Joomla Multi-Factor Authentication (MFA)

Yes, the miniOrange Two-Factor Authentication extension is fully compatible with Joomla 3, 4, 5, and 6. It works out-of-the-box with all standard Joomla themes and installations, requiring no additional configuration after a version upgrade. Whether you're running a legacy Joomla 3 site or migrating to the latest Joomla 6 release, your MFA setup, user policies, and authentication methods remain intact. This forward-compatible design ensures your site's login security is never compromised during routine platform updates.

The miniOrange 2FA plugin for Joomla supports a comprehensive range of authentication methods to suit different security needs and user preferences:

• Authenticator Apps (TOTP): Generate time-based one-time passwords using Google Authenticator, Microsoft Authenticator, Authy, or any TOTP-compatible app. This method works fully offline, making it ideal for high-security environments.
• OTP via Email or SMS: Deliver one-time passwords directly to a user's registered email address or mobile number. SMS OTP is especially effective for users who prefer not to install a separate app.
• Passwordless Login: Allow users to authenticate using only their username and a verified authentication factor such as OTP, email verification, or authenticator approval, eliminating password-related vulnerabilities such as credential stuffing and brute-force attacks.
• Security Questions (Knowledge-Based Authentication/KBA): Add a secondary layer of identity verification through pre-configured personal security questions, useful as a fallback or for lower-risk user roles.

Yes. The miniOrange 2FA plugin includes granular Role-Based MFA Control, allowing Joomla administrators to apply authentication policies selectively rather than site-wide. Specifically, you can:

• Mandate 2FA for privileged roles such as Super Users, Administrators, and Editors, while keeping it optional or disabled for lower-risk roles like Registered or Guest users.
• Restrict or exempt users by IP address, enabling trusted internal networks (e.g., office IPs) to bypass MFA while requiring it for all external logins.
• Enforce MFA by email domain, useful for multi-tenant or membership sites where different user groups have different compliance requirements.

This level of control reduces unnecessary friction for end users while ensuring that accounts with elevated access, which represent the highest security risk, are always protected by a second factor.

Losing access to your 2FA device does not result in a permanent account lockout. The miniOrange 2FA plugin for Joomla provides two reliable recovery mechanisms:

• Backup Codes: During initial 2FA setup, users are prompted to generate and securely store a set of single-use backup codes. Each code can be used once in place of the standard second factor to regain access and reconfigure authentication settings.
• Backdoor URL (Admin Recovery): Administrators can access a specially configured backdoor URL that bypasses the 2FA step entirely, allowing secure account recovery without exposing the login flow to others. This URL should be stored securely and restricted to site administrators only.

Both methods are designed to prevent lockout scenarios while maintaining the integrity of your site's authentication layer. It is strongly recommended to generate backup codes at the time of setup and store them in a secure password manager or offline location.

Yes. The plugin includes a configurable Remember My Device feature that allows users to skip the MFA step on browsers they have previously verified and trusted. Once authenticated, the device is marked as trusted for a defined number of days (set by the administrator), so returning users are not repeatedly prompted for a second factor on the same machine.

This feature strikes a practical balance between security and usability: it reduces login friction for frequent users accessing from their personal or work devices while still requiring full MFA verification from any new or unrecognized device. Sessions can be invalidated at any time by the user or administrator, and the trusted-device duration can be tuned to match your site's risk tolerance.

Yes. The miniOrange 2FA extension supports full Custom Gateway Integration for both SMS and email OTP delivery, giving you complete control over messaging infrastructure and costs. Out of the box, the plugin includes pre-built integrations with leading providers, including Twilio, Amazon SNS (AWS), and ClickSend. For organizations that operate their own messaging infrastructure or prefer a different provider, you can configure a custom SMS or email gateway using standard API credentials. This is particularly valuable for enterprises with data residency requirements, organizations operating in regions where default providers are restricted, or businesses that have negotiated custom SMS pricing with a regional carrier.