Security, Reliability and Compliance

Introduced in version 9.2

Security has always been one of TYPO3’s top priorities and as we know, hardening the security of a system is an ongoing process.

TYPO3 stores various files in the “var/” directory, which is typically located under “typo3temp/var/”. Some of these files are for example Install Tool session files, caching framework files, files related to locking or logging, Extension Manager data files or files generated by TYPO3’s import/export or core update functions. Despite the fact that a properly configured web server and TYPO3 instance prevents accessing any sensible files in the “var/” directory, it is obvious that these are non-public files, which should better be located outside the web root.

As part of the ongoing effort to enhance the security of TYPO3 even further, the path to the “var/” directory can now be configured as an environment variable TYPO3_PATH_APP. The following configuration directive can be used by the Apache web server for example:

SetEnv TYPO3_PATH_APP /var/www/example.com/

This would instruct TYPO3 to create and use directory “/var/www/example.com/var/” whereas the web root should be “/var/www/example.com/htdocs/”. If the environment variable is not set, non-composer installations of TYPO3 continue to use “typo3temp/var/” as the default. Composer-based installations benefit from this functionality directly, as data is stored within the project roots' folder under “var/”.

Documentation

Introduced in version 11.1

When you log in to the backend of TYPO3, you control a wide range of functions. Depending on your level of access, you can edit the contents of your company’s online presence, change business-critical data, or access highly sensitive user information. This great power needs to be protected so that only you have access to it.

Sometimes, a user name and password is just not secure enough. Multi-factor authentication (MFA) addresses this by adding a second factor to the login process or even multiple factors. The use of two factors is also referred to as two-factor authentication (2FA). When implemented correctly, MFA makes it significantly more difficult for an adversary to gain unauthorized access. That’s why MFA is considered one of the most effective security measures in information systems today.

When introducing an additional authentication method, it’s important to consider the user experience. If the login process becomes too cumbersome and complicated, users don’t configure it and miss out on an increased security level.

With our users at front-of-mind, we implemented a modern, secure, easy-to-use, and flexible MFA solution in TYPO3 version 11.1. You could say: "Your key to the galaxy!"

Once an administrator has activated an MFA provider, backend users can use it as a second authentication method for their login process. Typical providers are, for example, time-based one-time password (TOTP), counter-based one-time password, or WebAuthn. WebAuthn is a state-of-the-art web standard published by the World Wide Web Consortium (W3C) and supported by modern versions of Chrome, Firefox, and Edge browsers.

Following our promise to let TYPO3 site owners customize as many aspects of an instance as possible, the MFA implementation in TYPO3 allows developers to create additional providers. Check out the working examples “mfa_yubikey” (by Torben Hansen), “mfa_hotp” (by Oliver Bartsch), and “mfa_webauthn” (by Benjamin Franzke).

Documentation

Introduced in version 11.0

If you’re an extension developer whose code uses an authentication component, you are encouraged to keep an eye on related PHP classes—for example, the class  “AbstractUserAuthentication” which received a software redesign in preparation for the multi-factor authentication (MFA).

See:

• https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/11.0/Breaking-92989-AbstractUserAuthentication-loginFailureRemoved.html
• https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/11.0/Breaking-92990-AbstractUserAuthentication-svConfigRemoved.html
• https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/11.0/Breaking-92997-Authentication-relatedHTTPCacheHeadersAreEmittedOnlyByPSR-15Middlewares.html
• https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/11.0/Breaking-93047-RemovedPropertySendNoCacheHeadersInAbstractUserAuthentication.htm

Documentation

Introduced in version 10.4

Another notable new feature in TYPO3 v10 LTS is the “password recovery” function for backend users. Previously, administrators created backend user accounts and assigned passwords. They then had to provide the users with their access details. The same applied to cases where users forgot their passwords. From a security perspective, this is not considered state-of-the-art anymore. Administrators should not need to deal with user passwords at all.

In TYPO3 v10 LTS, administrators can trigger a password reset for users in the TYPO3 backend. Backend users are now also able to request a password-reset email in a secure way.

To ensure a high standard, we have built a number of security features into this function.

• No information about existing users is disclosed.
• The link in the email is only valid for a limited time.
• There is a rate limit on how often a recovery email can be requested.

On systems that have special security requirements, the function can also be deactivated for administrator accounts. Alternatively, the function can be completely disabled for all users. This may become relevant in installations with third-party integrations such as LDAP or OAuth.

Documentation