Backend user API
In TYPO3, backend users (BE users) are responsible for managing content,
settings, and administration tasks within the backend. They are stored in the
be_ database table and authenticated via the Backend user object stored in the
global variable $GLOBALS (class \TYPO3\).
See also
- How to create and manage backend users: Backend user management.
- Security Guide: Users and access privileges.
- Backend user object
- Access control in the backend (users and groups)
- User settings configuration
- Be.security.ifAuthenticated ViewHelper <f:be.security.ifAuthenticated>
- Be.security.ifHasRole ViewHelper <f:be.security.ifHasRole>
- TypoScript condition [backend.user.isLoggedIn]
Sudo mode (step-up authentication) for password changes
New in version 12.4.32 / 13.4.13
This functionality was introduced in response to security advisory TYPO3-CORE-SA-2025-013 to mitigate password-change risks.
This mechanism prevents unauthorized password changes if an administrator session is hijacked or left unattended.
When an administrator edits their own user account or changes the password of another user via the admin interface, password confirmation (step-up authentication) is required.

Step-up authentication requires the administrator to re-enter their password
Note
The password confirmation requirement may pose challenges when integrating remote single sign-on (SSO) providers, as these typically do not support a dedicated step-up authentication process.
In such cases, you can use the PSR-14 events SudoModeRequiredEvent (triggered before showing the sudo-mode verification dialog) and SudoModeVerifyEvent (triggered before actually verifying the submitted password) to adapt the behavior.