Whenever you implement a security measure, you should also have some sort of fallback. You do not want to be compromised by the failure of a single component. This is known as defense in depth.
When you manage a WordPress website, one of the most important aspects of security is authentication, a.k.a. how you login to your website. There are several ways how to harden the authentication to improve the defence in depth of your WordPress login mechanism. One of them is to implement two-factor authentication (2FA).
Improving defense in depth with two-factor authentication
2FA uses two factors to login. These factors are often grouped into a number of labels. They are something:
- you know, like a password
- you have, like a key or physical token
- you are (biometrics, e.g. your fingerprint)
- you do like a swipe pattern password on a phone
- somewhere you are like, GPS-based authentication.
Note that 2FA is not as simple as just using any 2 things for authentication. For example, if you use 2 passwords to login, that doesn’t qualify as 2FA. Both fall into the same category of “something you know”.
For more detailed information on how 2FA works refer to how two-factor authentication works on WordPress. In this article we’ll assume that you know what 2FA is, so we can show you how Google Authenticator works. We will also explain how with a two-factor authentication plugin and the Google Authenticator app you can easily setup 2FA on your WordPress website.
NOTE: The WP 2FA plugin for WordPress also supports Authy, FreeOTP and several other 2FA apps. So if you do not want to use Google Authenticator for WordPress 2FA, refer to the list of supported 2FA apps.
The Google Authenticator app: a crash course
Google Authenticator is an app built by Google. In 2FA it acts as something you have. This provides the second factor to the password (the something you know) you use to login to your website.
It does so by using TOTP (Time-based One Time Password). TOTP is a variant of the HOTP (HMAC-based One Time Password) algorithm. Without getting too far into the weeds, HOTP varies from TOTP: in HOTP a password will never expire until used, while a TOTP code or password expires within a certain time frame.
In Google Authenticator the generated passwords lasts about 30 seconds. When you type in the correct password and the one-time code provided by the app you successfully login to your website.
How does your website know it is the correct one-time code?
Both the Google Authentication app and the website start off with a common seed or secret. This secret can be either a string of characters you type in, or an input from your camera, for example by scanning a QR code. From there, the website’s 2FA mechanism and the Google Authenticator app on your phone are in sync with one another.
Therefore to achieve 2FA with Google Authenticator, you must couple it with another factor, typically a password.
IMPORTANT: With 2FA you still need strong passwords
Just because you enable 2FA on your website, it doesn’t mean you can brush off the other factor. Using the Google Authenticator app with a strong password makes it an effective 2FA solution. With a weak password, the 2nd factor becomes moot, essentially reducing you to one factor. If the one-time code is somehow compromised, or someone uses it within its 30 second window, the second factor can protect you. For a deeper dive on 2FA and strong passwords, check out Why you need both Two-factor Authentication & strong passwords.
How to setup the Google Authenticator app for your WordPress 2FA
- Email codes (one-time code is sent over email)
- TOTP (one-time code from Google authenticator app)
- Backup codes
Setting up 2FA on your WordPress with the WP 2FA plugin
Once you install and activate the WordPress plugin WP 2FA, you are presented a wizard that helps you setup two-factor authentication.
From here, select the 1st factor method One-time code generated with the Google Authenticator app. Click Next and follow the instructions. Bascially, all you need to do is launch the Google Authenticator app on your phone. Then tap the add new website icon (the red circle with a white cross), and select Scan a barcode to scan the QR code you are presented with.
Once you scan the QR Code you will be asked to enter the one-time code for the first time. That is it. Now you have 2FA on your WordPress website and can generate one-time codes with the Google Authenticator app. However, don’t forget to generate some 2FA backup codes.
Why do you need the 2FA backup codes?
It’s always good idea to select a secondary option here, otherwise if you ever loose access to your Google Authenticator app, your phone etc you will get locked out of your website.
You can setup email 2FA as backup. However, we recommend generating a list of backup codes, printing it, and storing it in a safe place. You can use one of the backup codes to login to your website in case you cannot get a one-time code from the Google Authenticator app. You can generate the backup codes through the wizard. If you did not:
- navigate to your user profile page,
- scroll down to the WP 2FA settings,
- click on Generate backup codes,
- once the codes are generated download or print the codes.
Logging in to WordPress with 2-factor authentication
That is it! The next time you need to login to your WordPress, after typing in the credentials (always use strong passwords!) you will be asked for a one time code. Simply launch the Google Authenticator app and type in the code.