The ticket title and the ticket text ask two different questions which have two diametrically opposite answers. So, let me explain.
Is it possible to only enable LoginGuard for the backend login page? No, you can't and you shouldn't. Joomla! uses the same login information to let users log into both the frontend (pubic site) and the backend (administrator area) of the site. Moreover, newer versions of Joomla! allow for a unified login where logging into the frontend will also log you into the backend and vice versa. By protecting only the backend login you are creating a massive security hole. The attacker could brute force your password (or use a stolen password) in the frontend and perform administrative functions or even log into the backend of the site.
Is it possible to only enable LoginGuard for users with backend access? Yes, absolutely, it's a feature that has existing in Joomla! since 2010, when Joomla! 1.6 Alpha 2 was released. Every Joomla! plugin allows you to set an Access Level. If you set LoginGuard's system and user plugins to Special access then only users with backend access will have Two Step Verification applied to their login.
The reason that works with LoginGuard but not with Joomla's Two Factor Authentication plugins is that LoginGuard is NOT Two Factor Authentication (2FA), it's Two Step Verification (2SV). The important bit is that 2FA must be provided with the login information, i.e. before the user is logged in. Therefore Joomla! has to ask it from everybody. On the other hand, 2SV operates with what is called a "captive login". The user logs in but then cannot proceed until they provide their 2SV. This means that at the point where we have to evaluate whether to ask the user for 2SV they are logged in and we know who they are and what kind of access they have.
And now, the question nobody asks. Should I only enable 2SV for specific user groups? No, you shouldn't do that on most sites. 2FA and 2SV are NOT site security features, they are user account security feature. It does not protect your site, it protects your users. If your users store personally identifiable information on your site when they are logged in, information not visible to the general public, it might even be legally advisable to enable 2SV for everybody to fulfill the EU's GDPR requirement for "appropriate technical measures" to protect your users' personal information.
So, in short, yeah, you can do what you have in mind but I wouldn't recommend it.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
