Overview

Password reset links sent through email are one of the most common targets for cyberattacks. If someone gains access to a user’s email, they can easily reset passwords and take over accounts. To improve both security and user experience, the client wanted a faster and safer way for users to reset their passwords, without relying solely on email links.

Prerequisites

This use case has been seamlessly implemented using the plugins listed below. To achieve this, you will need to install these plugins on your Joomla instance.

miniOrange MFA Extension for Joomla

Validate your users with our powerful Joomla MFA/Two-Factor Authentication (TFA) extension.

Download Extension

Challenge

The default Joomla password reset process requires users to click a link sent to their registered email address. While this method works, it can be slow and risky. If a user’s email is compromised, an attacker could easily take over their Joomla account. The client needed a solution that made the reset process quicker, while also adding a strong layer of protection.

Solution

We integrated multi-factor authentication (MFA) into the Joomla password reset flow using the miniOrange MFA extension. This ensures that even if someone knows a user's email or username, they cannot reset the password without passing a second verification step.

Now, when users request a password reset, they must first complete an MFA challenge—only then can they set a new password.

Implementation

The default Joomla password reset functionality was improved upon by integrating MFA checks into the reset workflow. When a user initiates a password reset, they must go through a second layer of authentication before being allowed to change their password. This can be configured to work in multiple ways depending on the admin's choice:

• OTP via Email or SMS
• TOTP from authenticator apps like Google Authenticator or Authy
• Security questions or backup codes (used as fallback options)

Upon initiating a password reset request, the user receives a verification challenge through the configured MFA method. Only after completing the challenge are they redirected to set a new password.

This ensures that even if a malicious actor has access to a user’s account, they cannot perform a password reset without passing MFA.

Benefits

• Stronger Account Security: Prevents unauthorized password resets—even if email or username is exposed.
• Faster Password Resets: No need to check email inboxes or worry about expired reset links.
• Flexible Verification Options: Users can choose the method that works best for them: SMS, email, or authenticator apps.
• Reduced Risk of Account Takeover: Adds a critical layer of protection to one of the most vulnerable processes.

Result

Adding multi-factor authentication (MFA) in the password reset process has greatly enhanced Joomla's default functionality. This improvement has made the process more efficient and straightforward, all while maintaining, or even increasing, security. Users can now reset their passwords in just a few clicks without sacrificing their security.

Additional Resources

1. Multi-Factor Authentication for Joomla
2. OTP Verification for Joomla