User security is always a concern when you must have a website that is housing sensitive data. Joomla! 4.0 has implemented support for WebAuthn (W3C Web Authentication). This option allows you to use security keys and passwordless login provided that you have an authenticator and a valid SSL certificate applied to the site.
This article will go over the details on the requirements for use of WebAuthn. We will also demonstrate how you enable it for your users and where it can be disabled in the Joomla interface.
- What is WebAuthn and How is it Supported in Joomla 4.0?
- How to Enable WebAuthn for Your Users
- How to Enable/Disable Passwordless Logins in Joomla
What is WebAuthn and How is it Supported in Joomla 4.0?
WebAuthn is a W3C (World Wide Web Consortium) standard for secure authentication on the Web supported by major internet browsers. WebAuthn stands for Web Authentication and allows for passwords to be stored outside of the application, the verification of the use of HTTPS, and the use of an authentication system – through compatible browsers, applications, or hardware keys. The specific requirements as listed by Joomla developers can be found in this document: PR#289044. To summarize:
- You must have a valid SSL certificate that allows access to your site through HTTPS
- You must have an authenticator. A FIDO (Fast IDentity Online) or FIDO2 compatible hardware key is considered to be the best solution. But a software FIDO key may also be used. (Note: WebAuthn works through the Chrome browser)
- WebAuth compatible browser – currently, Google Chrome and Firefox are listed as working solutions
When you load Joomla! 4.0 then you should have WebAuthn enabled by default. You can tell if you have a working SSL certificate and your login screen looks like this:
How Do You Enable WebAuthn For Your Users?
Before you can use WebAuthn for your login, you must let your users know that at this point the browsers they can use for login are either Google Chrome or Mozilla Firefox. You will also need to make sure that your SSL certificate is valid and your website can use HTTPS when displayed in a browser.
If you intend to allow the use of hardware keys like Yubikey, or Google Titan then these devices must be FIDO or FIDO2 compatible. Also, users should be warned of the consequences of losing a key. If you are a company and have employees using the Webauthn log-in with a key, then you should have a policy in place for replacement keys and backups.
If you are a small operation or you’re the only one logging in with a key, then look into the backup policies and advice provided by the vendor who supplies your key. For example, Yubikey advises that you keep a backup key.
While they are considered the most secure option, the main drawback of using hardware keys is that they are not free. You can expect to spend from $30+ for each key purchased.
To enable Webauthn for your users, make sure that they meet the requirements of having a compatible browser or hardware key. Then follow these steps:
- Log in to the Joomla Administrator Dashboard and click on Users in the main menu at the left.
- Click on the user that you want to modify.
- You will see the user with a tab for Web Authentication:
- Click on the W3C Web Authentication tab. You will see the option to add an authenticator at the bottom.
- Click on the green bar and you will get the option to add an authenticator. In this example screenshot, I have the choice of a USB security key or This device.
- When I completed adding the device, it confirms it on the screen.
- Make sure to click on SAVE or SAVE & CLOSE in the top left corner.
At this point, WebAuthn has been enabled for the user and you can test it at the login screen. When the login screen appears, click on the Web Authentication button, a popup will appear asking for a password.
Once you type in the corresponding password then it will log you straight into the application.
How to Enable/Disable Passwordless Logins in Joomla
The option to enable or disable passwordless logins can be found in the System Plugins section. Here are the steps to get to that section.
- Log in to the Joomla Administrator Dashboard
- Look for the Plugins button on the front page. Click on this button.
- You can disable the plugin for passwordless login by clicking on the green checkmark to disable it.
If this option is disabled, then you will not see the web authentication login button on the login screen.
This completes our tutorial on WebAuthn in Joomla! 4.0 and how it’s used. If you want to continue learning more about using Joomla, then please visit our InMotion Hosting Support Center website.