Submitted by Chris McIntosh on October 6, 2020

Nowadays, security is vital to anything that we do especially on the internet where information and data can be snatched or hacked in a second, and the Drupal community is very keen on that matter. So they created a web security module to make sure a website built in Drupal is secured and can't be hacked easily. One of these modules is the Two-factor Authentication or TFA.


What is TFA? Two-Factor Authentication is a second layer of security to help protect an account or system from unauthorized users. Users must go through two layers of security before being granted access to an account or system.


How does TFA work? So once all dependent modules and TFA are integrated. Users will be asked 6 digit code after logging in. Usually, the 6 digit code will appear on an authenticator app and then once you got the 6 digit code you can now enter the code on the application verification box that will show up on your screen.


Now that we know what Two-Factor Authentication does and what it is. Next we will discuss a detailed process of how we can achieve Two-Factor Authentication in a Drupal 8 website using one of its new TFA contributed modules that connects to Google authenticator App.  


So before installing TFA in your Drupal website, first you need to install dependent modules and configure them. Here are the modules you need to install first.

  1. encrypt module

  2. real_aes and key module

  3. TFA module and ga_login module


We got all the modules needed. So next are the steps on how to install and configure it.


Step 1 – install the encrypt module.


Real aes module has a dependency on the encrypt module. So first, we have to install the encrypt module. Underneath the photo is the link where you can download the Encrypt module.


Step 2 –install and configure real_aes and key module.


After installing the Encrypt module, the next step is configuring the Encryption module real_aes and key module. 


Some encryption method modules require both to use Key and Encrypt Modules. 


Encryption Method – [Real AES](

Key module(

Once the Key and Encryption method module is installed, then enable both key and RealAES module. 


Real RES module needs a Defuse PHP-Encryption library, so you have to install this module using the below composer command.

  • composer requires drupal/real_aes


Next, we are going to generate an encryption key using the command prompt. This is needed in the key configuration window.

  • Configuration -> System->keys


Generate a base64 key in the command line


Use below command in Linux.

  • dd if=/dev/urandombs=32 count=1 | base64 -i - > /var/www/html/your_project/encrypt.key


Visit the Keys module's configuration page and click "Add Key."


Provide information below




Next step is to define encryption profiles. The encrypt modules allow you to define encryption profiles that can be used again throughout the website. Now that we installed the encryption module so next is to navigate on how to edit the encryption profile.


Configuration ->system->encryption profile


Click on "Add Encryption Profile"



Fill the below details.

  • Label your Encryption Profile

  • Encryption method: "Authenticated AES (Real AES)" – or the encryption method of your choice.

  • Encryption Key: Select the Key you created in the previous step.

  • Save

Next step is to install the TFA module.


Step 3 – install and configure TFA module and ga_login module.


First, is you need to download the TFA module from the link below.

Next is you need to install the Google authenticator module. Check the link below.


The TFA or Two-Factor Authentication module has multiple PHP library dependencies on it. See below the dependencies.

  • “chillerlan/php-qrcode”: “1.0.8”,

  • “christian-riesen/otp”: “2.*”


So use composer to install this module and use below composer command.

  • composer require drupal/ga_login

Then enable this module.


After installing all the required modules, Next is you need to configure the TFA module.

Navigate to TFA configuration under configuration-> People and select Enable TFA for account authentication.


Done with Enable TFA for account authentication, Next step is you need to select the Encryption profile you created in the previous step and don't change the values of it.



 If you selected the role to set up TFA of their account, users could set up Two-Factor Authentication through their security tab of the profile page.




Clicking on the link redirect to the page below where you have to provide your current password.

Next page, you can see the QR code.



Download Gooogle authenticator App from App Store.

Play store link

Apple app store link

Click on the '+' button and scan QR code. Then the authenticator app will provide a 6 digit verification code that you can provide in the above application verification code field.


Click Verify and Save, and you can see the success message and list of recovery codes.



Now that everything is set-up, next is you will test it by logging out and logging in again using Two-Factor Auth.


Log-in using your user details and after clicking the log-in button, the system will ask for a verification code which you need to open your Google Authenticator App to get the 6 digit code.




After clicking on the verify system will redirect to the admin screen.



So everything is set-up now and tested the functionality of TFA. A quick tip about your Google authenticator app. you can add multiple accounts on it. Also, the 6 digit code that will appear in the App keeps on changing with 3-4 seconds. If you need help on migrating or developing a website, Wembassy is here to help you. Feel free to send us a message thru our website.