Yubico Forum


All times are UTC + 1 hour




PostPosted: Sat Apr 25, 2015 5:15 pm 
Hello,
I just received my yubikey neo some days ago and tried to use it today. The demo page "demo.yubico.com/start/u2f" appears to work correctly.
However, trying to activate it for the joomla 3 administrator page hasn't succeeded yet. I've googled and searched the forum but couldn't find a working solution yet.
My approach:
- installing the chrome plugin requested on the U2F demo page.
- running the U2F demo page (works).
- Logging in as admin to the joomla backend.
- enabling "Two Factor Authentication - Yubikey"
- disabling "Authentication - Joomla", "Authentication Gmail", "Authentication Cookie", "Authentication - LDAP" and "Two Factor Authentication - Google Authenticator"
- opening the user manager "Two Factor Authentication" tab
- Choosing "Yubikey"
- clicking on the "Security Code" textfield
- pushing the Yubikey touch area on the USB stick for ca 1 second.
- clicking on the save button.

The browser then hangs on a white page forever. When, after a while, I try to manually reload the page, I get an error message on the screen:
"Error
You did not enter a valid YubiKey secret code or the YubiCloud servers are unreachable at this time."

and when logging out of joomla and trying to log back in I get this error message:
"Warning
JAuthentication: :__construct: Could not load authentication libraries."

The only way to fix it is to re-enable joomla authentication in mysql.

Now, I guess that this is a joomla related question. But I'm not 100% sure, so I thought I'd start by asking here whether I've done the procedure correctly or if I'm missing something. There are several user guides on the web and I tried to follow them, but none made the login work correctly.

My setup:
Windows 8.1
Google chrome Version 42.0.2311.90 m
Joomla 3.4.1 (running on Centos 7.1)
Port 80 and 443 are open and routed to the webserver and the iptables are opened for these two ports. (not sure if 443 is really needed).
The administrator page is limited to some IP addresses. However I'm testing from a system with a valid IP.

Appreciate any suggestions.

Kind Regards,

Gery


Last edited by crashdog on Sun Apr 26, 2015 7:49 pm, edited 1 time in total.

 Post subject: Re: Joomla 3 and yubikey
PostPosted: Sat Apr 25, 2015 6:13 pm 
crashdog wrote:
Hello,
I just received my yubikey neo some days ago and tried to use it today. The demo page "demo.yubico.com/start/u2f" appears to work correctly.
However, trying to activate it for the joomla 3 administrator page hasn't succeeded yet. I've googled and searched the forum but couldn't find a working solution yet.
My approach:
- installing the chrome plugin requested on the U2F demo page.
- running the U2F demo page (works).
- Logging in as admin to the joomla backend.
- enabling "Two Factor Authentication - Yubikey"
- disabling "Authentication - Joomla", "Authentication Gmail", "Authentication Cookie", "Authentication - LDAP" and "Two Factor Authentication - Google Authenticator"
- opening the user manager "Two Factor Authentication" tab
- Choosing "Yubikey"
- clicking on the "Security Code" textfield
- pushing the Yubikey touch area on the USB stick for ca 1 second.
- clicking on the save button.

The browser then hangs on a white page forever. When, after a while, I try to manually reload the page, I get an error message on the screen:
"Error
You did not enter a valid YubiKey secret code or the YubiCloud servers are unreachable at this time."

and when logging out of joomla and trying to log back in I get this error message:
"Warning
JAuthentication: :__construct: Could not load authentication libraries."

The only way to fix it is to re-enable joomla authentication in mysql.


Haven't worked in Joomla since the 1.x days... my life is pretty much 100% Drupal... but I'll take a stab. I'm cribbing from this blog post, which seems fairly current.

First... My understanding (and, again, more knowledgeable Joomla people can help me out) is that the normal YubiKey Two Factor Authentication in Joomla uses the classic YubiKey One Time Password (Classic OTP) codes. Classic OTP codes look like "cccjgjgkhcbbirdrfdnlnghhfgrtnnlgedjlftrbdeut". This is not Fido U2F. I think there are Fido U2F modules out there in beta, but the normal Joomla one is Classic OTP. Your description leads me to think you're dealing with the Classic OTP in Joomla.

Your Neo does both U2F and classic OTP (and much more). Verify the classic mode here.

Second... the YubiKey is (almost always) a "second factor in authentication", not an authentication system in itself. You'll still normally have a name and password... the YubiKey is additional. You probably will want to leave "Authentication - Joomla" on (and probably "Authentication cookie" too). It is conceivable to set up an authentication system where you don't type in any username or password... the YubiKey is the only method of authentication. This is almost certainly not what you are wanting and is probably not something the Joomla module allows.

Third, if you do go the YubiKey Classic OTP route with validation by Yubico's free validation service (which is probably what you're looking for), you'll have one more step. You need to request an "API ID/Secret Key" from Yubico. This is just a key to verify that you aren't using their validation service maliciously. You'll probably have to copy the API ID/Key you get from Yubico into your Joomla setup (Plugin Manager > Authentication - Yubikey ???).

One advantage of Classic OTP over Fido U2F... it will work on any system (since it's just emulating a USB keyboard), not just Chrome with the plugin. In a few years I expect the newer Fido 2FA to be very common in Joomla/Drupal/WordPress installs (and work in more browsers), but nothing is wrong with using the classic OTP for now.
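
As an added illustration of the API ID/secret key step described in the reply above (not part of the original thread, and not Joomla's plugin code): a sketch of how a client checks a Classic OTP validation reply, assuming the HMAC-SHA1 signing scheme of Yubico's validation protocol 2.0. The API key, nonce and server reply are constructed; the OTP is the sample string quoted in the post.

```python
import base64
import hashlib
import hmac
import re

# Modhex is the 16-letter alphabet a YubiKey "types" for Classic OTP.
OTP_RE = re.compile(r"[cbdefghijklnrtuv]{32,48}")

API_KEY_B64 = base64.b64encode(b"constructed-demo-key").decode()  # constructed, not a real key
SAMPLE_OTP = "cccjgjgkhcbbirdrfdnlnghhfgrtnnlgedjlftrbdeut"  # sample OTP quoted in the post
SAMPLE_NONCE = "constructednonce0123456789"  # constructed


def is_classic_otp(value):
    """True if the field content has the shape of a Classic OTP."""
    return OTP_RE.fullmatch(value) is not None


def sign(params, api_key_b64):
    """HMAC-SHA1 over the alphabetically sorted key=value pairs, base64-encoded."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params))
    key = base64.b64decode(api_key_b64)
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha1).digest()).decode()


def check_response(body, otp, nonce, api_key_b64):
    """Return the server status only if signature, OTP and nonce all check out.

    Values starting with "local:" are this example's own verdicts, not server statuses.
    """
    fields = dict(line.strip().split("=", 1) for line in body.splitlines() if "=" in line)
    claimed = fields.pop("h", "")
    if not hmac.compare_digest(claimed, sign(fields, api_key_b64)):
        return "local:signature-invalid"
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return "local:response-not-for-this-request"
    return fields.get("status", "local:no-status")


def sample_response(status, nonce=SAMPLE_NONCE):
    """Constructed stand-in for a validation-server reply, signed with the demo key."""
    fields = {"otp": SAMPLE_OTP, "nonce": nonce, "status": status,
              "t": "2015-04-26T18:52:00Z0123"}
    return "\n".join([f"h={sign(fields, API_KEY_B64)}"] + [f"{k}={v}" for k, v in fields.items()])


if __name__ == "__main__":
    print(check_response(sample_response("OK"), SAMPLE_OTP, SAMPLE_NONCE, API_KEY_B64))
```

A reply whose status line was altered in transit fails the signature check, and a correctly signed reply carrying a different nonce is rejected as belonging to another request.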


 Post subject: Re: Joomla 3 and yubikey
PostPosted: Sun Apr 26, 2015 12:51 pm 
Hello,
Thank you for those hints.
Yes, you're right, it's classic OTP that I'm using, not U2F. I wasn't aware of the difference. I've looked at and tried the "http://www.dart-creations.com/joomla/joomla-tutorials/enabling-and-using-joomla-two-factor-authentication.html" how-to. It's a bit confusing as this appears to be aimed at joomla 2.5 users that don't have native support for the Yubikey. Following that description gives me a "404 component not found" when trying to open the "Yubikey Authentification" from the component menu, even though I got "installation successful" from the install manager. The plugin is also enabled and correctly configured with the API ID and secret key.
From what I understand the "Yubikey plugins" take over the functionality of handling all login (also default, non-OTP etc.) and the default Joomla authentication should therefore be disabled (Step 8 in the blog how-to above).

To summarise my situation:
-> When trying the Joomla 3 built-in "Two Factor Authentication - Yubikey" plugin, it hangs when trying to save the user after entering the security code.
-> When trying the google plugin and component https://code.google.com/p/joomla-yubikey-authentication/downloads/list, I can enter the API ID and secret key but get an error 404 when trying to access the component.
-> Also tried following these instructions https://www.youtube.com/watch?v=Uur6HMDbAnc , http://www.joomlablogger.net/joomla-tutorials/joomla-core-tutorials/two-factor-authentication-joomla-yubikey

Regards,
Gery


PostPosted: Sun Apr 26, 2015 7:52 pm 
OK, the issue was that the PHP mcrypt module was missing in my Centos 7 LAMP installation.

-> For this case:
-> sudo yum install php-mcrypt -y
-> alter php.ini to include extension=mcrypt.so
-> systemctl restart httpd
-> Proceed in joomla as described in the user guides above to enable two way authentication.

Cheers,

Gery

