
Craft CMS recently released the most significant update to the platform in history, Craft 5, focusing on a modernized control panel, enhancements to the authoring experience, and ambitious improvements to content modeling. With all the updates packed into the latest version, it’s easy to overlook the significant security enhancements that Craft 5 delivers.

It is always a worthwhile investment to keep your Craft CMS website and plugins updated to avoid the considerable cost of website neglect. But Craft 5 goes further, incorporating new features to make your site more secure. 

Security improvements in Craft CMS 5 include two-factor authentication (2FA) and the addition of fingerprint and facial recognition passkeys for a streamlined and more secure login process.

Two-Factor Authentication and Passkeys

Many of our clients, especially those in the healthcare sector, choose Craft CMS in part due to its security features. Two-Factor Authentication (2FA) is often at the top of the list of requirements because it forces users to provide two forms of identification when logging into the backend of the website (called the “control panel” in Craft). Typically, these identifiers are something they know (like a password) and something they possess (like a mobile device). In Craft 5, this is implemented through time-based one-time passwords (TOTP), where users enter a temporary code generated by an authenticator app after inputting their password.

"User accounts just got a HUGE security upgrade for Craft 5, with 2FA and passkey support." — Brandon Kelly, Founder & CEO of Craft CMS

Craft CMS 5 supports 2FA while introducing a layer of ease-of-use through passkeys, offering our clients robust protection without disrupting their workflow. Passkeys represent the future of authentication by eliminating passwords while maintaining a high level of security. If you own a modern smartphone, you're likely familiar with using fingerprint or facial recognition to access your device. This method enhances security by eliminating password-based vulnerabilities (like using your pet's name or your child's birthday), while also improving the user experience by streamlining the entire process.

Like all things Craft, the CMS excels at delivering everything you need with thoughtful implementation of security features. Two-factor authentication (2FA) can be required for login, either for all users or specific user groups, and administrators can easily manage this through the Craft control panel. Users can set up 2FA with a simple QR code scan. Passkeys are available by default, utilizing the Web Authentication API (WebAuthn). Users can leverage native functionality, like Touch ID on a MacBook Pro or Face ID on an iPhone, to create and use their passkey, enhancing both security and convenience.


The Risks of Outdated Websites

Though these feature enhancements make Craft CMS 5 the most secure version ever released, there are also substantial benefits to keeping your Craft website up to date regardless. Often the consequences of an outdated website are not immediately apparent, but they can expose your site to potentially catastrophic security vulnerabilities. We know this because we inherit many Craft CMS websites that have been neglected for too long and require extensive investment to get back up to speed.

The cost of maintaining an up-to-date website is significantly lower than the time and financial burden caused by security breaches, poor performance, and functionality failures.

Learn more about the costs of website neglect: Website Neglect is Costing You

Upgrading to Craft CMS 5

Are you ready to upgrade to Craft CMS 5? We recently updated our own website from Craft 4 to 5, and the process proceeded relatively smoothly. Additionally, we were able to eliminate plugin dependencies.

For a detailed walkthrough of our upgrade experience, including tips on handling plugin migrations and post-upgrade optimizations, read Upgrading the Mostly Serious Website to Craft 5.


Looking for a reliable, responsive, expert team to upgrade and maintain your Craft CMS website? We have packages for most needs.