Product support

Get help in the plugin support forum.



This plugin adds Two Factor Authentication to the Backend of October CMS.

What makes this plugin better than others?

  • Each Secret Key is stored encrypted.
  • Actively Maintained by Van der Let & Partners (official October CMS partner).
  • User Friendly UI.
  • New features will be added frequently.

Supported Apps

Questions? Need help?

If you have any question about how to use this plugin, please don't hesitate to contact us at octobercms@vdlp.nl. We're happy to help you. You can also visit the support forum and drop your questions/issues there.

If you love this quality plugin as much as we do, please rate our plugin.

Users can be forced to set up 2FA in the sign in process.

After installing the plugin, go to My Account to enable Two Factor Authentication.


  • October CMS 3.0 or higher
  • PHP 8.0.2 or higher


To configure this plugin execute the following command:

php artisan vendor:publish --provider="Vdlp\TwoFactorAuthentication\ServiceProvider" --tag="config"

This will create a config/twofactorauthentication.php file in your app where you can modify the configuration.

  • Found the plugin useful on 13 Aug, 2022

    Install it, and enable 2FA for your backend account. As easy as it sounds. Great job!

  • Found the plugin not useful on 15 Sep, 2021

    Doesnt work for latest October.

  • author

    Replied on 15 Sep, 2021

    Hi Robert,

    An update for this plugin is still in the works. Don't expect us to have an update available immediately since October CMS 2.1 (stable) is released not very long ago. We have a lot of plugins to manage, so it will take some time to test them all properly.

    If you have purchased this plugin, I can provide you with a nightly build which will work with October CMS 2.x in the meantime.

    Please contact us at octobercms [at] vdlp [dot] nl and we are happy to help you!

  • Found the plugin useful on 30 Nov, 2020

    Hi, we're gradually rolling out this plugin for all of our clients. It would be nice to be able to force users to set 2FA upon next login (maybe with a kind of grace period). Can you please let us know if this is in the roadmap for this plugin? Thanks in advance for your response.

  • author

    Replied on 2 Mar, 2021

    Hi Maarten, thank you for reaching out to us. We have added this feature recently. We'd like to thank you for participating on testing this feature. It has now included since version 2.0.0. If anyone has ideas, suggestions or issues please contact us at octobercms [at] vdlp [dot] nl.

  • Found the plugin useful on 29 Mar, 2019

    It works but for some reason I'm only able to add authentication to one of the two admin accounts.

  • author

    Replied on 1 Apr, 2019

    Users must enable 2FA for themselves. Since v1.3 administrators are able to disable 2FA for users if they have lost their device or security code.

  • Found the plugin useful on 27 Feb, 2019

    Super easy plugin, does what it should, and is very easy to implement.


Change disabling 2FA of other backend users.

Nov 30, 2023


Prevent unnecessary `Registering Intended Uri` logs to `/backend`.

Sep 29, 2023


Several additions, improvements and fixes -- see CHANGELOG.md

Jun 01, 2023


Improve redirection logic after successful verification.

Mar 09, 2023


Update French translation.

Feb 20, 2023


Security improvements -- see CHANGELOG.md

Dec 16, 2022


Security improvements -- see CHANGELOG.md

Dec 15, 2022


Improve UI for October CMS 3.x

Nov 30, 2022


Maintenance release -- see CHANGELOG.md

Sep 23, 2022


Fix redirect loop when accessing Sign In page when backend user is signed in.

Jun 02, 2022


Fix implementation of backend.force_remember configuration.

May 25, 2022


Add October CMS 3.x to supported versions.

Apr 12, 2022


Fix reading logging_enabled configuration parameter.

Feb 03, 2022


Fix form button types.

Dec 10, 2021


Add configuration option for disabling logging.

Dec 10, 2021


Replace usage of `cms.backendForceRemember` (OC 1.x) with `backend.force_remember` (OC 2.x)

Nov 02, 2021


Fix missing usage of `force_all_super_users` configuration parameter.

Oct 05, 2021


Fix redirects while intercepting login

Sep 23, 2021


Extended logging and code improvements -- See CHANGELOG.md

Sep 22, 2021


Drop support for October CMS 1.x

Sep 20, 2021


!!! Add support for PHP 7.4 and higher

Jul 13, 2021


Fixes typo in Configuraton section in README file.

Mar 03, 2021


Fixes two important issues in authentication flow -- See CHANGELOG.md

Feb 23, 2021


Add support for forcing 2FA set up after authentication -- See CHANGELOG.md

Dec 31, 2020


Remove the autocomplete attribute from the OTP field. Prevents storing OTP in browser cache.

Aug 18, 2020


Upgrade dependency `libaries pragmarx/google2fa` and `endroid/qr-code`.

May 26, 2020


Fix redirect issue when cms.backendUri is empty.

May 26, 2020


Allow disabling 2FA for users as superuser (superuser must have 2FA enabled).

Jan 23, 2020


Fix issue with login screen not showing up

Jun 21, 2019


Add 2FA column to user list

Jan 18, 2019


Fix invalid method call

Nov 07, 2018


Improve security by generating the QR-code on server (instead of Google Charts API).

Nov 02, 2018


First version of Vdlp.TwoFactorAuthentication

Oct 12, 2018