In the Feature Spotlight posts, we are going to highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we are going to cover Two-Factor Authentication, a proven method to secure and protect your WordPress site.
Why we Developed Two-Factor Authentication
According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that “81% of hacking-related breaches leveraged either stolen or weak passwords.”
In a list compiled by Splash Data, the most common password included in all data dumps was 123456. Even though 91% of people know reusing passwords is poor practice, a staggering 59% of people still reuse their passwords everywhere! Many of these people are still using passwords that have appeared in a database dump.
A database dump occurs when a hacker successfully gains access to a user database and then dumps the contents somewhere online. Unfortunately for us, these dumps contain a ton of sensitive login and account information.
The “Collection #1” Data Breach that was hosted on MEGA included 1,160,253,228 unique combinations of email addresses and passwords. A haul of this kind provides a malicious bot with over a billion sets of credentials to use in brute force attacks. A brute force attack is a trial-and-error method used to discover username and password combinations to hack into a website.
All of these reasons and more should make you want to add another layer of protection to your WordPress login.
Okay, so you are the type of person that uses a password manager like LastPass to create strong and unique passwords for each of your accounts. But what about the other administrator and editor users on your site? If an attacker was able to compromise one of their accounts, they could still do a ton of damage to your website.
If only there were a method to secure your WordPress user accounts that Google has said is effective against 100% of automated bot attacks.
What Is Two-Factor Authentication
Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Google shared on its blog that using two-factor authentication can stop 100% of automated bot attacks. I really like those odds.
There are 3 Categories of Identity Verification
1. Something You Know. Do you remember filling out security questions when setting up your online mortgage account? Something like Who is your favorite teacher? or What is your mother’s maiden name? These security questions are a form of two-factor authentication by requiring answers you would only know.
2. Something You Have. This category requires you to have something physically in your possession, like your phone or a YubiKey, to prove your identity. For example, some two-factor authentication methods require a time-based code from a 2FA app on a specific device.
3. Something You Are. You may not know the name, but if you have a smartphone, you have probably used biometric authentication to log into your phone. Biometric authentication requires a unique biological characteristic to authenticate your login. If your phone has a fingerprint scanner or Face ID, you are using biometric authentication every time you unlock your phone.
Requiring another method of identity verification to log into your website would block all automated brute force attacks and even help to protect you if there is a Broken Authentication vulnerability on your website. A Broken Authentication vulnerability can allow an attacker to compromise a user’s passwords, keys, or session tokens to take over that user’s account.
How to Use Two-Factor Authentication in iThemes Security Pro
To start using Two-Factor Authentication on your website, enable the feature on the main page of the iThemes Security Pro settings.
Now click the Configure Settings button to take a closer look at your two-factor options.
- Authentication Methods Available to Users – This setting lets you choose which of the three authentication methods you will allow people to use.
The three authentication methods provided by iThemes Security Pro:
- Mobile App – The mobile app method is the most secure method of two-factor authentication provided by iThemes Security Pro. This method requires you to use a free two-factor mobile app like Authy.
- Email – The email method of two-factor will send time-sensitive codes to the user’s email address.
- Backup Codes – A set of one-time use codes that can be used to log in if the primary two-factor method is lost.
Alright, let’s move on to the rest of the two-factor settings.
- Force Two-Factor Authentication – This option allows you to require users in a specific user group to use two-factor authentication.
- Disable Two-Factor Onboarding – This setting allows you to disable the two-factor authentication onboarding for certain users. We will cover the 2FA onboarding in more depth later in the post.
- Vulnerable User Protection – When enabled, this setting will require all users to use two-factor when logging in if the site is vulnerable, such as running outdated software or software with known vulnerabilities.
- Disable on First Login – When you enable the Force Two-Factor Authentication feature for specific User Groups, those users will be required to enter the two-factor token sent to their email address the next time they log in. Enabling this setting will simplify the onboarding flow when users first log in.
- On-board Welcome Text – This allows you to customize the text people see when they start the two-factor onboarding flow.
- Application Passwords – Select which user groups can use application passwords.
We created the two-factor onboarding to create a user-friendly way for people to set up two-factor on their accounts when they log in. After you enable two-factor authentication, every user will be guided through the onboarding process. You can disable two-factor onboarding for specific user groups in the two-factor settings.
Alright, let’s walk through logging in and the two-factor onboarding process step by step.
Just like normal, the first thing you will see is the login form. Enter your credentials and click the Log In button.
If you followed our recommendations and enabled the forced 2FA requirement for privileged users, the next thing you will see is a place to enter the two-factor token sent to your email address. Open the email, copy and paste the token, and then click the Log In button.
On the next screen, you will be presented with the onboarding welcome text. Keep in mind that you can customize this in your two-factor settings. Click the Continue button to move onto the next step.
The next step is to select which methods of two-factor you want to enable for your account. Click the Backup Codes arrow to generate a list of backup codes to use if your primary method of authentication fails.
Now click the Download button to download a text file of your backup codes. Be sure to store these codes somewhere safe.
Now click the Back link to return to the previous screen. Now let’s click on the Mobile App arrow to enable and configure this method of authentication for our user.
Now choose your mobile OS and then open your mobile two-factor app on your phone.
From your phone, scan the QR code to link the secret to your mobile app.
Now enter the 6-digit code from your phone into your web browser and click Verify to finish the mobile app setup.
Alright, now that you have two-factor all set up, click the Continue button to finish logging into your WordPress dashboard.
User Profile Two-Factor Settings
You can always make changes to your two-factor settings by visiting your user profile page.
From here, you can create a new Secret Key, enable/disable 2FA methods, and update your primary method of authentication.
To sum up, nothing as easy as adding 2FA to your WordPress login will do more to secure your site. If you aren’t currently using two-factor, add it to your website right now.