Login Settings


These settings allow you to customize how Multi-Factor Authentication (MFA) is applied across your Joomla site, giving you full control over when it's enforced and how much flexibility users have in configuring and managing their MFA preferences.


Enforce Multi-Factor Authentication (MFA)

Enabling this option makes MFA mandatory for every login. Users cannot skip the second step, so no login succeeds on the password alone.

  • Recommended for high-security environments such as admin panels, membership sites, or websites handling sensitive user data.
  • If this option is left unchecked, MFA is not enforced and users can log in with just their password.

Enable For: Frontend / Backend / Both

This setting controls where MFA is applied: only on the Frontend login used by registered site users, only on the Backend (administrator) login used by the Administrator, Super User and Manager groups, or on both.

  • Frontend Only – Secure public user accounts
  • Backend Only – Protect admin access without affecting user experience
  • Both – Maximum protection site-wide

This granular control lets you enforce MFA in the context that matters most for your site structure. Bear in mind that the frontend login form accepts administrator credentials as well, so Backend Only still leaves an Administrator or Super User account reachable with a password alone through the site frontend; if privileged accounts ever log in there, choose Both.

Disable MFA for New Users

This option lets newly registered users log in without being forced to configure MFA. It is useful for a smooth onboarding experience, especially with a non-technical audience.

  • Tip: you can later prompt these users to enable MFA via email campaigns or after-login redirects.
  • From a security perspective, the safer choice is to have new users configure MFA immediately after account creation; an account that skips it stays password-only until its owner enrolls.

Allow Users to Skip MFA Setup

When this option is enabled, new users may choose to skip MFA setup during registration or at their first login.

  • Useful for improving the sign-up experience, especially for users unfamiliar with MFA.
  • You can still encourage users to enable MFA later via reminders or a setup page after login.

This option adds flexibility, but an account that skips setup is protected by its password alone, so prompt users to enroll as soon as possible.

Allow Users to Change Their MFA Method

Empower users to reconfigure their MFA method if they change phones, prefer another method, or need to reset their authenticator setup.

This functionality is available through the Joomla user profile. You must create a Joomla menu item that links to the user profile editing view so that users can reach it from the frontend.

This feature ensures users are not locked into a method that no longer works for them, improving long-term usability. Treat a method change as a sensitive action: it is worth verifying that swapping the method requires the current factor (or a backup code), since otherwise anyone holding a hijacked session could replace the factor with their own.

Enable "Remember Device"

This option lets users mark a device as trusted. On a trusted device they are not prompted for MFA again until a defined period expires.

  • Reduces login friction on personal devices
  • Ideal for regular contributors or site admins using secure personal systems
  • Unknown devices and new browsers are still prompted, because the trust marker lives in the browser and does not follow the user

The trust marker is effectively a bearer token stored in the browser: anyone who can use that browser, or who steals the marker, skips MFA until it expires. Keep the period short for backend accounts and enable the option only where devices are genuinely personal and under the user's control.
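To make concrete what "trusted for a defined period" has to guarantee, here is an added example (not code from the plugin or from Joomla) of a signed trusted-device cookie: the value binds a random device id to one user, an expiry, and a per-user MFA generation number, and verification rejects tampering, expiry, a different user, and any token issued before the user's generation was bumped (for example on a password change). The key and the field names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a server-side signing key loaded from configuration. The literal
# below is a placeholder for the example, not a key to deploy anywhere.
SERVER_KEY = b"example-only-key-replace-with-32-random-bytes"
TRUST_DAYS = 30  # the "defined period" after which the device must pass MFA again


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_token(user_id: int, mfa_generation: int, now=None,
                       ttl_days: int = TRUST_DAYS, key: bytes = SERVER_KEY) -> str:
    """Create the value to store in the 'trusted device' cookie.

    Bumping the user's mfa_generation (e.g. on password change, or when the
    user clicks 'forget my devices') revokes every token issued before it.
    """
    now = int(time.time()) if now is None else now
    payload = {
        "uid": user_id,
        "dev": secrets.token_hex(16),      # random per device, so tokens are unique
        "exp": now + ttl_days * 86400,
        "gen": mfa_generation,
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def device_is_trusted(token: str, user_id: int, mfa_generation: int,
                      now=None, key: bytes = SERVER_KEY) -> bool:
    """True only if the cookie is authentic, unexpired, bound to this user and
    issued under the user's current MFA generation."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False
    body, sig = parts
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # authenticate before parsing
        return False
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):     # binascii.Error is a ValueError
        return False
    return (payload.get("uid") == user_id
            and payload.get("gen") == mfa_generation
            and now < payload.get("exp", 0))


if __name__ == "__main__":
    tok = issue_device_token(user_id=42, mfa_generation=1)
    print("trusted now:", device_is_trusted(tok, 42, 1))
    print("after generation bump:", device_is_trusted(tok, 42, 2))
```

The generation counter is what makes "forget all my trusted devices" and "password changed, re-prompt everywhere" cheap: no list of issued tokens has to be kept or searched, one integer per user is enough.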

Allow Users to Set Up Backup MFA Methods

Let users configure backup authentication methods such as:

  • Security Questions
  • Backup Codes

If users lose access to their primary MFA method (e.g., they lose their phone), these backup methods let them regain access without admin intervention. Backup codes are the stronger of the two: security-question answers are often guessable or discoverable from public information, so if you enable them, treat them as a last resort rather than as an equivalent second factor. Advise users to save their backup codes offline when they are shown, since a backup method is only useful if it is not lost together with the phone.
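As an added example (not the plugin's own code) of what a sound backup-code store looks like, the block below generates a set of random codes, keeps only keyed digests of them, accepts whatever spacing or case the user types, and consumes each code exactly once; re-issuing a set invalidates the previous one. The pepper value and the code format are assumptions for the example.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10
CODE_BYTES = 5   # 40 bits of entropy per code, displayed as xxxxx-xxxxx

# Assumption: a server-side pepper loaded from configuration (placeholder here).
# Codes carry enough entropy that a keyed SHA-256 is an adequate one-way store.
PEPPER = b"example-only-pepper-replace-me"


def _normalize(code: str) -> str:
    """Accept what users actually type: case, spaces and dashes do not matter."""
    return "".join(ch for ch in code.lower() if ch in "0123456789abcdef")


def _format(raw_hex: str) -> str:
    return f"{raw_hex[:5]}-{raw_hex[5:]}"


class BackupCodes:
    """Backup-code set for one user. Only digests are retained; the plaintext
    codes exist exactly once, in the list returned by issue()."""

    def __init__(self, pepper: bytes = PEPPER):
        self.pepper = pepper
        self.digests = []   # persisted per user in a real deployment

    def _digest(self, code: str) -> bytes:
        return hmac.new(self.pepper, _normalize(code).encode(), hashlib.sha256).digest()

    def issue(self, count: int = CODE_COUNT) -> list:
        """Generate a fresh set. Any previously issued set stops working."""
        codes = [_format(secrets.token_hex(CODE_BYTES)) for _ in range(count)]
        self.digests = [self._digest(c) for c in codes]
        return codes

    def redeem(self, candidate: str) -> bool:
        """Consume one code. Every stored digest is compared in constant time
        (no early exit), and a matching code is removed so it cannot be replayed."""
        wanted = self._digest(candidate)
        matched = None
        for stored in self.digests:
            if hmac.compare_digest(stored, wanted):
                matched = stored
        if matched is None:
            return False
        self.digests.remove(matched)
        return True

    def remaining(self) -> int:
        return len(self.digests)


if __name__ == "__main__":
    store = BackupCodes()
    shown_once = store.issue()
    print("show these once, then never again:", shown_once)
    print("first use:", store.redeem(shown_once[0]), "second use:", store.redeem(shown_once[0]))
```

Because the codes are stored only as digests, a database dump does not hand an attacker a working second factor, and because each digest is deleted on use, an intercepted code is worthless once the legitimate user has consumed it.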


Passwordless Login

The Passwordless Login feature lets users log in without entering a password, using only one multi-factor authentication method, such as:

  • Time-Based OTP (from an Authenticator App)
  • OTP received via Email or SMS

This configuration removes traditional passwords altogether and relies on a single possession-based factor. It eliminates risks such as weak or reused passwords, but it also means the OTP channel alone stands between an attacker and the account: whoever controls the user's mailbox or phone number (for example through a SIM swap) can log in, and a one-time code can still be phished in real time. Prefer the authenticator-app option over Email or SMS OTP wherever your users can support it.

Note: Enabling Passwordless Login overrides the other advanced settings and applies site-wide across all user roles.


Select Specific Authentication Methods for Users

As an admin, you have the flexibility to choose which authentication methods are available for users. This ensures your security policy aligns with your user base and technical infrastructure.

Supported MFA methods include:

  • TOTP-Based Apps (e.g., Google Authenticator, Microsoft Authenticator)
  • OTP over SMS (One-Time Passcode sent to a registered mobile number)
  • OTP over Email (Secure code sent to the user's inbox)
  • Hardware Tokens (YubiKey, etc.)

Only the selected methods will be shown during the user's MFA enrollment process. You can:

  • Restrict methods to ensure consistency
  • Or allow users to choose based on their preferences

Example:
For enterprise users, you might restrict MFA to TOTP and Hardware Tokens for maximum security.