Multi-factor authentication now available for Silverstripe CMS and Cloud

Multi-factor authentication has recently been released for both the Silverstripe CMS and Silverstripe Cloud, aimed at providing an extra layer of security for CMS Administrators, Content Editors, and Stack Managers.

This additional level of protection follows security best practice, and will help to keep your account and Silverstripe CMS website safe from malicious attacks such as phishing or credential harvesting. In addition to the introduction of multi-factor authentication, CMS Administrators will also note a number of improvements further supporting site security. 

In the following, we round up all the information you need to get started with MFA on Silverstripe, including:

• How does multi-factor authentication work?
• What verification services are supported by Silverstripe MFA?
• Administrating MFA on your site
• Introducing MFA to your stack on Silverstripe Cloud
• Introducing MFA to your site CMS
• Additional CMS features
• Developer documentation

If you’re a registered user of Silverstripe Cloud, you can test drive the MFA module right now. Simply sign into your Silverstripe Cloud dashboard and register either an authentication app or a security key. 

How does multi-factor authentication work?

Multi-factor authentication (MFA), sometimes referred to as two-factor authentication (2FA), is an extra layer of security, designed to be used alongside your traditional username/email and password login. By adding an additional verification step to the login process, you can prevent an unauthorised user from accessing your account, even if they know your username/email and password.

Unlike your password, which is something that only you know, MFA verification asks you to provide something that only you have, namely a physical device such as your phone or a USB device. Some multi-factor services take a more personal approach to verification, for example, requiring your fingerprint or face to authenticate your login.

Setting up multi-factor authentication

What verification services are supported by Silverstripe MFA?

Silverstripe MFA supports two popular verification methods: 

• authenticator apps (via TOTP) and;
• security keys (via WebAuthn).

Selecting an authentication method

An authenticator app is installed on your phone, and generates single-use passcodes, each of which is only usable for only a short period of time. Common authenticator apps include Google Authenticator, Authy, and Microsoft Authenticator.

A security key is a physical device, such as a USB key, that is activated during MFA verification by plugging the device into your computer or bringing the key within range of a compatible device that supports wireless communication (NFC). One popular security key is the YubiKey 5. The security key option is currently supported by the latest browser versions of Firefox, Chrome, and Edge. 

Subsites and security key compatibility: If your project includes subsites where the subsite CMS is accessed over a different website URL from your main site, the security key method will not work. In this case, you should use an authenticator app.

Administrating MFA on your site

The MFA module was designed to be easily managed by site CMS Administrators and Stack Managers using the Silverstripe Cloud Platform. Functionality includes:

• To ease the transition into MFA for your CMS or Silverstripe Cloud users, we’ve included a configurable ‘grace period’. This allows your users to skip the MFA registration steps until the grace period expires, at which point they’ll be required to set up MFA.
• CMS Administrators will find a built-in report which tracks the uptake of MFA at a CMS user level.
• If a user’s MFA method is unavailable, they have the ability to use private, single-use backup codes to access the CMS or Silverstripe Cloud dashboard.
• Should users require an account reset, there’s also a new elevated permission for CMS Administrators or Stack Managers using the Silverstripe Cloud, allowing the ability to send a ‘reset account’ email to users who’ve previously enabled MFA.

All of these actions and others are captured in a comprehensive guide for using MFA in the Silverstripe CMS user help.

Configuring a grace period to transition into MFA

Introducing MFA to your stack on Silverstripe Cloud

The Silverstripe Cloud dashboard has been updated to offer multi-factor authentication. This gives all users of the dashboard a unified way to secure their account across multiple Silverstripe services, such as the deployment dashboard, Gitlab, and Graylog. 

To get started, simply sign into the Silverstripe Cloud dashboard and follow the prompts to register either an authentication app or a security key.

Introducing MFA to your site CMS

In order to add MFA to the login process for your site CMS, you will need to have the MFA module installed, along with at least one of the authenticator modules (TOTP or WebAuthn). This can be installed on sites running the latest version of each Silverstripe CMS major release. 

For Silverstripe CMS 4, we recommend that your site is running at least Silverstripe CMS version 4.4, although the MFA module is compatible with Silverstripe CMS version 4.1 or later. For Silverstripe CMS 3 projects, your site is required to be running the latest version of 3.7.x before installing MFA functionality.

Talk to your Digital Agency or Developer about installing MFA for your site CMS. If you don’t have an Agency or Developer, check out the Silverstripe Professional Partner directory.

Additional CMS features

Once installed, MFA also supports the security of your site in a number of other ways. 

Redesigned login form

The look and feel of a site’s login form is often forgotten. We were also conscious of maintaining some consistency in styling between the new MFA login form and any existing login screens. So, we introduced a generic Silverstripe CMS login screen that can be styled with your site name or a custom logo. 

Sudo mode

With the introduction of CMS permissions to manage MFA on a site, we’ve introduced ‘sudo mode’ for some actions, requiring a user to re-enter their password to avoid any malicious actions.

Configuring sudo mode

Requesting a password change for users

We’ve improved the process to request a password change for users. Previously, if an Administrator needed to change a user’s password, they first had to define the new password, and then find a secure way of sending it to the user. 

Now, the security section includes a simple checkbox requiring the user to change their password upon their next login, and also the ability for an Administrator to send an account reset email to the user.

Sending an account reset email

Developer documentation

To read about the installation steps of the MFA module and additional authentication modules, head to the Silverstripe CMS addons site.

If you're working with a stack that includes the Subsites module, you’ll need to make sure that you’re running Subsites version 2.3.1 or later on Silverstripe CMS 4, and Subsites version 1.4.2 on Silverstripe CMS 3. Due to some dependency requirements, Composer will refuse to install MFA alongside earlier versions of Subsites.

Try the MFA module now

If you’re a registered user of Silverstripe Cloud, you can test drive the MFA module right now. Simply sign into your Silverstripe Cloud dashboard and register either an authentication app or a security key.

Hosting your project on Silverstripe Cloud allows you to prioritise security when managing projects. Contact the Silverstripe team or click below to learn more about Silverstripe Cloud.