5 July 2021
While we like to think our clients have moved past ‘one password to rule them all’ and are a little more savvy with their online security, sometimes a system calls for a higher level of security. Adding two-factor authentication (2FA) to your login process is a simple way of adding an extra layer of security to your Umbraco Content Management System (CMS).
Umbraco prides itself on security and is regularly testing and improving its security framework. However, if your CMS or web application relies solely on a username and password (this is called single factor authentication), it is open to some level of risk as passwords can be stolen through phishing scams or a data breach of another business you have an account with.
2FA helps protect against this by adding another level of security to your CMS.
Out-of-the-box, Umbraco uses ASP.NET Identity to authenticate and authorise users, and this provides a pretty robust level of security.
However, for those clients seeking an additional layer of security, Umbraco supports external login providers to authenticate your users. We’ve enabled 2FA for Umbraco clients using a range of providers including Google & Facebook.
Canterbury Civil Defence wanted to ensure their Umbraco CMS was secure, while also having the flexibility to onboard new content administrators quickly during an emergency response. To achieve this we opted to use Time-based One-time Password Algorithm (TOTP) which is supported by both Microsoft and Google authentication.
When a user is added to the CMS, they are required to scan an on-screen QR code the first time they log on. For subsequent log-ins, they receive a unique code via their Google of Microsoft authentication app which they are prompted to enter once they’ve entered their username and password.
Other clients have dedicated authentication software that is used across their organisations' business systems, the website's CMS accounting for just one of these systems. We recently completed 2FA for Maritime NZ’s intranet using Okta, an authentication platform Maritime uses across their organisation.
Deciding which authenticator is best for your organisation will depend a lot on your organisation and who currently has access to the CMS or web application you're looking to protect. Regardless of which option you choose, users will need to provide two pieces of information to be able to access the CMS/application. The Cert NZ Guide has a great explanation of the different types of information that could be used.
If you’d like to beef up security on your CMS, get in touch, we’re happy to help you understand the benefits of 2FA and the options available.