Two-Factor Authentication

What it does

Two-Factor Authentication adds TOTP-based two-step verification to OJS 3.5, protecting user accounts from unauthorized access.

After enabling the plugin, an administrator selects which roles require 2FA (e.g., editors, authors, reviewers). Users with a required role are guided through setup on their next login.

How setup works

1. Scan a QR code with any authenticator app (Google Authenticator, Authy, Microsoft Authenticator, 1Password)
2. Confirm setup by entering the 6-digit code from the app
3. Receive 10 one-time backup codes for emergency access

From that point on, every login requires a code from the app in addition to the password.

Key features

• Per-role enforcement — administrator decides which roles require 2FA (Site Admin, Editor, Author, Reviewer, etc.)
• Backup codes — 10 one-time codes with automatic email warnings when used
• Security tab in profile — users can reconfigure 2FA or regenerate backup codes (after verifying current code)
• Smart reviewer handling — reviewers invited via token link aren’t blocked by the 2FA requirement
• Admin reset — search any user and reset their 2FA from the plugin settings panel
• Sitewide — works globally across all journals on the OJS instance
• Email notifications — system alerts when backup codes are used or regenerated

Requirements

• OJS 3.5+
• Any TOTP authenticator app on the user’s phone