The dangers facing a modern web site can be exhausting to protect against. From denial of service (DoS) attacks hindering uptime to the constant brute-forcing of user passwords, a CMS administrator has numerous things to worry about on a daily basis. Because some challenges are more difficult than others, it’s common for teams to roll out solutions that may fill a security gap, but also create new annoyances for users. How then can a team receive enhanced security and also provide a manageable user experience?
Two-factor authentication is a hot topic in technology due to numerous companies rolling out their own solutions for customers, including the likes of Facebook, LinkedIn, and 37 Signals. With this added exposure to two-factor, the demand for such functionality is increasing for everyday applications like Drupal. Because of the rampant rate at which CMS sites are being hacked due to poor passwords, it’s more crucial than ever to add strong authentication security to existing web sites that power corporate sites and eCommerce. One such solution to this problem that addresses both poor authentication and the need to engage end-users is Duo Security.
With Duo Security’s offering, a simple mobile application provides a “push” method of two-factor authentication directly to the phone. If your users don’t happen to have a smartphone or are unable to receive a data connection, they can chose among many other methods to authenticate such as a phone call, SMS, soft token passcode, or hard token passcode. With many options to authenticate, users are less likely to be frustrated with trying to handle two-factor authentication.
If your organization utilizes Drupal, adding Duo Security will provide for a simple and affordable method to secure authentication while still providing your administrators and editors a convenient way to login. If you’re interested in adding two-factor authentication to your site running Drupal, follow the next few steps to get the protection and convenience of Duo Security.
Create a Duo Security Account
First, head over to https://www.duosecurity.com/editions and sign-up for a personal account which will provide Duo Security service for up to 10 users, completely free. This means that not only can your whole team utilize two-factor authentication for your Drupal site, but also for other logins such as SSH or your VPN.
Add the Duo Security Drupal Module
As with most Drupal modules, simply visit our official module page at https://drupal.org/project/duo and download the appropriate version for your Drupal installation and upload either via FTP or the administration console. Once installed, enable the newly installed Duo module to continue on for configuration.
Configuration of the Duo Module
Within your Duo Security administration panel, create a new integration for your Drupal site. You’re able to call the integration whatever you prefer, but we’d recommend naming it related to your web site for easy identification.
Once your integration is created, you will see three important values: integration key; secret key; and API hostname. These values will need to be put into the associated fields within your Drupal configuration for the module. Once they have been copied-and-pasted over, simply click “Save Configuration”.
Testing Drupal Two-Factor Authentication
If you’re still logged into your Drupal administration panel, simply click “Log out” to go back to your login page. Once you enter your username and password again, you’ll now be prompted to enroll your user’s account into Duo Security. One of the best features of Duo is the ability for users to configure their own methods of authenticating to the service via devices such as phones, tablets, and hardware tokens.
Upon completion of your user’s enrollment setup, you’ll be able to select a method to complete your 2nd factor of authentication. We recommend Duo Push as it is our easiest and most secure method to do so. With a single tap of your Duo Mobile app you can choose to approve or deny the login request.
Convenience and Security
With Duo Security your users don’t have to tediously deal with only a single hardware token or lackluster mobile app in order to login securely to your Drupal site or other applications. By empowering users to define multiple methods to login to your organization’s applications they are more productive and require less interaction with your support staff. Further, because Duo Push is so easy to use, your entire staff won’t mind adding this increased authentication security, enabling the team to focus on content and design rather than brute-force attacks.