How to Secure Your OJS Journal with Two-Factor Authentication

If you manage an academic journal on Open Journal Systems, security should be a top priority. OJS installations are increasingly targeted by hackers — from spam injections and SEO hijacking to unauthorized access to editorial accounts. A compromised journal doesn’t just lose data; it loses credibility.

The single most effective step you can take? Enable two-factor authentication (2FA).

Why OJS Journals Are Vulnerable

OJS is used by over 40,000 journals worldwide. That popularity makes it a target. Common attack vectors include:

  • Weak passwords — editors and reviewers often use simple passwords, especially when managing accounts across multiple journals
  • Shared accounts — some editorial teams share login credentials, making it impossible to track who did what
  • Outdated installations — many journals run older OJS versions with known security vulnerabilities
  • No brute-force protection — OJS doesn’t limit login attempts by default

A single compromised admin account can give an attacker full control over your journal — published articles, reviewer identities, submission data, and editorial decisions.

What Is Two-Factor Authentication?

Two-factor authentication adds a second step to the login process. After entering a password, users must also provide a one-time code from an authenticator app (like Google Authenticator, Authy, or 1Password). Even if someone steals a password, they can’t log in without the code.

The industry standard for this is TOTP (Time-based One-Time Password), the same technology used by Google, GitHub, and virtually every major platform.

Does OJS Support 2FA Natively?

No. OJS has no built-in two-factor authentication. It relies on simple username/password authentication, with optional LDAP integration for institutions that use it.

This means you need a plugin.

Setting Up 2FA on OJS

The Two-Factor Authentication plugin for OJS adds full TOTP-based 2FA to your journal. Here’s what it offers:

Role-Based Enforcement

Not every user needs 2FA. A reviewer who logs in once to submit a review has different security needs than a journal manager with admin access. The plugin lets you choose which roles require 2FA:

  • Site Administrators — always recommended
  • Journal Managers — highly recommended
  • Editors and Section Editors — recommended
  • Authors and Reviewers — optional, depending on your security policy

Trusted Browsers

Requiring a code on every login can be frustrating, especially for editors who log in daily. The trusted browser feature lets users mark their devices as trusted for a configurable number of days. They’ll only need the code again after the trust period expires or when logging in from a new device.
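The trust period described above is usually implemented as a signed, expiring token stored in a cookie. The following added example (not the plugin's own code) shows one sound way to do it: the server signs the user id, an expiry timestamp and a random device id with an HMAC key, and on a later login checks the signature, the expiry and that the token belongs to the user who just entered their password. The key, function names and the optional revocation set are this example's assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set

# Constructed server-side signing key; a deployment would load this from its configuration
# and rotate it (rotating it invalidates every outstanding trusted-browser token at once).
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()


def issue_trust_token(user_id: int, trust_days: int,
                      now: Optional[int] = None, key: bytes = SERVER_KEY) -> str:
    """Create the value to set in a cookie after a successful 2FA login.

    Format: "<user_id>:<expires_unix>:<device_id>:<hmac>". The device id is random so the
    server can revoke one browser without touching the others.
    """
    now = int(time.time()) if now is None else now
    expires = now + trust_days * 86400
    device_id = secrets.token_hex(16)
    payload = f"{user_id}:{expires}:{device_id}"
    return f"{payload}:{_sign(payload, key)}"


def browser_is_trusted(token: str, user_id: int, now: Optional[int] = None,
                       key: bytes = SERVER_KEY, revoked: Optional[Set[str]] = None) -> bool:
    """Decide whether the 2FA prompt can be skipped for this login.

    Every check is applied to a token the client controls, so verify the signature first,
    then expiry, then that the token is for the user who just authenticated with a password
    (a token issued to one account must never unlock another), then revocation.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(":")
    if len(parts) != 4:
        return False
    uid, expires, device_id, sig = parts
    if not hmac.compare_digest(_sign(f"{uid}:{expires}:{device_id}", key), sig):
        return False
    if not uid.isdigit() or not expires.isdigit():
        return False
    if int(uid) != user_id:
        return False
    if now >= int(expires):
        return False
    if revoked and device_id in revoked:
        return False
    return True


if __name__ == "__main__":
    token = issue_trust_token(user_id=7, trust_days=30)
    print(token)
    print("trusted now:", browser_is_trusted(token, 7))
    print("trusted after 31 days:", browser_is_trusted(token, 7, now=int(time.time()) + 31 * 86400))
```

The cookie itself should additionally be set with `Secure`, `HttpOnly` and `SameSite` attributes; the token only proves that this browser completed 2FA before, which is why the password is still required on every login.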

Backup Codes

If a user loses their phone or changes devices, backup codes ensure they’re not locked out. Each user receives a set of one-time backup codes during setup that can be used instead of the authenticator code.
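Backup codes are straightforward to get right if two rules are followed: they must have enough entropy that a stolen database cannot be brute-forced back to the codes, and the server must store only a hash of each one and delete it on use. The example below is added for this article and is not the plugin's implementation; the code format (four groups of four hex characters, 64 bits of randomness) and the function names are this example's own choices.

```python
import hashlib
import secrets
from typing import List, Set, Tuple

CODE_COUNT = 10
CODE_BYTES = 8  # 64 bits of entropy per code, enough to make offline guessing of sha256 hashes impractical


def normalize(code: str) -> str:
    """Accept the code however the user typed it: with or without dashes/spaces, any case."""
    return "".join(ch for ch in code.lower() if ch in "0123456789abcdef")


def hash_code(code: str) -> str:
    """Store only this; the plaintext is shown to the user exactly once at setup."""
    return hashlib.sha256(normalize(code).encode("ascii")).hexdigest()


def generate_backup_codes(count: int = CODE_COUNT) -> Tuple[List[str], Set[str]]:
    """Return (plaintext codes to display once, hashes to persist with the user record)."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)
        codes.append("-".join(raw[i:i + 4] for i in range(0, len(raw), 4)))
    return codes, {hash_code(c) for c in codes}


def redeem_backup_code(stored_hashes: Set[str], submitted: str) -> bool:
    """Consume a code: valid only if its hash is still present, and it is removed on success.

    Comparing hashes rather than plaintext means an attacker who reads the database still
    has to invert sha256 on 64 bits of randomness per code.
    """
    candidate = hash_code(submitted)
    if candidate in stored_hashes:
        stored_hashes.remove(candidate)
        return True
    return False


def remaining(stored_hashes: Set[str]) -> int:
    """How many unused codes the user has left; warn them and offer regeneration when low."""
    return len(stored_hashes)


if __name__ == "__main__":
    plain, stored = generate_backup_codes()
    print("Show these to the user once:")
    for c in plain:
        print("  ", c)
    print("first use ok:", redeem_backup_code(stored, plain[0]))
    print("second use ok:", redeem_backup_code(stored, plain[0]))
    print("codes left:", remaining(stored))
```

Because each hash is deleted when redeemed, a code captured from a user's printout works at most once, and the "codes left" count gives the admin view of who is running low and should regenerate a fresh set.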

Smart Reviewer Handling

External reviewers often have minimal interaction with your journal — they log in, submit a review, and leave. Forcing them through 2FA setup can create friction and delay reviews. The plugin handles this gracefully, allowing you to exempt reviewer-only accounts from 2FA requirements.

Admin Controls

Journal managers can:

  • View which users have 2FA enabled
  • Reset 2FA for users who lose access to their authenticator
  • Monitor 2FA adoption across the editorial team

Beyond 2FA: Other Security Measures

Two-factor authentication is the most impactful single change, but good security is layered:

  1. Keep OJS updated — install security patches promptly
  2. Use HTTPS — set force_ssl = On in config.inc.php so every session is served over TLS
  3. Strong passwords — enforce minimum password requirements
  4. Regular backups — daily database and file backups, stored off-server
  5. Limit admin access — only give Site Admin or Journal Manager roles to people who truly need them
  6. Install plugins from trusted sources — only use plugins from the PKP Plugin Gallery or verified developers

Getting Started

The Two-Factor Authentication plugin installs in under 5 minutes — upload the ZIP through the Plugin Gallery, enable it, and configure which roles require 2FA.

Your editorial team will be guided through the setup process on their next login, with clear instructions for scanning the QR code with their preferred authenticator app.

Don’t wait for a security incident. Protecting your journal’s integrity and your contributors’ data starts with a single step.

Learn more about the Two-Factor Authentication plugin →
