Multi-Factor and Two-Factor Authentication For WordPress – Shield

By 4th April 2017 April 7th, 2017 News, WordPress Security

Two-factor authentication (2FA) is a one of the best ways to secure account access – for any platform, WordPress included.

1 extra piece of information alongside your account password goes a long way. It reduces vulnerability to a category of issues that surround account integrity.

Shield Security has integrated easy-to-use two-factor authentication (2FA) almost since we started it. By forcing users to confirm their identity we lock-down WordPress account access to the verified account owners only.

We started with email two-factor authentication – is email the most secure ever? No, but that’s not an issue.

You see, 2FA isn’t designed to offer the most secure account access EVER. Instead, it presents an extra obstacle, another layer of complexity, to unauthorised account access.

Different approaches to 2-Factor Authentication

As with anything on the internet, there are a lot of opinions on the “best” 2FA method to use.

So which approach actually is the best?  That doesn’t matter. What matters more is that you have one.

A better question to ask is: which one am I most likely to use?

i.e. how can we get as many people to use 2FA, such as email or Google Authenticator, without screwing them over. (I’ll come back to this a little later)

Here are just some of the methods:

  • email
  • Google Authenticator
  • Google Prompt
  • Authy
  • Duo
  • SMS
  • Push(over)
  • Yubi(key)

Again, everyone on the Internets has an opinion on each of these. You’ll hear people decry SMS and email as insecure. But again, moving yourself to use 2FA more and more is about getting a system that works for you.

Here’s a simple challenge to illustrate. Which the most secure login method?

  1. password only
  2. password + email-based two-factor authentication (requires little or no setup)
  3. password + Google Authenticator (that you never bother to setup because it’s got too many steps or it’s burnt you in the past)

It’s a tricky one, I know, but take your time.

I hope you understand the point we’re trying to make. It’s more important to use at least 1, than to not use any.

How to add Two-Factor Authentication to WordPress

Our Shield Security plugin offers 3 different types of 2-Factor Authentication:

  1. Email (after you login, you’ll get an sent to your account with a code / link to use to complete the login)
  2. Google Authenticator – you’ll use an app that generates a random code which you use to login
  3. Yubikey – like the other 2 methods, but uses a hardware device that generates the code

With version 5.8.0 of Shield Security we’ve completely rewritten how 2FA works. Before now, we’ve been adding elements directly to the WordPress login screen.

Now you will be presented with a brand new screen that asks you for your authentication codes. The user provides all (or just 1) of their codes to complete their login.  This gives us a few great wins, such as:

  1. Smoother UX – Shield presents the authentication screen if, and only if, the user has 2FA enabled.
  2. Smoother UX x 2 – Shield presents only the multi-factor authentication field that the user has activated.
  3. Better compatibility – we reduce dependency on the WordPress login screen. This meanings we’ll work better with 3rd party login forms, and you’re less likely to run into issues.
  4. Easier Extensions – we can now easily add more authentication methods without cluttering up the WordPress login screen.

Two-Factor, or Multi-Factor?

When logging into anything, your 1st “factor” is your password.  If you’ve setup email authentication, then the code/link in your email is your 2nd factor.

If you use email authentication and then add Yubikey, you now have “Multi-Factor” Authentication.

The more “factors” you add, the more secure your account access. If someone gets your password, and even access to your email account, but you also have Google Authenticator, you’re still safe!

Shield Security supports both two factor or multi-factor authentication. You can enable ‘Email’, ‘Yubikey’ and ‘Google Authenticator’ on your user accounts and have the option to chain them together.

Whether you decide to chain them to create Multi-Factor authentication, or not, is up to you. But your pay-offs are usability and user management in the form of managing the cases where users lose access to one of their login factors.

When Google Authenticator screws you over

How can a 2FA system make your life a misery? Simple – when you lose your ability to generate your 2FA codes.

How can this happen? So imagine you use the Google Authenticator app on your phone to save your codes.  But what happens to your codes when:

  • your phone crashes and it needs to be reset
  • your accidentally delete the wrong account from the app
  • you drop your phone into your pint
  • … < insert catastrophe here >

The answer is, you’re locked out of your account. To get around this, you need backups of your Google Authenticator codes – we recommend using an alternative – Authy App.

Question or Comments?

If you have any questions or comments for us, please let us know in the comments below.

Join the discussion 6 Comments

  • Liz Lashes says:

    Two-factor authentication secures users account from the cyber criminals. Thank you for explaining the concept and steps to enable the solution on a WordPress website. It should be great of you mention some more 2FA plugins.

    View Comment
  • Borris says:

    Is there a way to set up different ways to authenticate a person trying to get into their wordpress site? Lets say I want the most secure way possible for myself to log into my website. I have a username and password and use Authy as 2FA. Authy only gives me 30 seconds to submit a code before switching it up. Thats easy enough for me to do, but what if I have a developer across town that needs to get in, and I want to make sure they need me to grant them access to get in? I cannot give them that Authy code fast enough. Can I set it up for them to get in with the email code that is sent out? Would I need to have multiple administrators on the account and have different methods of getting in?

    View Comment
    • Paul G. says:

      The Shield Security plugin doesn’t support this sort of multi-factor authentication setup. I guess if you’re sharing user accounts – and I can’t think of a good reason for that, then you could have a shared email address perhaps. Other than that, not sure what to suggest here.

      View Comment
  • salvatore says:

    I can’t understand why the email doesn’t arrive! What could be common problems?

    View Comment
  • Tim says:

    Ok, It looks like I’m a two factor authentication dingaling because I no longer have my old phone and didn’t switch it before moving to new phone. Is there any way to access my account or should I just create a new account under a different email address?

    View Comment

Leave a Reply

Click to access the login or register cheese