Two-Factor Login Security

Developed by

Version 9 Ready!

Multi-Site Licensing

To obtain a multi-site license you must negotiate a special offer with mnakalay, the developer of Two-Factor Login Security.

Click below to send a private message and begin the process. You may need to sign in to before you can message this user.

Send Message
When a customer has concerns over login security, I immediately point them at Two-Factor Login Security (this addon)…


Protect all your critical accounts on Concrete5 websites even if someone knows or steals your password.

It’s like Cinderella’s slipper. She can give her name and confirm where she was before midnight, but it’s only when the slipper fits that Prince Charming knows she’s for real — Nick Asbury.

PHP 8 ready!

Now fully translated in Japanese thanks to Katz515 (Katz Ueno, Chief Communications Officer at Concrete5 Japan)

Many thanks to him.

Here's the idea

Put simply, this extra layer makes it almost impossible to hack your account because it requires 2 things:

  • 1 thing you know: your password
  • 1 thing you have: your mobile phone
It's the same type of protection you have when you use your bank card in an ATM, you need something you know (your PIN) and something you have (your card)
Except with Two-Step Authentication, your phone is way smarter and more secure than your bank card :)

This is how it works

  1. You install Authy or the Google Authenticator app or any other 2FA app on your phone
  2. You set up Two-Factor Login Security on your website and activate it for any accounts you want to protect (I suggest Admin, for a start)
  3. You get your Secret Key in your 2FA app on your phone (easily with a scannable QR Code)
  4. Next time you want to login to your site you'll be asked for your usual username and password
  5. If that checks correctly, you'll be asked for a 2FA key as a second step

How is this more secure?

I can hear you think: but it sounds like I now have 2 passwords instead of 1. How is this more secure?

The difference is 2FA codes have a very short period of validity. Less than 2 minutes. They can't be guessed because there's no time to guess them.

To be clear, to hack your account, one would have to obtain:

  1. Your username (easy)
  2. Your password (time-consuming but easy)
  3. Your mobile phone (hopefully you're being careful with that)
  4. Your phone unlocking password or pattern (again be careful)

Who is this for?

  • Anyone who wants to keep control of their website should use Two-Step security for admin accounts
  • Sites where users are given specific roles such as Editor, File Manager... should protect these accounts
  • Any sites where users have accounts with sensitive data (e-Commerce websites, schools, job boards...) should build trust with their clients by protecting their accounts
  • Anybody who's already activated Two-Factor Authentication on their email and social accounts (Gmail, Facebook...) knows how important it is and should do the same with their website
Current Version: 2.1.4
Fully Translatable: Yes
Needs External Libraries: No
License: Standard
Support Response: Replies to tickets every few days.
Support Hosted: On
Needs extra server permissions: No
Needs Internet: No
Marketplace Tests:
Passed Automated Tests
Passed PRB Review