See also: PluginTOTP



Two-Factor Authentication (2FA) is a security mechanism that requires users to provide two different authentication factors to verify their identity. This significantly enhances security by adding an extra layer of protection beyond just a password.

Starting with Tiki 21, 2FA was introduced to strengthen the security of user accounts during authentication. Because the codes are generated by an authenticator app rather than delivered by SMS, it also helps to protect against SIM swap scams.

Tiki uses pragmarx/google2fa, a PHP implementation of two widely used open standards for generating one-time passwords (OTPs) in 2FA systems:

TOTP (Time-based One-time Password): open standard documented in RFC 6238.

TOTP generates a one-time password using a secret key and the current timestamp.

  • Algorithm: Based on HOTP
  • Input: Secret key + Current timestamp
  • Output: 6–8 digit numeric code
  • Validity: Typically 30 seconds
  • Use Case: Real-time applications requiring immediate validation


HOTP (HMAC-based One-time Password): open standard documented in RFC 4226.

HOTP generates a one-time password using a secret key and a counter.

  • Algorithm: Based on HMAC-SHA1
  • Input: Secret key + Counter value
  • Output: 6–8 digit numeric code
  • Validity: Until used (not time-dependent)
  • Use Case: Ideal for systems where time synchronization is not critical or possible


Tiki primarily uses TOTP, which offers several advantages:

  1. Enhanced Security: Protects against unauthorized access even if passwords are compromised.
  2. Flexibility: The time-based nature limits the window in which a code can be reused.
  3. Cross-Platform Compatibility: Supported by a wide range of devices and applications, all implementing the same open standard.
  4. User-Friendly: Easy to set up with any TOTP-compatible authenticator app.
  5. Compliance: Helps meet regulatory requirements for secure authentication.
  6. You can even use another Tiki instance via PluginTOTP.

(Screenshot: Two Factor Authentication Steps)


Choosing an authenticator app


Because TOTP and HOTP are open standards (not proprietary protocols), any compliant authenticator app will work with Tiki. There are many options available across platforms, including several that are free and open source:

| App | Platform | License |
| --- | --- | --- |
| Aegis Authenticator | Android | Free/Open Source |
| FreeOTP+ | Android | Free/Open Source |
| Authenticator Pro | Android | Free/Open Source |
| Raivo OTP | iOS | Free/Open Source |
| Bitwarden Authenticator | Android/iOS | Free |
| Ente Auth | Android, iOS, Desktop | Free/Open Source |
| 2FAS | Android/iOS | Free |


For a more complete comparison, see the Wikipedia list of OTP applications. Any application that implements RFC 6238 (TOTP) will work.


Steps


Step 1: Enable the "Allow users to use 2FA" option in the "Log In" feature. Go to Settings > Control Panels > Log In > General Preferences tab (https://example.com/tiki-admin.php?page=login#contentadmin_login-1) with "Preference Filters" set to Advanced.

(Screenshot: Allow users to use 2FA)


Step 2: Install a TOTP-compatible authenticator app on your mobile device. Any app implementing the TOTP standard (RFC 6238) will work. See the "suggested apps" above to pick the one that suits you.

Step 3: Check the "Enable two-factor authentication" option in User Preferences > Account Information tab and click "Save changes". Note that your current password is required to make changes.

At this step, you need to link Tiki with your authenticator app by scanning the QR Code generated on the User Preferences page. Click "Show QRCode" to display it, then scan it using your chosen authenticator app.

(Screenshot: Tiki Enable two-factor authentication)


Step 4: When logging in, open your authenticator app, read the current 6-digit code it displays, and enter it in the "Two-factor Authenticator Code" field on the Tiki login page.

(Screenshot: Tiki Two Factor Authentication Login)



By implementing standardized open algorithms like TOTP and HOTP, Tiki's 2FA support remains interoperable with any compliant client application, giving users full freedom of choice over which software they run on their own devices.



- Original commit: http://sourceforge.net/p/tikiwiki/code/70793
