How to add Google Authenticator two-factor auth to your Drupal instanance

Sleep better by adding an extra layer of security to your Drupal site by applying the Google Authenticator module to your site:

  1. Download it here and install it into your modules directory as normal, and enable it (it’s called GA Login in the GUI module list).  If you use drush, just run “drush dl ga_login && drush en -y ga_login
  2. Check out the configuration screen at /admin/config/people/ga_login.  You can adjust the realm name or account suffix to change how it will appear in your Google Authenticator app.  It’s probably fine as is.  You can also adjust the skew for the time or HMAC-based authentication methods.  Basically, this adjusts how much leeway GA will give you in terms of submitting your code.  The default is 10, and should be fine.  Check the box to force uid 1 to log in with two-factor auth as well – this will force your primary admin account to use GA as well.  Then save your configuration.
  3. Now visit your user page at /user and click the GA Login tab.  Click the Get Started tab to get your authenticator URL.  Select the method you want GA to use – I just go with the time-based default – and click Create Code.  On the following page you’ll see a URL, account name and key, which you can manually plug into your GA mobile app to configure it for your site, or you can simply scan the URL embodied in the QR code you’ll see (easier!).
  4. After you have configured your mobile app, be sure to check the “I have successfully scanned the current code” checkbox and click Use This Code to finalize your settings in Drupal.

At this point if you log out, you should be challenged with an additional field on your login screen, labeled Code.  You’ll need to fire up your Google Authenticator app and enter the current code along with your login and password to get in.

Fear not!  If something terrible happens, you can always disable the ga_login module to get in with simply your username and password.  To do this with drush, run drush dis ga_login.

Google maintains a list of mobile apps you can use to run the authenticator here: