Two-factor authentication is a security method for website logins. It doesn’t replace a password or passphrase, it’s used along with them as an additional layer of verification. You’ve probably seen and used two-factor authentication (also known as 2FA). If your bank or other site sends you a code via text that you need to use to log in, that’s 2FA.
Text messages aren’t the only way to use two-factor authentication. Email codes can also be used, but they are a weak second factor: if your email password is compromised too (often from the same breach, or because it was reused), the attacker holds both factors.
There are technically advanced biometric methods, like using fingerprints or the irises of your eyes. Those kinds of technologies are expensive and aren’t readily available for small website owners.
Finally, there are app-based 2FA methods. Easy to implement and use, they’re the perfect solution for most of us. So that’s what we’re going to talk about in this tutorial.
It’s certainly possible to set up your own text or SMS-based two-factor authentication, and it’s not overly complicated. But the services that provide the SMS part of the equation charge per message, and SMS has weaknesses of its own: codes can be intercepted by moving your number to another SIM (a “SIM swap”). Unless your 2FA usage covers hundreds, or thousands, of logins daily, it’s easier (and cheaper!) to use an app-based method.
In a minute, we’ll talk about how to set up WordPress two-factor auth, making your blog or website more secure.
Like It or Not, Passwords Rule Our Lives
If you’re old enough to remember life before the internet, you probably remember having a single password: your ATM PIN. That’s all you had to memorize to get through life. A short string of numbers.
Things have changed very quickly, of course, and now our lives seem to revolve around passwords. And since many sites still enforce short, complex passwords instead of long passphrases (which are both easier to remember and harder to guess), we’re saddled with ever more convoluted password requirements.
And here’s the biggest irony of all: most passwords aren’t compromised by someone guessing them at the login form. They’re stolen out of breached website databases, often as poorly protected hashes that are then cracked offline, or captured by phishing. Meaning the attacker doesn’t get your password by targeting you; they get it by targeting the websites you use.
So you can use secure web hosting, and you can use the world’s most complex passwords or passphrases, but they can still be lifted from a database or reused from another site’s breach. A strong password protects you against guessing, not against copying. So what good is it on its own?
Two-Factor Authentication to the Rescue (Kind Of)
How does two-factor authentication lessen the problem of password insecurity or theft?
It increases security by adding a second factor, something you have (your phone, or less ideally your email account), to something you know (the password). You supply your username and password as usual, but then you have to enter a 2FA code. The code is either sent to your phone or, with an authenticator app, generated on the phone itself from a secret that was shared with the site once, when you paired it.
Now if someone has your username and password, they can’t log in to your account unless they also have your phone.
Which is the solution, but also a problem if you lose your phone. A thief who has your phone still needs your password, but if they have both (or can get into an unlocked phone that stores your passwords) 2FA no longer stands in the way. And a lost or damaged phone will keep you out of 2FA-protected accounts, so plan a way back in before that happens.
So two-factor authentication isn’t foolproof, but it’s a very effective step to take for everyday security—that, and not letting your phone out of your sight.
There are a few good plugins for WordPress two-factor authentication. We’ll install the simplest of the bunch, 2FAS Light. It works in tandem with Google Authenticator, which is available for Android and iPhone.
Not a Google fan? It also works with other mobile applications like Microsoft Authenticator, Authy, FreeOTP, 2STP and OTP Auth. Any authenticator that generates time-based one-time passwords (TOTP, the open standard all of these apps implement) can be used. “Token” is just another word for the six-digit code the authenticators produce.
Installing the 2FAS Light Plugin
Log in to your WordPress admin panel.
In the left column navigation, mouse over the “Plugins” link and click the “Add New” link.
In the “Search plugins…” box, enter, “2FAS Light.”
When you find the plugin, click the “Install Now” button.
Now the plugin is installed, but it has to be activated before you can use it.
Click the “Activate” button.
That’s all there is to it.
Configuring and Using 2FAS Light
Now you have to pair your WordPress site and your phone. But that’s easier than it sounds.
In the left column navigation, click the “2FAS Light” link.
The first thing the plugin will tell you to do is download an authenticator app. I mentioned (and recommend) the Google authenticator, but any of the listed apps will do the job.
Move on to step 2, which generates a QR code that your authenticator app can read.
Open the authenticator app on your phone and choose to add a site. I would screenshot the Google Authenticator steps for you, but the app blocks screenshots on Android (an app can mark its screens as secure so nothing can capture them). That’s good!
Now in WordPress, click the “Show QR Code” button.
That will generate the code.
Now with the authenticator app on your phone, capture the QR code shown in WordPress. That should add your blog to the app, and it will start generating codes right away.
That takes us to step 3. Here you’ll enter the six-digit code generated by the authenticator app.
The codes are time-based: a new one is generated every 30 seconds, and if you enter an expired code it will fail. If the authentication app timer is counting down the last few seconds, wait for a new code to be generated. Because the code depends on the time, the phone’s clock also needs to be roughly correct; a phone that is minutes out of sync will generate codes the site rejects.
Then click the “Add device” button.
That’s it, two-factor authentication is enabled.
The standard WordPress username and password login remains, but after you enter those, there’s a new step.
Just enter a code from your authenticator app, and you’ll be in.
That’s it. You’ve set up 2FA in WordPress. It’s about the best investment of time you could make where the security of your WordPress site is concerned.
Turning Off Two-Factor Authentication
You can disable two-factor authentication by clicking the “Turn off two-factor authentication” toggle.
Forcing a User to Re-Authenticate on Next Login
If you checked “Remember device” when entering your auth code, you’ll see an entry in the “Trusted devices” section.
You can click the “Remove” link to force authentication on the next login.
What Happens if You Uninstall the 2FAS Light Plugin
If you uninstall the plugin, your WordPress login will revert to username/password only. If you choose to re-install the plugin later, you’ll have to pair the phone with the plugin again. Note what this implies: anyone who can already manage plugins in your admin panel can switch 2FA off, so it protects the login step, not an account that is already compromised.
The Truth Is, Two-Factor Authentication Is a Bit of a Pain to Use
Yes, it’s less convenient than a username and password alone. You need your phone nearby to log into 2FA sites. You have to get your timing down to avoid entering expired codes.
But every time I feel like 2FA is slowing me down, I remember what it’s doing for me. That it would frustrate and defeat anyone trying to gain access to my accounts. When I consider that, I no longer feel inconvenienced. I just feel protected.
Is it perfect?
Well, if you aren’t in the habit of losing or destroying your phone, it is kind of perfect. 😉 In any event, it’s the most perfect (free) solution available to most of us. And that makes it worth using.
Are you annoyed by using two-factor authentication? Do you feel your website administration is safer with 2FA in place?
I’d love to hear from you. Let me know in the comments.
Author: Michael Phillips
Michael Phillips is a web hosting industry veteran, helping people make the most of their web presence since 1995.