Two Factor Authentication for WordPress


Besides getting HTTPS working, probably the most important security feature you can get for free on WordPress is two-factor authentication.

How does two-factor authentication work? In addition to your usual user name and password, you enter a 6-digit number that changes every 30 seconds or so. Since that number is derived from a key only you should know, you can think of it as another password. However, because it constantly changes, anybody snooping only learns your login for the next 30 seconds or so; once that time has passed, the captured code is useless. Two-factor authentication essentially makes it irrelevant that your password is known.

It is not fool-proof protection: somebody could steal your key in addition to your password. However, since the key itself is never transmitted over the wire, that makes things considerably more difficult for an attacker, and it will definitely make the common, everyday non-targeted password attacks irrelevant.

Even if you run without HTTPS (which I don't recommend) and have to log in over public wireless (scary!), this will keep anybody snooping from getting the full account details they would need to log in. Yes, there is the possibility of somebody using your authentication cookie, but as long as you log out, you can rest assured that nobody can log in after you. In a plain-text world there are many other attacks somebody might try against you, but two-factor authentication closes the most obvious doors.

I personally use the Two Factor Auth plugin for this purpose. Although it doesn't officially support WordPress 4.1, I found it works perfectly fine. Installation is WordPress-simple, and by default you get a pretty usable system that mails codes to your users when they attempt to log in.

However, each user gets the opportunity to enable the "third party" delivery type. That gives you a QR code you just scan into e.g. Google Authenticator, and your mobile phone can then generate codes every time you need them. The system for generating these codes is completely standardized, so I am sure you can find your favorite application, whether it is on a desktop, a mobile phone, or even a watch.

It is a small change that helps security a lot.

PS: If you have Google mail and two-factor authentication is not enabled, what are you waiting for?