Whenever you implement a security measure, you should also have some sort of fallback. You do not want to be compromised by the failure of a single component. This is known as defense in depth.
When you manage a WordPress website, one of the most important aspects of security is authentication, that is, how you log in to your website. One of the ways to improve the defense in depth of your WordPress login mechanism is to implement two-factor authentication (2FA).
Improving defense in depth with two-factor authentication
A way of adding defense in depth to your WordPress authentication mechanism is to implement two-factor authentication (2FA). 2FA requires two factors to log in. These factors are commonly grouped into categories:
- something you know, like a password
- something you have, like a key or physical token
- something you are, like a biometric such as your fingerprint
- something you do, like a swipe-pattern password on a phone
- somewhere you are, like GPS-based authentication.
Note that 2FA is not as simple as just using any 2 things for authentication. For example, if you use 2 passwords to login, that doesn’t qualify as 2FA. Both fall into the same category of “something you know”.
Here, we’ll take a look at how Google Authenticator works, and explain how, with a two-factor authentication plugin and the Google Authenticator app, you can easily set up 2FA on your WordPress website.
The Google Authenticator app: a crash course
Google Authenticator is an app built by Google. In 2FA it acts as something you have, providing the second factor alongside the password (the something you know) you use to log in to your website.
It does so using TOTP (Time-based One-Time Password). TOTP is a variant of the HOTP (HMAC-based One-Time Password) algorithm. Without getting too far into the weeds, the difference is that an HOTP code does not expire until it is used, while a TOTP code expires after a set time frame.
In Google Authenticator each generated code lasts about 30 seconds. When you type in the correct password and the current one-time code from the app, you successfully log in to your website.
How does your website know it is the correct one-time code?
Both the Google Authenticator app and the website start from a common seed, or secret. This secret can be either a string of characters you type in, or an input from your camera, for example by scanning a QR code. From there, the website’s 2FA mechanism and the Google Authenticator app on your phone are in sync with one another: both derive the same code from the shared secret and the current time, so the website can compute the code it expects and compare it with the one you type in.
Note that the app on its own is only one factor. To achieve 2FA with Google Authenticator, you must couple it with another factor, typically a password.
IMPORTANT: With 2FA you still need strong passwords
Just because you enable 2FA on your website, it doesn’t mean you can brush off the other factor. Using the Google Authenticator app with a strong password makes it an effective 2FA solution. With a weak password, the second factor becomes moot, essentially reducing you to one factor. Conversely, if the one-time code is somehow compromised, or someone uses it within its 30-second window, the other factor (your strong password) can still protect you. For a deeper dive on 2FA and strong passwords, check out Why you need both Two-factor Authentication & strong passwords.
How to set up the Google Authenticator app for your WordPress 2FA
As for the plugin, there are multiple 2FA plugins available. Read our top 4 two-factor authentication plugins if you are not sure which one to use. In this example we will use Two-Factor, our favorite 2FA plugin. This plugin supports the following 2FA methods:
- Email codes (one-time code is sent over email)
- TOTP (one-time code from the Google Authenticator app)
- FIDO Universal 2nd Factor (U2F) (one-time code is generated by a physical token like a YubiKey)
- Backup codes
Setting up 2FA on your WordPress with the Two-Factor plugin
Once you install and activate the WordPress plugin Two-Factor, access the 2FA settings in your user profile page. Scroll down to the Two-Factor Options section.
From here, select the second-factor method Time Based One Time Password via Google Authenticator and set it as primary. Launch the Google Authenticator app on your phone and tap the add-new-website icon (the red circle with a white cross). Select Scan a barcode and scan the QR code shown in your user profile page.
Once you scan the QR code you will be asked to enter the one-time code for the first time.
That is it. Now you have 2FA on your WordPress website and can generate one-time codes with the Google Authenticator app. However, don’t forget to generate some backup codes.
Why do you need the 2FA backup codes?
It’s always a good idea to select a secondary option here; otherwise, if you ever lose access to your Google Authenticator app, your phone, etc., you will be locked out of your website.
You can set up email 2FA as a backup. However, we recommend generating a list of backup codes, printing it, and storing it in a safe place. You can use one of the backup codes to log in to your website in case you cannot get a one-time code from the Google Authenticator app.
To generate the backup codes simply:
- navigate to your user profile page,
- enable the Backup Verification codes (Single Use) setting,
- once the codes are generated click Download Codes.
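To show what "Single Use" means on the website side, here is an added Python example of how a site can issue and redeem backup codes; it is illustrative code written for this article, not the Two-Factor plugin's implementation, and the code format (four groups of four hex characters) and the hash-only storage are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # how many single-use codes to hand out at once


def _normalize(code: str) -> str:
    """Ignore the dashes, spaces and letter case a user may or may not type."""
    return "".join(code.split()).replace("-", "").lower()


def generate_backup_codes(count: int = CODE_COUNT):
    """Return (codes to show/print for the user once, hashes to store).
    Each code carries 64 bits of randomness, so the stored hash list is of
    no use for guessing codes offline; plaintext codes are never stored."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(8)                       # 16 hex characters
        codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
    stored = [hashlib.sha256(_normalize(c).encode()).hexdigest() for c in codes]
    return codes, stored


def redeem_backup_code(stored_hashes: list, submitted: str) -> bool:
    """Single-use redemption: compare in constant time and delete the matched
    hash, so the same printed code can never be used to log in twice."""
    digest = hashlib.sha256(_normalize(submitted).encode()).hexdigest()
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, digest):
            del stored_hashes[i]
            return True
    return False
```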
Logging in to WordPress with 2-factor authentication
That is it! The next time you need to log in to your WordPress site, after typing in your credentials (always use strong passwords!) you will be asked for a one-time code. Simply launch the Google Authenticator app and type in the code.