Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

drupal-mfa

5 sites No security coverage
View on drupal.org

This module provides two-factor and multi-factor authentication for Drupal using FIDO2/WebAuthn security keys and TOTP authenticator apps. Users can register hardware security keys, platform authenticators, passkeys, and authenticator apps for a secure login experience.

Description

Provides FIDO2/WebAuthn security key and TOTP authenticator app
support for two-factor (2FA) and multi-factor (MFA) authentication in Drupal.

Users can register hardware security keys (YubiKey, SoloKey, etc.), platform authenticators (Windows
Hello, Touch ID, Android biometrics), passkeys, and TOTP authenticator apps (Google Authenticator,
andOTP, FreeOTP, Aegis, etc.).

Features

  • WebAuthn/FIDO2 — register and authenticate with hardware security keys, platform
    authenticators, and passkeys
  • TOTP — set up authenticator apps with QR code provisioning
  • 2FA mode — any single configured method clears the gate
  • MFA mode — require all configured methods (e.g. both a security key and
    authenticator app)
  • Per-user toggle — users choose whether to enable 2FA (when policy is
    "optional")
  • Admin policy — set 2FA as optional or required for all users
  • 2FA gate — event subscriber blocks access to the site until verification is
    complete
  • Self-service management — users manage their own keys and TOTP at
    /user/{uid}/security-keys
  • Clone detection — flags authenticators with sign counter anomalies

Requirements

  • Drupal 9.2+ (compatible with Drupal 10 and 11)
  • PHP 7.4+
  • HTTPS (required by the WebAuthn browser API)

Installation

composer require drupal-mfa
  drush en webauthn

Configuration

  1. Go to /admin/config/people/webauthn
  2. Set Relying Party ID to your domain (e.g. example.com)
  3. Set Relying Party Name (shown in authenticator prompts)
  4. Choose Policy: optional or required
  5. Choose Verification Mode: any (2FA) or all (MFA)

Libraries

Activity

Total releases
2
First release
Feb 2026
Latest release
4 months ago
Releases (12 mo)
2 ▲ from 0
Maintenance
Active

Releases

Version Type Release date
1.0.1 Stable Feb 23, 2026
1.0.x-dev Dev Feb 23, 2026