Two Factor Authentication (2FA) on Standfirst

Two factor authentication is an important security measure

Starting from August 2023, we've been rolling out 2FA to our client Standfirst sites for all privileged users: admins, site owners, and editors.

You can optionally enforce this for all users at any level.

By default, when two factor authentication is activated, your email account is used as the second factor. You log in as usual with your user ID/email and password; the system then emails you a six-digit code and asks you to enter it. The platform also supports the TOTP (Time-based One-Time Password) standard, so you can use apps such as Google Authenticator, Authy or Microsoft Authenticator, as well as the TOTP generators built into password managers such as Bitwarden.

On top of that, you can use hardware security keys such as YubiKeys.

Default operation

When you first log in, you follow the usual process on the login screen:

Enter your details and press Enter or click Log In.

You will then be presented with the 2FA screen.

By default you are set up with an email-based 2FA policy, so check your email account for a message from the site containing a verification code.

Copy the code and paste it into the box marked Verification Code. If the code is correct you do not need to press Enter; you will be logged in straight away. If the code is rejected, it has most likely expired: request a fresh code and try again. Never forward or share a verification code; anyone who has it together with your password can log in as you.

Setting up your 2FA options

Setting up 2FA is straightforward and quick.

Once you've logged in, visit your profile page via the Users | Profile menu.

Scroll down to the Two-Factor Options section.

The workflow for each system is a little different.

Email

This is the default and the simplest method. A short verification code is emailed to the address on your Standfirst account; paste it into the challenge window to complete the login. Because the code is only as safe as your mailbox, make sure that email account is itself protected with a strong password and its own second factor.

Time Based One-Time Passwords

Similar to the codes sent by email, but these are generated on a device you hold, usually an authenticator app on a phone, from a shared key and the current time rather than being sent to you. You can use a mobile authenticator app for Time-based One-Time Passwords such as Google Authenticator, Authy, or Microsoft Authenticator, available in your app store.

When you select this option, or ask to regenerate a key, the Two-Factor Options section shows a QR code together with the equivalent text key.

In your authenticator app, scan the QR code shown on your own profile page (never one from a screenshot or example), or type in the key, to start generating codes. Treat the key as a secret: anyone who has it can generate your codes. When you log in, you'll be able to choose to use this type of code.

FIDO U2F Security Keys

These are physical keys that you plug in over USB or tap via NFC to prove your identity. To add a key, scroll down to "Register New Key" and press the button. The page shows a spinner while it waits for you to insert or touch the key; once the key has been read and validated it is added to your list, where you can maintain your registered keys. It is worth registering a second key and keeping it somewhere safe so that losing one does not lock you out.

Backup Verification Codes

If you can store backup codes safely, you can generate a set of them. Keep them somewhere secure, such as a password manager or a printed copy in a locked place; they let you log in if you lose your device or authenticator.

Each backup code can be used only once. When you have used most of the set, generate a new one.
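The behaviour described for emailed codes under Default operation (a code that times out) and for backup codes here (each one usable once) comes down to a few server-side checks. The following is an added, illustrative Python model of those checks; it is not Standfirst's own code and makes assumptions the page does not state: a ten-minute lifetime for emailed codes, backup codes of eight hex characters, and an in-memory store standing in for a database.

```python
import hashlib
import hmac
import secrets

# Assumed lifetime of an emailed code; the page does not state the real value.
CODE_TTL_SECONDS = 600


def hash_code(code: str) -> str:
    """Store only a digest so a leaked table does not yield usable codes."""
    return hashlib.sha256(code.encode()).hexdigest()


class OneTimeCodeStore:
    """In-memory stand-in for the server's table of emailed and backup codes
    (an assumption for this example, not Standfirst's storage)."""

    def __init__(self):
        self.email_codes = {}    # user -> (digest, expires_at)
        self.backup_codes = {}   # user -> list of digests still unused

    def issue_email_code(self, user: str, now: int) -> str:
        """Create a six-digit code from a CSPRNG, record its expiry, and return
        the plaintext that gets emailed. Issuing replaces any earlier code."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.email_codes[user] = (hash_code(code), now + CODE_TTL_SECONDS)
        return code

    def verify_email_code(self, user: str, submitted: str, now: int) -> bool:
        """True only for the current, unexpired code; the code is consumed on success."""
        entry = self.email_codes.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            del self.email_codes[user]  # timed out: the user must request a new one
            return False
        if not hmac.compare_digest(digest, hash_code(submitted.strip())):
            return False                # wrong guess: keep the code, let them retry
        del self.email_codes[user]      # single use: never accept the same code twice
        return True

    def generate_backup_codes(self, user: str, count: int = 10) -> list:
        """Replace any previous set; the plaintext list is shown to the user once."""
        codes = [secrets.token_hex(4) for _ in range(count)]
        self.backup_codes[user] = [hash_code(c) for c in codes]
        return codes

    def verify_backup_code(self, user: str, submitted: str) -> bool:
        """Accept an unused backup code and burn it so it cannot be replayed."""
        digest = hash_code(submitted.strip().lower())
        unused = self.backup_codes.get(user, [])
        for i, stored in enumerate(unused):
            if hmac.compare_digest(stored, digest):
                del unused[i]
                return True
        return False

    def backup_codes_remaining(self, user: str) -> int:
        """How many of the set are left; a low number is the cue to regenerate."""
        return len(self.backup_codes.get(user, []))
```

Two things this model leaves out that a real deployment needs: a limit on wrong guesses (a six-digit code survives only a few hundred thousand attempts, so lock or slow the challenge after a handful of failures), and invalidating the emailed code when the login session that requested it is abandoned.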

Changing and enforcing policy

If you need to enforce a particular 2FA policy for classes of Standfirst users, for example a tighter policy for admins and site owners but a simpler one for authors, please contact your developer, as these policies have to be defined by your developers.