Bryn Whyman,

Multi-factor authentication has recently been released for both the SilverStripe CMS and CWP Dashboard, aimed at providing an additional layer of security for CMS Administrators, Content Editors, and Stack Managers. This additional level of protection follows security best practice, and will help to keep your account and Common Web Platform website safe from malicious attacks such as phishing or credential harvesting.

In addition to the introduction of multi-factor authentication, CMS Administrators will also note a number of improvements further supporting site security. 

In the following, we round up all the information you need to get started with MFA on the Common Web Platform, including:

  • How does multi-factor authentication work?
  • What verification services are supported by SilverStripe MFA?
  • Administrating MFA on your site
  • Introducing MFA to your stack on the CWP Dashboard
  • Introducing MFA to your site CMS
  • Additional CMS features
  • Developer documentation

If you’re a registered user of CWP, you can test drive the MFA module right now. Simply sign into your CWP Dashboard and register either an authentication app or a security key.

How does multi-factor authentication work?

Multi-factor authentication (MFA), sometimes referred to as two-factor authentication (2FA), is an extra layer of security, designed to be used alongside your traditional username/email and password login. By adding an additional verification step to the login process, you can prevent an unauthorised user from accessing your account, even if they know your username/email and password.

Unlike your username/email and password, which is something that only you know, MFA verification asks you to provide something that only you have, namely a physical device such as your phone or a USB device. Some multi-factor services take a more personal approach to verification, for example, requiring your fingerprint or face to authenticate your login. For more information, see the CERT NZ guide.

Setting up MFA in CWP

What verification services are supported by SilverStripe MFA?

SilverStripe MFA supports two popular verification methods: 

  • authenticator apps; and
  • security keys.


An authenticator app is installed on your phone and generates single-use passcodes, each of which is valid for only a short period of time. Common authenticator apps include Google Authenticator, Authy, and Microsoft Authenticator.
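To make the "single-use, short-lived passcode" behaviour concrete, here is an added example (not code from the SilverStripe MFA module or this article) implementing the standard TOTP algorithm (RFC 6238, 30-second steps, HMAC-SHA1) that authenticator apps use, together with a server-side verifier. The verifier tolerates one step of clock drift but refuses to accept a code for a time step it has already consumed. The secret and timestamps in the demo are the RFC's own published test values; the `window` size and the class/function names are this example's choices.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30   # seconds each passcode stays valid (RFC 6238 default)
DIGITS = 6       # passcode length shown by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def new_shared_secret() -> str:
    """Base32 secret to enrol in an authenticator app (160 bits, as RFC 4226 recommends)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


class TotpVerifier:
    """Server side of the check: tolerate `window` steps of clock drift in each
    direction, but never accept a time step that has already been used."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time-step counter consumed so far

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // TIME_STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # a code for this step was already accepted: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def verify_sequence(secret: bytes, attempts: list) -> list:
    """Run a series of (code, unix_time) attempts through one verifier, in order."""
    verifier = TotpVerifier(secret)
    return [verifier.verify(code, t) for code, t in attempts]


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); 59 s after the epoch
    # falls in time step 1, whose 8-digit code is 94287082 in the RFC's table.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8))
    # First use accepted, the same code 16 s later (same step) rejected,
    # then the code for the next step accepted.
    print(verify_sequence(rfc_secret, [("287082", 59), ("287082", 75), ("359152", 75)]))
```

The replay check is what makes the code "single-use": the app will happily display the same six digits for the whole 30-second step, so the server, not the app, has to remember which step it last accepted.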

A security key is a physical device, such as a USB key, that is activated during MFA verification by plugging the device into your computer or bringing the key within range of a compatible device that supports wireless communication (NFC). One popular security key is the YubiKey 5. The security key option is currently supported by the latest browser versions of Firefox, Chrome, and Edge.

Subsites and security key compatibility: If your stack includes subsites where the subsite CMS is accessed over a different website URL from your main site, the security key method will not work. In this case, you should use an authenticator app.

Administrating MFA on your site

The MFA module was designed to be easily managed by site CMS Administrators and Stack Managers. Functionality includes:

  • To ease the transition into MFA for your CMS or stack users, we’ve included a configurable ‘grace period’. This allows your users to skip the MFA registration steps until the grace period expires, at which point they’ll be required to set up MFA.
  • CMS Administrators will find a built-in report which tracks the uptake of MFA at a CMS user level.
  • If a user’s MFA method is unavailable, they have the ability to use private, single-use backup codes to access the CMS or Dashboard.
  • Should users require an account reset, there’s also a new elevated permission for CMS Administrators or Stack Managers, allowing the ability to send a ‘reset account’ email to users who’ve previously enabled MFA.
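The grace period and the single-use backup codes from the list above are both small pieces of server-side policy. The following added example (not the module's own code, whose internals this article does not describe) shows one straightforward way to implement each: a check that decides whether a user may still skip MFA enrolment, and backup codes that are shown to the user once, stored only as salted hashes, and rejected after their first use. The 14-day grace period, the assumption that the grace period is counted from the moment MFA was switched on for the site, and the code length are this example's own choices.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Length of the grace period during which users may still skip MFA enrolment.
# Assumed value for this example; the real module makes this configurable.
GRACE_PERIOD = timedelta(days=14)


def mfa_setup_required(mfa_enabled_on: datetime, now: datetime, has_mfa_method: bool,
                       grace: timedelta = GRACE_PERIOD) -> bool:
    """True when login must be blocked until the user registers an MFA method.
    `mfa_enabled_on` is when MFA was switched on for the site (assumed start of the grace period)."""
    if has_mfa_method:
        return False  # already enrolled: nothing to enforce
    return now >= mfa_enabled_on + grace


def _hash_code(code: str, salt: bytes) -> bytes:
    # A slow hash is cheap here (a handful of codes per user) and blunts offline guessing.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 20_000)


def generate_backup_codes(count: int = 10) -> tuple:
    """Create single-use backup codes. The plaintext list is shown to the user once;
    only salted hashes are stored, so a database leak does not expose usable codes."""
    plaintext, stored = [], []
    for _ in range(count):
        code = secrets.token_hex(5)  # 40 bits of entropy, 10 hex characters
        salt = secrets.token_bytes(16)
        plaintext.append(code)
        stored.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return plaintext, stored


def redeem_backup_code(stored: list, candidate: str) -> bool:
    """Accept a backup code once and mark it used; unknown or spent codes are rejected."""
    candidate = candidate.replace(" ", "").lower()  # tolerate how users type codes
    for entry in stored:
        if entry["used"]:
            continue
        if hmac.compare_digest(_hash_code(candidate, entry["salt"]), entry["hash"]):
            entry["used"] = True
            return True
    return False


def backup_code_lifecycle() -> list:
    """Generate codes, redeem one, try it again, try an unknown code, redeem another."""
    plaintext, stored = generate_backup_codes(3)
    return [
        redeem_backup_code(stored, plaintext[0]),          # True: first use
        redeem_backup_code(stored, plaintext[0].upper()),  # False: same code, already spent
        redeem_backup_code(stored, "0000000000"),          # False: not one of the codes
        redeem_backup_code(stored, plaintext[1]),          # True: a different, unused code
    ]


if __name__ == "__main__":
    enabled = datetime(2019, 8, 1)
    print(mfa_setup_required(enabled, datetime(2019, 8, 5), False))   # False: still in grace
    print(mfa_setup_required(enabled, datetime(2019, 8, 15), False))  # True: grace expired
    print(backup_code_lifecycle())
```

Marking a code as used, rather than deleting it, keeps a record that the administrator's MFA uptake report can draw on, and storing hashes rather than the codes themselves means the "private" property survives a leak of the member table.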

All of these actions and others are captured in a comprehensive guide for using MFA in the SilverStripe CMS user help.


Introducing MFA to your stack on the CWP Dashboard

The CWP Dashboard has been updated to offer multi-factor authentication. This gives all users of the CWP Dashboard a unified way to secure their account across multiple CWP services, such as the deployment dashboard, Gitlab, Graylog, and the Service Desk.

To get started, simply sign into your CWP Dashboard and register either an authentication app or a security key.

Introducing MFA to your site CMS

To get started with MFA for your site CMS, we recommend initially formulating a plan with your Digital Agency or Developer, including its installation, testing, and release. 

In order to add MFA to the login process for your site CMS, you will need to have the opt-in module installed. This can be installed on sites running the latest version of each CWP major release.

For CWP 2, we recommend that your site is running at least CWP 2.4, although it’s possible to be compatible with your site’s custom code down to version CWP 2.0. For CWP 1, your site is required to be running the latest version of CWP 1.9.x before installing MFA functionality.

Talk to your Digital Agency or Developer about installing MFA for your site CMS. If you’ve not got an Agency or Developer, feel free to get in touch with the CWP Service Desk.

Additional CMS features

Once installed, MFA also supports your site security in a number of other ways. 

Redesigned login form

The look and feel of a site’s login form is often forgotten. We were also conscious of maintaining some consistency in styling between the new MFA login form and any existing login screens. So, we introduced a generic SilverStripe login screen that can be styled with your site name and a custom logo. 

Sudo mode

With the introduction of CMS permissions to manage MFA on a site, we’ve introduced ‘sudo mode’ for some actions, requiring a user to re-enter their password before the action is carried out, so that an already signed-in session cannot be misused to perform them.
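The pattern behind sudo mode is a short-lived elevation attached to the session: the password re-entry does not create a new login, it only unlocks sensitive actions for a limited time. The following is an added example of that pattern (not the SilverStripe implementation; the 15-minute lifetime, the in-memory `Session` class and the `remove_user_mfa` action are constructed for illustration).

```python
import hashlib
import hmac
import secrets

SUDO_TTL = 15 * 60  # seconds an elevated session lasts; assumed value for this example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class Session:
    """A signed-in session. Sensitive actions additionally require a recent password re-entry."""

    def __init__(self, password: str):
        # Stand-in for the stored user record; a real system looks this up, not creates it.
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.sudo_until = 0.0  # no elevation until the password is re-entered

    def enter_sudo_mode(self, password: str, now: float) -> bool:
        """Re-check the password; on success, elevate the session until now + SUDO_TTL."""
        if hmac.compare_digest(hash_password(password, self.salt), self.password_hash):
            self.sudo_until = now + SUDO_TTL
            return True
        return False

    def in_sudo_mode(self, now: float) -> bool:
        return now < self.sudo_until


def remove_user_mfa(session: Session, now: float) -> bool:
    """Example privileged action: only proceeds inside sudo mode."""
    if not session.in_sudo_mode(now):
        return False  # the caller should redirect to the password re-entry prompt
    # ... perform the MFA reset here ...
    return True


def sudo_timeline(password: str) -> list:
    """Exercise the control against a fixed clock (constructed timestamps)."""
    s = Session(password)
    t0 = 1_000_000.0
    return [
        remove_user_mfa(s, t0),                   # False: not elevated yet
        s.enter_sudo_mode("wrong-password", t0),  # False: wrong password
        remove_user_mfa(s, t0),                   # False: still not elevated
        s.enter_sudo_mode(password, t0),          # True: elevated
        remove_user_mfa(s, t0 + 60),              # True: within the lifetime
        remove_user_mfa(s, t0 + SUDO_TTL + 1),    # False: elevation expired
    ]


if __name__ == "__main__":
    print(sudo_timeline("correct-password"))
```

Keeping the elevation short means a CMS tab left open on an unattended machine cannot be used to strip another user's MFA without knowing the password, while normal editing work is not interrupted.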


Requesting a password change for users

We’ve improved the process to request a password change for users. Previously, if an Administrator needed to change a user’s password, they first had to define the new password, and then find a secure way of sending it to the user. 

Now, the security section includes a simple checkbox requiring the user to enter a temporary password upon their next login, and also the ability for an Administrator to send an account reset email to the user.


Developer documentation

To read about the installation steps of the MFA module and additional authentication modules, head to the SilverStripe Addons site.

Note that CWP environments are pre-prepared with the environment variables required for authenticator app/TOTP installation and will not require you to set this up for UAT and production environments.

If you're working with a stack that includes subsites, you’ll need to make sure that you’re running subsites version 2.3.1 or later. Due to some dependency requirements, composer will refuse to install MFA alongside earlier versions of subsites.

Try the MFA module now

If you’re a registered user of CWP, you can test drive the MFA module right now. Simply sign into your CWP Dashboard and register either an authentication app or a security key.
