TOTP (TFA/MFA via Google Authenticator)

The TOTP (Time-Based One-Time Password) plugin enables two-factor authentication (2FA) for selected user groups. Two-factor authentication, a form of multi-factor authentication (MFA), adds an extra layer of security by requiring a temporary code in addition to the user's password.

TOTP is a widely supported standard used by apps such as Google Authenticator, Authy, and Microsoft Authenticator. These apps generate time-based 6-digit codes on the user’s mobile device.

Figure: TOTP demonstration showing user setup

Setup Process

When a user in an enabled group logs in for the first time after TOTP has been enabled:

  1. They are presented with a QR code on screen.

  2. The user scans the QR code using their authenticator app.

  3. The app begins generating 6-digit TOTP codes.

  4. The user is prompted to enter a valid code to complete setup.

Once successfully configured, users will be prompted to enter a valid TOTP code on each subsequent login.

Figure: TOTP code entry

Security and Lockout

  • Users are allowed up to 10 attempts to enter the correct TOTP code.

  • After 10 failed attempts, the account is locked and TOTP authentication is blocked.
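The following Python is an added example, not code from the plugin, that shows what happens behind the setup and lockout steps above: the otpauth:// URI the QR code encodes, the RFC 6238 code the authenticator app derives from the shared secret and the clock, and a verifier that accepts one step of clock skew, refuses a replayed code and locks the account after 10 failures. The secret is the RFC 6238 test-vector key (constructed for the demo, not a real key), and the SHA1 / 6-digit / 30-second parameters are the defaults most authenticator apps assume; the plugin's own parameters are not stated on this page.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Constructed demo secret: the RFC 6238 test-vector key. A real deployment
# generates a fresh random secret per user at enrollment.
DEMO_SECRET = b"12345678901234567890"


def base32_secret(secret: bytes) -> str:
    """Base32-encode the raw secret the way authenticator apps expect (no padding)."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """Build the otpauth:// Key URI that the setup QR code encodes (step 1)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": base32_secret(secret),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": digits,
        "period": period,
    })
    return f"otpauth://totp/{label}?{params}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period) (what the app does in step 3)."""
    return hotp(secret, for_time // period, digits)


class TotpVerifier:
    """Server-side check (step 4 and every later login) with a lockout counter."""

    def __init__(self, secret: bytes, max_attempts: int = 10,
                 skew_steps: int = 1, period: int = 30):
        self.secret = secret
        self.max_attempts = max_attempts   # page states 10 attempts
        self.skew_steps = skew_steps       # tolerate +/- one 30 s step of clock drift
        self.period = period
        self.failed_attempts = 0
        self.locked = False
        self.last_counter_used = -1        # a code is single-use: reject replays

    def verify(self, code: str, now: int) -> bool:
        if self.locked:
            return False
        counter = now // self.period
        for step in range(-self.skew_steps, self.skew_steps + 1):
            candidate = counter + step
            if candidate <= self.last_counter_used:
                continue  # already consumed (or older than one consumed)
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):
                self.failed_attempts = 0
                self.last_counter_used = candidate
                return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_attempts:
            self.locked = True   # TOTP authentication is blocked until an admin resets it
        return False

    def reset(self) -> None:
        """Administrator 'TOTP reset': clears the lockout so the user can enroll again."""
        self.failed_attempts = 0
        self.locked = False
        self.last_counter_used = -1


if __name__ == "__main__":
    # Hypothetical account and issuer names, used only for the demo URI.
    print(provisioning_uri(DEMO_SECRET, "alice@example.com", "ExampleCRM"))
    print("current code:", totp(DEMO_SECRET, int(time.time())))
```

Two points the page's steps imply but do not spell out are visible here: the QR code carries the secret itself, so the enrollment page is as sensitive as a password reset link, and the 10-attempt counter only resets on a successful code, so ten wrong guesses spread over several logins still lock the account.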

Account Recovery and Reset

If a user:

  • Loses access to their device,

  • Fails to enter the correct code 10 times, or

  • Experiences other issues with TOTP authentication,

an administrator can reset the user’s TOTP setup:

  • Navigate to the user edit page.

  • Tick the “TOTP reset” checkbox (visible near other password reset options).

  • Save the user record.

Note: The admin performing the reset must belong to a group for which the TOTP plugin is enabled in order to see this option.

Administrator Override

Administrators also have the option to postpone TOTP registration for 24 hours during login. This allows access to the system without completing TOTP setup immediately. This override is only available to users with administrative privileges.