Securing Logins with Two Factor Authentication

DuoCMS is used on numerous membership organisation websites. It’s therefore important users have the ability to secure their accounts beyond just using a password.

We’ve recently added TOTP authentication to both DuoCMS7 and DuoCMS8 to allow users to add a one time passcode to their accounts.

How TOTP Works

A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors. Time-based one-time passwords are commonly used for two-factor authentication (2FA) and have seen growing adoption by cloud application providers.

The setup process for the user is to :

  • Download an authenticator app to their phone, Microsoft and Google both offer popular free apps for this purpose.

  • Click to enable 2FA within the DuoCMS Admin Panel

  • Use the app to take a photo of a QR code on screen

  • Then enter the code returned in the authenticator app, to confirm the code works

Once complete, all future logins will add an additional step, after asking for your username and password, they’ll  also ask for the code currently displayed in the app. The code changes every 60 seconds so unlike password can’t be noted down by someone looking over your shoulder.

With this added factor, anyone logging into your account needs to know both your password and have access to your phone.

Using OAuth

In addition to TOTP, we have also added another oAuth provider - “Login with Microsoft”.

Logging in via an oAuth provider allows you to access your account without using a username or password. You simple click the button and the provider of choice tells us who you are. If you have an account we log you in.

The recently added “Login with Microsoft” oAuth option, validates your accounts email address with Microsoft before logging your in. If you’re commonly logged in with Microsoft, ie if you’re using online outlook, the Microsoft Edge browser or any other online Microsoft services, logging in can be a single click. This option is in addition to the “Login with Google” option, which has been present since CMS7. The Microsoft option is only available in DuoCMS8.

What’s Next?

We’re constantly looking for improved ways to allow our customers to access their website in as secure and easy to use ways as possible. We are very excited about the developments in the passkey technology which is being rolled out by Apple and Google and we’ll be ready to implement it once it reaches maturity. At the moment there is a little too much vendor lock in regarding who stores the passkeys. Hopefully that will be ironed out soon and logging into your website may just require a fingerprint or face id without any need to remember any passwords.

This site uses cookies that enable us to make improvements, provide relevant content, and for analytics purposes. For more details, see our Cookie Policy. By clicking Accept, you consent to our use of cookies by us and third party code embedded within this site. To change your consent, click the "Update Cookie Consent" link at the bottom of the webpage at any time.