Joomla 4! Web Authentication (WebAuthn) support: Make Joomla login, faster, more secure and easy
Joomla 4, an ultimate version that has been expected by the Joomla community for quite a while now, has introduced numbers of exciting new features. Now, these features can be very visible to the eye such as new ways to build, different functions, etc. And one of the aspects that attracts lots of attention from the public is the security that Joomla 4 offers.
On December 20, 2020, Nicholas K. Dionysopoulos, one of many that contributed the code to support the new security feature of Joomla 4 had published an article on Joomla! Community Magazine talking about this new feature. These few lines below are a summary of the keys aspect in Nicholas’s article.
Let’s dive in!
The forever-problem of insecurity password leads to a site hacked
It is commonly mistaken that only high value websites are at risk of being hacked. Truthfully, high value websites have higher potential of being hacked, though it doesn’t mean that smaller websites won’t be targeted. Hacked sites can then be used to send spams or phishing emails, host malware or become unwitting accomplices to their crimes as part of a botnet.
And the most common reason behind the compromise of the websites is very simple: using insecure passwords or reusing passwords, that got discovered by an automatic attack tool.
In the effort of preventing site hacking, Joomla had upgraded the way it stores passwords in its database and using stronger hashing algorithms. Nonetheless, the arrival of cloud computing providers with the relatively cheap price they offer for GPU computing, creating an ideal computing power to crack passwords. This makes those efforts of preventing site hacking seem useless, at least to a certain extent.
Adding to the effort of bringing the highest level of security to the platform, Joomla added Two Factor Authentication (2FA) since version 3.2 to minimize the impact of bad passwords. Though, bringing 2FA into Joomla didn’t really solve the problem since 2FA has its own trouble. For examples:
- It requires to enter another piece of information via another device or application
- IF you reset/change/lost your phone, you will lock yourself out from your site unless some "database surgery" is carried out to regain the access
Introducing WebAuthn
Web Authentication (WebAuthn) is a W3C standard. The basic mechanism of WebAuthn is based on the public key cryptography introduced in the 1970s.
Basically, two very long numbers which are mathematically entwined, called Public key and Private Key (together called a Key Pair) are generated by the browser. Then the Public Key is given to the server. When a user decides to login, the server will send a chunk of randomly generated data to the browser and remember it. The browser then uses Private Key to encode and send it back to the server to decrypt. It then checks that the decrypted data matches the one it remembered. If the decrypted data matches, you will be logged in.
WebAuthn is considered the closest thing to "unhackable" we can obtain with modern technology. Not only is it the replacement of passwords, it is also designed to fix the problem that normal passwords occur.
WebAuthn Requirements
WebAuthn is a new security feature included in Joomla 4. And in order to use this feature, you need to meet the following requirements:
System - WebAuthn Passwordless Login Plugin
This is the feature that implements WebAuthn in Joomla, which includes authenticator management and login. This plugin is enabled by default.
A valid HTTPS with certification
Your site must always and only be accessible through HTTPS. You can do that by going to your Global Configuration and set Force HTTPS to Entire Site.
Note: WebAuthn only works on your live site, it will NOT work on your local folder or on a temporary URL.
Browsers and Platforms that support WebAuthn
Currently, WebAuthn is supported in Google Chrome, Mozilla Firefox, Microsoft Edge and Safari web browsers, as well as Window 10 and Android platforms.
You can get a closer look at the adoption status for various platforms here.
An authenticator
Typically there are two types of authentication you should be using:
- Embedded authenticators:
If you are using devices that run Window 10 version 1903 or later, Android Pie or Later, macOS Big Sur or later, or IOS/iPadOS 14 or later that has biometric authentication (using fingerprint, face scanning, etc.) you can use the device itself as a WebAuthn authenticator.
- Secure hardware dongles:
You can use any hardware dongles that support FIDO or FIDO 2. This is an option for older and cheaper devices.
Note: The hardware dongles usually cost between 10 and 30 euros.
A small reminder
It is experienced that WebAuthn key pairs are tied to the exact domain name of your site. It means that "www.joomlashine.com" and "joomlashine.com" in the "eyes" of WebAuthn are considered 2 different sites.
Therefore, it is recommended that you should set up a redirection from the non-www to the www domain name or vice versa.
WebAuthn authentication registration process
Before you can use WebAuthn to login to your website instead of using a password, first you need to register an authenticator. Below are the steps you can follow to register:
Step 1
Go to your website and log in. Afterward, you need to navigate to your Joomla user profile and edit it. There are 2 ways you can do this:
- In the frontend there’s usually a profile link in the login module
- In your site’s backend, click on the User Menu icon at the top right corner and click on Edit Account.
Both ways will lead you to a section/tab called "W3C Web Authentication (WebAuthn) Login".
Step 2
Click on Add New Authenticator button, select whichever option that suits your needs and follow the instructions displayed to activate the authenticator for your Joomla site.
On your mobile devices, the system might ask for further information if you want to use integrated fingerprint / TouchID / FaceID or a security key.
Step 3
After finish adding a new authentication, click Edit Name button to rename it and click on Save.
And that’s it to register for a WebAuthn Authenticator.
Logging in with a WebAuthn authenticator
Simply go to your backend login page and enter your login username. Then, instead of typing in your password, choose the Web Authentication button.
After completing the above action, the system will ask you to select and activate your authenticator to login.
Obtaining an authenticator
If you are using a device with a built-in authenticator, then you can use the device itself as an authenticator.
However, if you own a device that does not have a built-in authenticator, you will need an external secure hardware dongle. It is suggested by Nicholas that you use a Security Key NFC by Yubico.
Sharing Login information
One small downside of this security feature of Joomla 4 is that you cannot share your login information to third party developers or consultants, etc. The only way you can do this is by sending them a physical security key which is impractical.
The practice to solve this downside is divided into 2 steps. First step, you need to ask them to create an account on your site. When they’re done, you can change their account’s user groups to give them the access level needed to work on your site.
[Advance practice] Bringing your Joomla site’s security to the next level
Passwords are never unnecessary
Even though WebAuthn is a secure and advanced technique to apply to your account, an “old-fashion” account and password is still essential. The password will allow you to have full access to your website without going through WebAuthn. However this will be used as the last option, you won’t be using the password to login your site on a daily basis.
A good practice recommended by Nicholas is that you should use a password manager to set up a long and random password, with 32 to 64 characters to make it impossible to guess or even crack in.
A second layer of WebAuthn will come in handy
It is idealed to set up more than one WebAuthn authenticator, one with a cheap hardware token protected with a PIN. This will be your backup plan when all of your devices get reset and you don’t have access to your password manager when your long, random password is stored.
Final words
WebAuthn is a fast and advanced guardian of your Joomla website. It’s secure, it’s easy to use and it works the same on every site; a great feature to be seen in Joomla 4 version. Looking forward to testing out this feature by myself!