A strong password can be an effective security measure, but as security breaches become more commonplace, it can be necessary to add an additional layer of protection.
The most common multi-step authentication process is called Two-Factor Authentication. It can be enabled for many of the apps you use every day, including Facebook, Twitter, Gmail, Dropbox, Amazon, and many more if you look deep enough.
What is Two-Factor Authentication?
Two-Factor Authentication, abbreviated as 2FA, essentially adds an extra layer of security beyond the usual username and password combination that you’re used to.
On the web, you may have seen this in the form of an SMS text message with a code to verify you are you before you can log in. However, there are other methods of authenticating yourself, a couple of which we’ll explore here.
Why would I want this?
You wouldn’t want any random person logging into your Amazon account and ordering things you don’t want…
Or your Facebook account and posting things you never would say…
So, by having a second factor of authentication, if worse comes to worst and your login information is compromised, an intruder would need access to this other device to gain access to your account(s).
How Do I Enable 2FA?
Two-factor authentication can be done in many different ways, but in most cases the second factor is something in your possession that can similarly identify you through a randomly generated token. For a more in-depth rundown and some guides to enable 2FA for many popular online services, we recommend checking out CNet’s guide on the Why and How of 2FA.
As mentioned earlier, many sites use SMS to generate a code for you to type in and verify yourself.
However, there are also apps that facilitate this in an arguably more secure manner, known as authenticator apps. Some of the most popular include:
- Google Authenticator (recommended) (iOS/Android)
- LastPass Authenticator (iOS/Android)
- Authy (iOS/Android)
In the CNet article mentioned above, they say “If you have the choice, use an authentication app”, so we recommend downloading whichever app fits your personal choice.
Now that you’ve enabled Two Factor Authentication for your favorite apps and services, what about your own website?
It’s surprisingly simple: with just a few steps, you can also make your website more secure by requiring 2FA for your WordPress website administrator accounts.
How Do I Set Up 2FA for My WordPress Site?
First, you’ll need to install a plugin to enable two-factor authentication. While there are many plugins available, we’re partial to, and recommend, the Two Factor Authentication plugin from the makers of UpdraftPlus (a popular WP backup solution).
- Install and activate the Two Factor Authentication plugin (https://wordpress.org/plugins/two-factor-authentication/).
- Keep the default settings which will make 2FA available to all users.
- Note: Each user must enable 2FA from within their own user account.
After plugin activation, the following steps must be completed by the user in order to set up 2FA.
- In the WP Admin Dashboard, click “Two Factor Auth” in the sidebar menu – you will be presented with a QR code.
- Note: The settings here only affect the currently logged in user.
- In the Authenticator app of choice, select the appropriate option to scan a QR code and scan the code on the screen.
- Important! After your QR code has been scanned, verify that the 6-digit numerical code in your app matches the 6-digit numerical code on the screen.
- Note: You may have to click the “Update” link to refresh the code.
- If the codes match, change the radio button for Activate two-factor authentication from “Disabled” to “Enabled” and Save Changes.
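To show what your authenticator app and the site are each computing when you compare the two 6-digit codes, here is an added example (not the plugin's own code) of the TOTP algorithm (RFC 6238) that Google Authenticator and similar apps implement, including the server-side check with a small clock-drift window and a guard against reusing a code. The secret is the published RFC test key, and the account name and issuer in the QR-code URI are made up.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed sample secret: the RFC 4226/6238 test key "12345678901234567890",
# base32-encoded the way an authenticator app receives it from the QR code.
# It is a published test vector, not a real account secret.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that the plugin's QR code encodes (Key URI format)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&digits=6&period=30")

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """Time-based code (RFC 6238): HOTP over the 30-second time-step counter.
    The app and the site compute this independently from the shared secret,
    which is why the two 6-digit codes must match during enrollment."""
    return hotp(secret_b32, unix_time // step)

def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_accepted: int = -1, window: int = 1, step: int = 30):
    """Return the matched time-step counter, or None if the code is rejected.
    Accepts the current step plus `window` steps either side to tolerate clock
    drift, but never a step at or before `last_accepted`, so the site can store
    the returned counter and refuse a code that is submitted twice."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == 6):
        return None
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return counter
    return None
```

The code changes every 30 seconds, which is why the page tells you to click “Update” if the on-screen code has moved on before you compare it.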
The one disadvantage of using 2FA with an app on your phone is that if you lose your phone, you will need to re-enroll with the new phone. Unfortunately, you won’t be able to log in to your website to do so. In this case, you’ll need administrative rights to your website (for example, file or database access) to manually disable the plugin. More information on troubleshooting and manually disabling the plugin can be found in the Two Factor Authentication plugin FAQ.
Once you’re set up, you can sit back and relax knowing that your website is also now protected by the same extra layer of security afforded to your other online accounts.
If you enjoyed this article and want to see more like it, or have any other feedback, please let us know in the comments!