Version 4 supported
This version of Silverstripe CMS is still supported though will not receive any additional features. Go to documentation for the most recent stable version.

Multi-Factor Authentication (MFA)

What is Multi-factor authentication?

Multi-factor authentication (MFA), often referred to as Two-factor authentication (2FA), is an extra layer of security designed to be used alongside your traditional username/email and password login. By adding another verification step to the login process, you can prevent an unauthorised user from accessing your account, even if they know your username/email and password.

Unlike your username/email and password, which is something only you know, MFA verification asks you to provide something only you have - a physical device, like your phone or a USB device. Some services can also verify something you are - for example your fingerprint or face. For more information, see the CERT NZ guide.

Two popular verification methods are supported by the MFA feature of Silverstripe CMS:

Authenticator apps (TOTP)

An authenticator app is installed on your phone which generates temporary single-use passcodes needed for MFA verification. Each code is usable for only a short period of time before a new one is automatically generated.

Security keys (WebAuthn)

A security key is a physical device, such as a USB key, that is activated during MFA verification. This may involve plugging the device into your computer or bringing the key in range of a compatible device supporting wireless communications (NFC). To use a security key for MFA within Silverstripe CMS, you must log in using a supported browser over HTTPS (see Using security keys for details).

**Recovery codes**

Recovery codes are a backup verification method. In the event that you lose access to your other verification methods, a recovery code can be used to regain access to your account. A set of codes will be provided to you when you first set up an MFA verification method on your account. You can only use each of these codes once, and they should be stored somewhere safe.

User manual

Setting Up MFA
Running initial configuration of an MFA method for your account
Using authenticator apps
How to acquire and configure an Authenticator app for your phone
Using security keys
How to set up and use a security key
Regaining access when locked out
Steps to recover your account if your primary MFA method is unavailable
Managing your MFA settings
Steps for adding, removing and resetting MFA methods
Remember trusted devices
Steps to stay signed in on a trusted device

Administrator manual

Configuring MFA for your site
Switching between optional or required modes for MFA
Resetting accounts
How to reset a user's account if they lose access to it