Support

Hi Kevin,

This cannot be implemented in Two Factor Authentication as it degrades security, nullifying the benefits of TFA. I can give you two alternatives:

1. Use YubiKey. It does work with phones / tables. I have been able to use it on Android phones and tables using an inexpensive USB OTG (USB On The Go) converter cable: it converts the mini-USB on the Android device to a female Type A USB plug where you can insert the YubiKey. Android recognises it as an external keyboard (magic!). Same goes with my iPhone and iPad. I bought Apple's USB camera connector, the one which comes with a female Type A USB plug, not the one with the card reader. Like Android, YubiKey is recognised as an external keyboard. Just ignore all prompts telling you your device is not recognised / won't work. It does work.

2. The YubiKey Authentication Plugins, which you can download from this site, come with a single factor authentication method. You can define a YubiKey per user account or a Master Key which unlocks any and all user accounts. You use it instead of a password and it circumvents Joomla! 3.2's Two Factor Authentication. It doesn't circumvent Admin Tools' Two Factor Auth, though.

So, basically, on Joomla! 2.5/3.0/3.1 all you can do is use the Single Factor YubiKey Authentication plugins. On Joomla! 3.2 you can use a YubiKey for single or two factor authentication (or both). Google Authenticator can't be made safely to work uniformly across sites as it would degrade its strength.

For starters, you'd have to transfer the code to each individual site. If an attacker managed to sniff out that code while entering it in one of your sites he'd get access to all of your sites.

Android does not store private data securely, unlike iOS devices. All data is stored unencrypted in the main storage. You can encrypt the SD card, but this is a static key. If malware is installed on your site it is very possible that it can read those secret codes. On iOS the main storage and the contents in memory are encrypted using your PIN code. Furthermore the stronger process isolation in iOS makes this kind of malware (on non-jailbroken devices) virtually impossible. Sorry, but from a security perspective iOS is better which is one of the main reasons I'm sticking with it.

Now, the most important degradation of security comes from an attack that's not so difficult to launch, especially on a public Internet connection. A man-in-the-middle attack could read your secret code when logging in to any of your sites, let's call it Site A. That code would be valid for 30 seconds on all of your sites. If the attacker already knows (or has cracked) the password on another of your sites, let's call it Site B, he will be able to use the stolen secret code from Site A to log in to Site B.

Finally, Google Authenticator is not impervious to MITM (man in the middle) attacks. If an attacker has real-time monitoring of your actions there is a 30 to 60 seconds window where he can impersonate you on a site you are logging in without you noticing. YubiKey is far more secure as there is no such attack window. A MITM attack impersonating you on your site would end up with the YubiKey secret code being instantly "burned", making you unable to log in to your site. That would be a huge red flag, prompting you to take your site off-line through other secure means (hosting panel, SFTP), therefore it's impractical to the attacker.

TL;DR: If you want peace of mind use YubiKey and HTTPS on all of your sites.