Second-factor authentication (2FA)
Kirby offers two built-in 2FA methods, and you can add more via plugins.
Available methods
Kirby comes with built-in second-factor authentication (2FA) methods:
- auth code via email
- time-based one-time passwords via an auth app (TOTP)
You can add additional types of auth challenges (SMS, hardware tokens) via auth challenge plugins. The login flow is the same, but the additional login code then gets verified by the plugin.
Enabling 2FA
You enable 2FA in your config.php file (see two-factor authentication in the authentication guide).
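As an added example (not a snippet from this page), this is what the site configuration looks like with the second factor switched on for the password login. The option path `auth` > `methods` > `password` > `2fa` is the one used in Kirby's authentication guide; confirm it against the guide for your Kirby version. With this in place, the default mode emails a code after the password step, and individual users can switch their own account to TOTP.

```php
<?php
// site/config/config.php (added example, not the page's own snippet)
// Enables the second factor for the password login method. Without this
// option the Panel accepts email + password alone.
return [
    'auth' => [
        'methods' => [
            'password' => [
                '2fa' => true
            ]
        ]
    ]
];
```

Removing the `'2fa' => true` entry again is what the "Disable TOTP" section below refers to when it says 2FA is turned off for the whole site by removing the configuration.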
Auth-code via email
The default 2fa mode first asks users for their email and password and then sends a verification email containing an additional code, which they have to enter afterwards to complete the login.
Since 4.0.0
Time-based one-time password (TOTP)
TOTP allows you to sign in to the Panel with a code generated by your auth app of choice. Each code is valid only once and changes every 30 seconds.
You enable TOTP as the second-factor authentication method in your user account. For this option to be available, 2FA has to be enabled for the site in the configuration.
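To make the two properties above concrete (a code changes every 30 seconds and is accepted only once), here is an added example of an RFC 6238 TOTP generator and verifier in PHP. It is illustrative code written for this page, not Kirby's implementation, and the function and class names (`base32Decode`, `totpCode`, `TotpVerifier`) are hypothetical. The demo at the bottom uses the RFC 6238 reference secret, whose base32 form is constructed here for the example.

```php
<?php
// Added example (not Kirby's own code): a minimal RFC 6238 TOTP generator and
// verifier. Requires PHP 8.0+. All names are hypothetical.

// Decode the base32 "setup key" an auth app receives into raw secret bytes.
function base32Decode(string $encoded): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach (str_split(strtoupper(rtrim($encoded, '='))) as $char) {
        $value = strpos($alphabet, $char);
        if ($value === false) {
            throw new InvalidArgumentException("Invalid base32 character: $char");
        }
        $bits .= str_pad(decbin($value), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {          // drop trailing padding bits
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

// RFC 6238: HOTP over the counter floor(time / step), HMAC-SHA1, 6 digits.
function totpCode(string $secret, int $timestamp, int $step = 30, int $digits = 6): string
{
    $counter = pack('J', intdiv($timestamp, $step));          // 8-byte big-endian counter
    $hmac    = hash_hmac('sha1', $counter, $secret, true);
    $offset  = ord($hmac[19]) & 0x0f;                          // dynamic truncation (RFC 4226)
    $binary  = ((ord($hmac[$offset]) & 0x7f) << 24)
             | (ord($hmac[$offset + 1]) << 16)
             | (ord($hmac[$offset + 2]) << 8)
             |  ord($hmac[$offset + 3]);
    return str_pad((string)($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

final class TotpVerifier
{
    private string $secret;
    private int $step;
    private int $window;
    /** @var array<int,bool> counters already redeemed; a real app persists this per user */
    private array $usedCounters = [];

    public function __construct(string $base32Secret, int $step = 30, int $window = 1)
    {
        $this->secret = base32Decode($base32Secret);
        $this->step   = $step;
        $this->window = $window;   // accept +-1 step to tolerate small clock drift
    }

    // Returns true only for a code that matches the current step (or its
    // neighbours) and has not been accepted before.
    public function verify(string $code, int $now): bool
    {
        $current = intdiv($now, $this->step);
        for ($delta = -$this->window; $delta <= $this->window; $delta++) {
            $counter  = $current + $delta;
            $expected = totpCode($this->secret, $counter * $this->step, $this->step);
            if (hash_equals($expected, $code)) {          // constant-time comparison
                if (isset($this->usedCounters[$counter])) {
                    return false;                          // replay: this code was already used
                }
                $this->usedCounters[$counter] = true;
                return true;
            }
        }
        return false;
    }
}

// Constructed demo: the RFC 6238 reference secret "12345678901234567890",
// written as the base32 setup key an auth app would be given.
$secret   = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$verifier = new TotpVerifier($secret);
$code     = totpCode(base32Decode($secret), 59);   // the RFC's test time T = 59
var_dump($verifier->verify($code, 59));            // first use of the current code
var_dump($verifier->verify($code, 59));            // the same code a second time (replay)
var_dump($verifier->verify($code, 59 + 120));      // 120 s later: outside the +-1 step window
```

Two design points matter for a verifier like this: the comparison uses `hash_equals` so a wrong digit does not leak timing, and the accepted counter is recorded so that a code captured once (for example from a phishing page) cannot be replayed within its 30-second step. The RFC 6238 test vector for T = 59 with SHA-1 is 94287082; the 6-digit form this code produces is its last six digits.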
Here are some popular two-factor authentication applications:
- Authy (Android, iOS, macOS, Windows)
- Google Authenticator (Android, iOS)
- Microsoft Authenticator (Android, iOS)
- FreeOTP (Android, iOS)
Enabling TOTP for your account
- In the Panel, visit your user account, then select "Setup one-time codes" from the settings.
- Scan the QR Code shown in the dialog with your app of choice, or add the setup key manually in the app.
- Enter the code generated by your app into the code field and confirm with the "Activate" button.
From now on, whenever you log in, Kirby will ask you for a one‑time code from your auth app instead of sending you a 2FA code via email.
This option is only available if 2FA is enabled in the configuration.
Disable TOTP for your account
- In the Panel, visit your user account, then select "Disable one-time codes" from the settings.
- When prompted, fill in your password and confirm with the "Disable" button.
After this, you will receive 2FA codes via email again. If you want to disable 2FA for the site altogether, remove the 2FA option from the site configuration.
QR Code® is a registered trademark of DENSO WAVE INCORPORATED.