Security & User Management in Statamic 6 — What’s New and Why It Matters
Statamic 6 strengthens its security foundation with built-in 2FA, smarter roles, and elevated sessions — giving developers and teams better protection by default.
Statamic has always been known for its elegant simplicity and developer-friendly approach.
With version 6, the CMS takes a big step forward in one crucial area: security and user management.
This release focuses on bringing protection features that used to rely on add-ons into the Statamic core, making them easier to manage and maintain. From built-in two-factor authentication to improved roles, impersonation, and session handling — Statamic 6 lays the groundwork for a safer and more flexible CMS experience.
Two-Factor Authentication in the Core
One of the most notable additions in Statamic 6 is Two-Factor Authentication (2FA), now built directly into the core.
Previously, this was handled through the community add-on “Two Factor for Statamic” by Mity Digital, which will no longer be needed or maintained for version 6.
According to the Statamic 6 documentation:
- Users can enable 2FA from their profile by scanning a QR code and using a TOTP app such as Google Authenticator or 1Password.
- Recovery codes are provided in case the user loses access to their authenticator app.
- 2FA can be optional or enforced per role through configuration (`two_factor_enforced_roles`).
- All secrets and recovery codes are encrypted using the application key (`APP_KEY`).
This makes 2FA a first-class feature that works out of the box, reducing dependency on third-party code and improving overall security consistency.
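To make the bullets above concrete, here is an added example in plain Python of the mechanism a core 2FA feature has to implement. It is not Statamic's code and not the Mity Digital add-on's: RFC 6238 TOTP generation and verification with a small clock-drift window and replay protection, single-use recovery codes, the otpauth URI behind the enrolment QR code, and a post-login decision that forces enrolment for roles that must use 2FA. `ENFORCED_ROLES`, `TwoFactorUser` and `after_password_login` are assumed names for illustration, not Statamic identifiers. One deliberate difference from the documented behaviour: this example stores recovery codes hashed rather than encrypted, so a leaked user store yields no usable code (the trade-off is that the user cannot view the codes again).

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Constructed stand-in for a "roles that must use 2FA" setting; the real key
# name in config/statamic/users.php is not shown in this example.
ENFORCED_ROLES = {"super_admin", "editor"}
TIME_STEP = 30      # seconds per TOTP step (RFC 6238 default)
DRIFT_WINDOW = 1    # accept one step either side to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // TIME_STEP)


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """The otpauth:// URI that the enrolment QR code encodes for authenticator apps."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period={TIME_STEP}")


class TwoFactorUser:
    """Per-user 2FA state (assumed structure, not Statamic's user model)."""

    def __init__(self, roles):
        self.roles = set(roles)
        self.secret = None           # raw TOTP seed; encrypt it at rest in a real store
        self.recovery_hashes = set() # SHA-256 of each unused recovery code
        self.last_step = -1          # highest time step already accepted (replay guard)

    def required(self) -> bool:
        return bool(self.roles & ENFORCED_ROLES)

    def enroll(self, count: int = 8) -> list:
        """Generate a fresh seed and one-time recovery codes; the codes are shown once."""
        self.secret = secrets.token_bytes(20)                   # 160-bit seed per RFC 4226
        codes = [secrets.token_hex(8) for _ in range(count)]    # 64 bits each: plain SHA-256 is enough
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        self.last_step = -1
        return codes

    def verify_totp(self, code: str, unix_time: int) -> bool:
        if self.secret is None:
            return False
        step = unix_time // TIME_STEP
        for candidate in range(step - DRIFT_WINDOW, step + DRIFT_WINDOW + 1):
            if candidate <= self.last_step:
                continue   # a step at or before the last accepted one is a replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False

    def verify_recovery(self, code: str) -> bool:
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest in self.recovery_hashes:
            self.recovery_hashes.discard(digest)   # single use
            return True
        return False


def after_password_login(user: TwoFactorUser) -> str:
    """Decide what the login flow does next once the password has been checked."""
    if user.secret is not None:
        return "challenge"   # enrolled: ask for a TOTP or recovery code
    if user.required():
        return "enroll"      # role enforces 2FA: force setup before granting access
    return "proceed"
```

The RFC 6238 test vector (secret `12345678901234567890`, time 59) yields `287082` with six digits, which is a quick way to confirm any TOTP implementation against the apps users will actually scan with. The replay guard is the part most home-grown implementations miss: without `last_step`, a code shoulder-surfed from a user's phone stays valid for the whole drift window.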
User Impersonation and OAuth Logins
Statamic 6 introduces several improvements for managing users and authentication workflows.
Impersonation
Administrators can now impersonate another user directly from the Control Panel.
It’s a practical way to test permissions, troubleshoot issues, or preview how a site looks to a specific role — without juggling multiple logins.
Access to this feature is governed by a dedicated permission and can be configured via config/statamic/users.php. Grant that permission sparingly: whoever can impersonate a user effectively holds that user's permissions for the duration, so it belongs with your most trusted administrators rather than with everyday editors.
OAuth Logins
Statamic 6 also adds OAuth support via Laravel Socialite.
You can allow users to sign in with providers such as Google or GitHub, simplifying authentication for larger teams or enterprise setups where Single Sign-On (SSO) is preferred. As with any OAuth login, decide deliberately how a provider identity is matched to an existing Statamic user and whether unknown identities may create accounts automatically; matching solely on an e-mail address the provider has not verified is the classic way such logins go wrong.
Elevated Sessions
As previewed in the Statamic 6 Sneak Peek, the new Elevated Sessions feature introduces an extra security layer for sensitive actions.
When performing operations like changing user settings or managing roles, Statamic can ask you to re-enter your password — even if you’re already logged in.
It’s a small but meaningful improvement: a session left logged in on a shared machine can no longer be used to change accounts or roles without the password being entered again, which is exactly the exposure shared or collaborative environments create.
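The logic behind such a feature is simple but worth seeing in one place, so here is an added Python example (not Statamic's or Laravel's implementation): a session carries a separate "password last confirmed" timestamp, sensitive actions check that it is recent, and a failed re-confirmation leaves the session exactly as it was. `ELEVATION_TTL`, `SENSITIVE_ACTIONS`, `Session`, `elevate` and `authorize` are assumed names and values for illustration; the credential store is constructed for the example.

```python
import hashlib
import hmac
import secrets

ELEVATION_TTL = 15 * 60   # seconds a password confirmation stays valid (assumed value)

# Control Panel actions that need a fresh password confirmation (assumed list).
SENSITIVE_ACTIONS = {
    "users.update", "users.delete", "roles.update",
    "two_factor.disable", "api_tokens.create",
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: user id -> (salt, PBKDF2 hash). Never store plain passwords.
_SALT = secrets.token_bytes(16)
CREDENTIALS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


class Session:
    def __init__(self, user_id: str, now: int):
        self.user_id = user_id
        self.authenticated_at = now
        # The login itself counts as a confirmation: the user just typed the password.
        self.elevated_at = now


def password_matches(user_id: str, password: str) -> bool:
    salt, stored = CREDENTIALS.get(user_id, (_SALT, b""))
    # Always hash, even for unknown users, so the response time does not reveal which ids exist.
    return hmac.compare_digest(_hash_password(password, salt), stored)


def elevate(session: Session, password: str, now: int) -> bool:
    """Re-confirm the password; on success the session is elevated from `now` onward."""
    if not password_matches(session.user_id, password):
        return False
    session.elevated_at = now
    return True


def authorize(session: Session, action: str, now: int) -> str:
    """'ok' if the action may proceed, 'reauth_required' if it needs a fresh password."""
    if action not in SENSITIVE_ACTIONS:
        return "ok"
    if session.elevated_at is not None and now - session.elevated_at <= ELEVATION_TTL:
        return "ok"
    return "reauth_required"
```

Two details matter in practice: the elevation lives in the server-side session, so a stolen cookie inherits only what the legitimate user had already confirmed, and the TTL is measured from the last confirmation rather than the last request, so an idle but still-open browser loses the elevation on schedule.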
Sessions, Tokens, and Authentication Hooks
While some features are still evolving, version 6 builds on Laravel’s mature authentication framework to introduce:
- Improved session handling, with the ability to manage or revoke individual sessions.
- API tokens powered by Laravel Sanctum, enabling secure integrations with external applications.
- New events and hooks for login, logout, and password reset actions — useful for adding custom logging or security rules.
Together, these changes bring Statamic’s authentication system closer to Laravel’s best practices while keeping it simple to extend.
Why This Matters
These updates aren’t just technical niceties — they strengthen how teams build and maintain secure sites.
| Audience | Benefit |
|---|---|
| Agencies and administrators | Fewer third-party add-ons to maintain, with stronger defaults |
| Developers | Cleaner APIs and hooks for integrating custom security logic |
| Editors and clients | Better protection without additional setup or friction |
By moving essential features like 2FA and session management into the core, Statamic 6 helps teams focus more on building and less on patching.
What’s Still Evolving
Because version 6 is still under development, some areas are expected to change before the stable release:
- The exact interface for session and token management is still being refined.
- Full audit logging (“who changed what”) is not yet part of the core but may appear later or through add-ons.
- 2FA relies on consistent encryption keys: if staging and production use different `APP_KEY`s, copying users between them leaves their 2FA secrets undecryptable on the other environment, so those users will have to re-enroll unless the secrets are re-encrypted under the target key.
- The UI for managing 2FA and security settings will continue to evolve during the beta phase.
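To make the `APP_KEY` caveat concrete, here is an added Python example (not Laravel's or Statamic's encryption code). It mimics the shape of Laravel's encrypted payload, a base64 JSON envelope with `iv`, `value` and `mac` fields where the MAC is keyed with the application key, so the failure surfaces the same way: the MAC check rejects the record before anything is decrypted. The cipher itself is a stand-in keystream built from HMAC-SHA256 rather than AES-256-CBC, so these payloads are not interchangeable with Laravel's. `reencrypt` and `sync_user_record` show the way out of the mismatch, decrypting with the old key and re-sealing with the new one before the record is copied; the user field names are assumed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets


class DecryptException(Exception):
    """Raised when a payload was sealed under a different key (or has been tampered with)."""


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in stream cipher: concatenated HMAC-SHA256(key, iv || counter) blocks. Not AES-CBC.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    # Same shape as Laravel's envelope: HMAC-SHA256 over the base64 iv followed by the base64 value.
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def encrypt(key: bytes, plaintext: bytes) -> str:
    iv = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    envelope = {"iv": iv_b64, "value": value_b64, "mac": _mac(key, iv_b64, value_b64)}
    return base64.b64encode(json.dumps(envelope).encode()).decode()


def decrypt(key: bytes, payload: str) -> bytes:
    envelope = json.loads(base64.b64decode(payload))
    # Verify the MAC first: with the wrong key this fails before any decryption happens,
    # which is why a mismatched APP_KEY produces an error rather than garbage secrets.
    if not hmac.compare_digest(_mac(key, envelope["iv"], envelope["value"]), envelope["mac"]):
        raise DecryptException("The MAC is invalid.")
    iv = base64.b64decode(envelope["iv"])
    ciphertext = base64.b64decode(envelope["value"])
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, iv, len(ciphertext))))


def can_decrypt(key: bytes, payload: str) -> bool:
    try:
        decrypt(key, payload)
        return True
    except DecryptException:
        return False


def reencrypt(payload: str, old_key: bytes, new_key: bytes) -> str:
    """Migrate a stored secret from one application key to another."""
    return encrypt(new_key, decrypt(old_key, payload))


def sync_user_record(record: dict, source_key: bytes, target_key: bytes) -> dict:
    """Copy a user record between environments, re-sealing its encrypted 2FA fields.
    The field names are assumed for this example, not Statamic's."""
    moved = dict(record)
    for field in ("two_factor_secret", "two_factor_recovery_codes"):
        if record.get(field):
            moved[field] = reencrypt(record[field], source_key, target_key)
    return moved
```

The practical rule follows directly: either share one `APP_KEY` across the environments whose user records you copy, or run a re-encryption step like `sync_user_record` as part of the sync; anything else silently locks users out of 2FA on the target side.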
Even so, the direction is clear: Statamic 6 makes secure workflows the default.
Closing Thoughts
Statamic 6 doesn’t reinvent authentication — it refines it.
By integrating Two-Factor Authentication, OAuth logins, and Elevated Sessions directly into the platform, it provides a solid foundation for agencies, developers, and clients who care about security without sacrificing ease of use.
I offer hands-on consulting to help you resolve technical challenges and improve your CMS implementations.
Get in touch if you'd like support diagnosing or upgrading your setup with confidence.
