How To Set Up WordPress Two Factor Authentication
More and more sites are using two-factor or multi-factor authentication to ramp up security. I mean, Google wants my cell phone number to confirm my identity before I can log into Gmail. And it’s a good idea. I mean, do you see how often hacking stories hit the mainstream news? Security (or the lack thereof) is a real problem and while you may not be able to prevent a big security breach like the one that happened at The Home Depot recently, you can do your part as an individual to protect your information and your site.
What is Two Factor Authentication?
As its name suggests, two factor authentication is a process that requires two sets of authentication before you’re logged into a site. Many big name sites currently make use of it in one way or another. I already mentioned Google, but sites like Twitter, Facebook, and Amazon use it, too.
The most common form of two factor authentication in use today asks you to enter your username and password as normal, but before you’re logged in you have to complete a second step: confirming your identity on your cell phone or tablet, usually via a secondary app.
However, there are several other kinds of two factor authentication on the market. For instance, you might be required to input a specific personal identification number (PIN) along with the username and password. Or you might need to confirm a specific visual pattern before being granted access. Many banks use this form of authentication.
A fob is another popular choice for confirming identity at sign-on. The fob (which you can easily attach to your keychain) displays a random series of numbers that you then have to enter into a text field on the site before you’re allowed to log in.
While two factor authentication might feel like a new thing, rest assured it’s not. When you pay with a credit card, you often have to show your ID to the person behind the checkout counter. Or you have to input your zip code. Or if shopping online, you need to input the security code from the back of your card. So you see, it’s nothing new. But the application to website logins is sort of a new thing and that’s why more and more people have started asking about it.
Why Do I Need It?
As I mentioned in my opening paragraphs, two factor authentication adds another layer of security in a world where hacking has become commonplace. In short, you need it because you need to protect your personal information and your site from malicious people out there. And they are out there.
Brute force attacks occur constantly and unless you have your site secured properly, odds are good that a hacker will one day break through your defenses and steal your info, upload malware, or perform a whole host of other malicious acts.
Two factor authentication makes hacking your site harder. And unless you’re running a high-profile site, most hackers and bots are going to give up after a time when they can’t break in right away.
You want an even shorter answer?
Anything you can do to make hacking your site harder is worth doing.
A lot of people are reluctant to jump on the two factor bandwagon, however, because in the process of improving site security it makes the login process more complicated and more time-consuming. Arguably, it doesn’t take that much longer, but there is a definite time factor involved here. If that’s a major concern for you, you can always opt for the “stay logged in” option to reduce the number of times you have to go through the double authentication process in a given week.
Know Your Options
You have several options for plugins that make setting up two factor authentication a snap. Let’s dive in, shall we?
Duo Two-Factor Authentication
The Duo Two-Factor Authentication plugin from Duo Security makes it simple to add two factor authentication to your WordPress site with minimal setup and minimal fuss. It works like this: install and activate the plugin on your WordPress site then download an app for your smartphone. From there, you can establish which users (or user roles) on your site require the use of two factor authentication.
On the user’s end, interaction with Duo is pretty seamless. After typing in your username and password you’re taken to a secondary screen that presents you with several options for verifying your identity. For instance, you can opt to confirm via the mobile app. Once you select this option, a notice pops up on your phone and all you have to do is tap “Confirm.”
Another option is to use a one-time passcode that’s generated on the mobile app or sent to your phone via SMS. Other options include a phone callback and using a passcode generated by a hardware token. You’re not exactly starving for options with Duo Security and that’s one of the reasons I like it so much. And even though it does provide all of these options, it manages to do so without overwhelming you with them.
Clef
Clef is a personal favorite of mine as far as two factor authenticators go. This plugin takes a truly unique approach that seems like it would be intimidating on the surface but is really pretty darn easy to use. Once you install the plugin and the accompanying Clef app on your phone, you just need to go to the wp-admin screen on your site and select the “Log in with your phone” button.
From there, you’ll be asked to sync the “Clef Wave” with the app. The Wave is a moving bar code that appears on both your computer screen and within the app. Your phone will use the built-in camera to sync the wave. This verifies your identity without ever having to type in your password. Pretty neat, huh?
There is a little setup involved here, which requires choosing a PIN within the app and connecting it with your WordPress accounts. From there, however, the process is simple. Just use the log in with phone option and you’ll be automatically logged into your site. You can use this plugin to log into all of your WordPress sites. And when you’re done, you can log out of them all at once, too.
Google Authenticator
Another option for adding two factor authentication to your site is Google Authenticator. This plugin adds the power of the Google Authenticator app to your WordPress site. Many people already use this app on their smartphones to enable two factor authentication on other applications and websites like Gmail and Amazon, so it would make sense to leverage this plugin for sheer convenience’s sake.
With this plugin, you can add two factor authentication for individual users, administrators, or as defined by specific user roles. There’s an app password feature built in, too, but that makes the app itself less secure, meaning your WordPress site would become less secure as well. It’s likely a much better idea to stick with the default authentication protocol here to maintain the highest level of security.
Two Factor Auth
If you’re just looking for a simple solution, Two Factor Auth might work out well for you. It works by creating a one-time password that you can input within a given period of time before it becomes invalid. These passwords are typically sent to your email address.
It also works with third-party apps like Google Authenticator for an added layer of security. The one-time passwords are generated with TOTP (time-based one-time password) or HOTP (HMAC-based, counter-driven one-time password), so you can log in using a code presented in the app (as described in the previous section). Generally, this is a simple way to add greater security to your site without having to do a ton of setup.
Authy Two Factor Authentication
Authy provides two factor authentication solutions across numerous platforms, but it also has a free WordPress plugin you can use. Once it’s installed on your site, you just need to sign up for a free API key on the Authy site. Enter the API key into the plugin settings and you’re good to go. Your identity is verified via a text message to your cell phone.
It actually offers quite a few features. For instance, you can give users the freedom to opt-in to two factor authentication or as the administrator, you can force it on all users. Or, you might just want it to be required by those with specific user roles.
Two-Factor Authentication – Clockwork SMS
The last dedicated plugin I’m going to talk about here is called Two-Factor Authentication – Clockwork SMS. As you might’ve guessed by its name, this plugin works by sending a code to your phone via SMS when you try to log in to your WordPress site.
You can set it up to work with specific user roles or individual users, if you’d like. You will need a Clockwork SMS account to use this plugin, however, along with some credit in said account. Yes, that means there’s a fee, but you might find it worth it to add the convenience of text message login verification without needing an external app.
A Part of a Broader Security Solution
Two factor authentication is often a feature included in security plugins. Because of that, you might opt for such a plugin since it’ll cover greater security territory than just an authenticator would alone. The thinking here is “why use two plugins when you can use one?” Actually, there are very good reasons to use a dedicated authenticator plugin by itself if you so choose, but if site speed is an issue for you or you simply want to keep maintenance to a minimum, an all-in-one solution might work better.
A few security and site management plugins that include two factor authentication are:
iThemes Security Pro
iThemes Security Pro covers numerous security features, but it notably includes two factor authentication. Interestingly enough, it works in conjunction with Google Authenticator, too. You need to have this app installed on your phone, then you can configure it with the iThemes plugin. So, you’ll log in using your usual username and password, then be asked to input a verification code that Google Authenticator automatically generates. This code will only work for one login and changes after 30 seconds.
ManageWP
Another option is ManageWP. Now, this isn’t exactly a security plugin but it is a WordPress management dashboard that lets you control multiple sites from one interface. You can install updates, schedule backups, and more across all of your sites at once.
For security purposes, you can use the built-in two factor authentication feature. This works by sending a verification code to your phone via SMS or by sending you an email. Either way, it’s a method of verifying your identity before being granted site access.
Wordfence
Wordfence is a robust security plugin that includes a variety of features to keep your site and its content safe. For instance, it conducts regular site checks to make sure your site isn’t infected. It also promises to make your site up to 50 times faster.
Two factor authentication is included as well. It’s referred to as cell phone sign-in, according to the plugin description, which is apt since the verification via SMS is what upgrades this from a standard login process.
Two factor authentication is becoming increasingly important for WordPress site owners. It provides an added layer of security that is more necessary by the day. Because I mean, let’s face it: hackers aren’t going anywhere. There’s always going to be someone out there trying to break into your site for one reason or another. Better to acknowledge that fact and prepare than to sit idly by and hope it doesn’t happen, right?
Hopefully, you now have a pretty good sense of how to set up two factor authentication on your WordPress site. If you have any questions, please feel free to ask them in the comments. Or if you’ve come across a different/better solution, I’m all ears!
Article image thumbnail by venimo / shutterstock.com