to install the corresponding package first, before using the SMS channel.

For example, install the Twilio package:

composer require symfony/twilio-notifier

And configure the DSN:

twilio://SID:TOKEN@default?from=FROM

AWS SNS

This extension provides an extra adapter to use AWS SNS as an SMS provider. Please set up your AWS account and your IAM user/role and use the following configuration:

sns+https://MY_ACCESS_KEY:MY_URL_ENCODED_SECRET@default?region=eu-west-1

Please make sure your access key and secret are URL-encoded.
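Why the URL encoding matters, as an added example that is not part of the extension's code: the script builds the sns+https DSN from percent-encoded credentials and checks that it parses back to the same values, next to the unencoded form that does not. The credentials are constructed samples, the function names are hypothetical, and Python's standard URL parser stands in for the extension's DSN parsing, which is an assumption.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample credentials (not real). AWS secret keys can contain
# "/" and "+", which are reserved characters inside a URL.
ACCESS_KEY = "AKIAEXAMPLEKEY000000"
SECRET = "abc/DEF+ghi=jklEXAMPLE"


def build_sns_dsn(access_key: str, secret: str, region: str) -> str:
    """Build the sns+https DSN with both credentials percent-encoded."""
    # safe="" also encodes "/", which quote() leaves untouched by default.
    user = quote(access_key, safe="")
    password = quote(secret, safe="")
    return f"sns+https://{user}:{password}@default?region={quote(region, safe='')}"


def parse_credentials(dsn: str):
    """Return (user, password, host) the way a generic URL parser sees them."""
    parts = urlsplit(dsn)
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    return user, password, parts.hostname


def check_dsn(dsn: str, access_key: str, secret: str) -> bool:
    """True only if the DSN round-trips to the original credentials and host."""
    return parse_credentials(dsn) == (access_key, secret, "default")


if __name__ == "__main__":
    good = build_sns_dsn(ACCESS_KEY, SECRET, "eu-west-1")
    # Unencoded form: the "/" in the secret ends the authority part early.
    raw = f"sns+https://{ACCESS_KEY}:{SECRET}@default?region=eu-west-1"
    print("encoded DSN ok:", check_dsn(good, ACCESS_KEY, SECRET))
    print("raw DSN ok:    ", check_dsn(raw, ACCESS_KEY, SECRET))
    print("raw DSN parsed as:", parse_credentials(raw))
```

The script prints only the check results, never the DSN itself, so the secret does not end up in shell history or logs.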

Use SMS as MFA

To use SMS as MFA, open your TYPO3 backend and navigate to your MFA settings.

Open your MFA settings
Select “SMS Authentication Code”

Enter your mobile number in the SMS MFA settings and try out your settings in another browser.

Enter your mobile number

Now let’s log in to the TYPO3 backend again (in a different browser)

Log in to your TYPO3 backend
Enter the code you received via SMS
Received SMS on your mobile phone

That’s it!

Feel free to provide some feedback on GitHub:
https://github.com/different-technology/mfa_sms
