Case Study: Passwordless Authentication for Drupal with Beyond Identity Universal Passkey

6/22/2023 Jing Gu

Drupal is a content management system (CMS) that allows users to create and manage websites without any coding knowledge. It is one of the most popular CMS platforms in the world with over 1.5 million websites using Drupal.

Problem:

Beyond Identity uses Drupal for our CMS. However, the admin login to manage and maintain the company website used Drupal's out-of-the-box password-based authentication. This had several drawbacks including:

  • Admins had to remember complex passwords
  • Passwords were inherently insecure 
  • Employees managing the website were required to rotate passwords/use a password manager etc.

Additionally, since Beyond Identity is a security company, our employees were acutely aware of the security vulnerabilities of passwords and therefore eager to use our own technology. 

Solution:

Chris Rocha, our web developer, integrated Beyond Identity to implement passwordless authentication leveraging Universal Passkeys to protect admin access to Drupal.

Implementation

Total time from development to production deployment: <1 hour

Process

Chris first came across an internal guide published for the WordPress plugin and realized that it was simply relying on an OIDC service to function, a mechanism which could be easily replicated for Drupal. 

In order to use Beyond Identity passwordless authentication for Drupal, Chris went through the following steps:

  1. Configure a new Marketing Site Realm within his developer console (note: if you don’t have a Beyond Identity account, you must first create one to access your developer console)
  2. Configure a new application within the Marketing Site Realm
  3. Install the OIDC module to the Drupal website
  4. Configure the OpenID Connect Client with the Client ID, Client Secret, and Issuer URL generated during new application creation within the Beyond Identity developer console (step 2)

  5. Copy and paste the authorization, token, and Userinfo endpoints from Applications
  6. Use the OIDC module to configure the interface of the login form

Note: The module we used includes the ability to replace the existing form, insert the new button above the existing form, or insert the new button below the existing form. Since we didn’t need to keep passwords, Chris opted to replace the existing form altogether with a single “Log in with Beyond Identity” button.

  7. Test the implementation using Redirect URIs. You can use different Redirect URIs for testing within multiple environments including local and staging environments.
  8. Send email enrollment links to website administrators via the developer console. Developers can also create users in the directory via our Identities API or sync users from their primary directory into Beyond Identity via SCIM.
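
A consistency check for the OIDC client settings configured above (Issuer URL, the pasted endpoints, and the per-environment Redirect URIs), as an added example that is not part of the original case study or Beyond Identity's code. It compares the pasted endpoints with what the issuer publishes in its discovery document and flags Redirect URIs that use plain http outside loopback; all URLs, the `/oidc/callback` path and the `check_client` name are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample: what the issuer publishes at
# <issuer>/.well-known/openid-configuration (placeholder URLs, not real ones).
DISCOVERY = {
    "issuer": "https://auth.example.test/realms/marketing",
    "authorization_endpoint": "https://auth.example.test/realms/marketing/authorize",
    "token_endpoint": "https://auth.example.test/realms/marketing/token",
    "userinfo_endpoint": "https://auth.example.test/realms/marketing/userinfo",
}

# Constructed sample: values pasted into the Drupal OpenID Connect client form.
CLIENT = {
    "issuer": "https://auth.example.test/realms/marketing",
    "authorization_endpoint": "https://auth.example.test/realms/marketing/authorize",
    "token_endpoint": "http://auth.example.test/realms/marketing/token",  # http typo
    "userinfo_endpoint": "https://auth.example.test/realms/staging/userinfo",  # wrong realm
    "redirect_uris": [
        "https://www.example.test/oidc/callback",      # production
        "http://localhost:8080/oidc/callback",         # local development
        "http://staging.example.test/oidc/callback",   # staging over plain http
    ],
}

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_client(client, discovery):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    # The issuer is compared exactly, the same way an ID token's iss claim is.
    if client.get("issuer") != discovery.get("issuer"):
        findings.append("issuer: does not match the discovery document")
    # Each pasted endpoint must be the one the issuer itself advertises.
    for key in ENDPOINT_KEYS:
        if client.get(key) != discovery.get(key):
            findings.append(f"{key}: differs from the issuer's published value")
    # Redirect URIs carry the authorization code, so only loopback may use http.
    for uri in client.get("redirect_uris", []):
        parts = urlsplit(uri)
        if parts.scheme != "https" and parts.hostname not in LOOPBACK_HOSTS:
            findings.append(f"redirect_uri {uri}: plain http on a non-loopback host")
    return findings


if __name__ == "__main__":
    for finding in check_client(CLIENT, DISCOVERY):
        print("FINDING:", finding)
```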

Reflecting on the implementation process, Chris said, “It took me less than an hour to set up with no code needed. I never have to help reset a password again and the marketing website is much better protected because there’s no way for an attacker to steal a password to gain access.”

User Feedback

According to Chris, “Users have been happy to never have to remember a password again, understandably. Plus, it’s always a good idea to ‘eat their own dogfood’ so we can experience first-hand what the end-users experience. There have been no issues so far, and all feedback has been positive.”

How to get started

To get started with the Beyond Identity Drupal plugin, you need to:

  1. Sign up for a Beyond Identity account
  2. Download a Drupal OIDC module to your website
  3. Configure your plugin using our Drupal plugin guide

Let us know in our Slack if you need any help or have feedback! Our product and engineering teams are here to answer your questions.