TYPO3 introduced Multi-Factor Authentication (MFA) with TYPO3 version 11.1. This is a great step to prevent TYPO3 users from being hacked! This post shows how to activate SMS as a second authentication factor (2fa).
Wait! Why SMS?
As you probably already know, SMS is not a good solution for a two-factor authentication. SMS can be intercepted and read by hackers. Therefore, other MFA methods are preferable.
If possible you should use a hardware authentication device (eg. YubiKey) or an authentication app like “Microsoft Authenticator” or “Google Authenticator” on your smartphone and setup the “Time-based one-time password” in TYPO3.
But in general: It is better to have a weak second factor (SMS) than just one factor! So before you don’t use a second factor, you’d better use SMS as MFA.
Setup SMS as MFA
Install SMS MFA provider
You can install the TYPO3 extension via composer
composer require different-technology/mfa-sms
or via TYPO3 extension repository.
Configure your SMS provider
Before using the SMS MFA provider, you have to setup an SMS provider. Navigate to the extension configuration in the TYPO3 backend and enter the DSN of your SMS provider.
AWS SNS and all Symfony SMS channels are currently supported.
Symfony SMS channel
This extension provides all Symfony SMS channels as SMS providers. You can find them here: https://symfony.com/doc/current/notifier.html#sms-channel
The following providers are currently supported:
- AWS SNS (not provided by Symfony, see below)
Please make sure to install the corresponding package first, before using the SMS channel.
For example install the Twilio package:
composer require symfony/twilio-notifier
And configure the DSN:
This extension provides an extra adapter to use AWS SNS as SMS provider. Please setup your AWS account and your IAM user/role and use the following configuration:
Please make sure your access key and secret is URL encoded.
Use SMS as MFA
To use SMS as MFA open your TYPO3 backend and navigate to your MFA settings.
Enter your mobile number to the SMS MFA settings and try out your settings in an other browser.
Now let’s login to the TYPO3 backend again (in a different browser)
Feel free to provide some feedback on GitHub: