Two-factor authentication (2FA) is an important part of maintaining the security of a WordPress site. However, 2FA alone isn’t enough to harden your WordPress site authentication. Strong passwords are also an important part, even when using two-factor authentication.
In this article we review 2FA, explain how hackers are bypassing it in some cases, and provide tips for using strong passwords on your WordPress website to complement 2FA.
Two-factor authentication explained
Two-factor authentication is a way to authenticate to a system using a combination of two different factors. Generally, there are three different “factors” that may be used for 2FA. These factors are something you:
- Know – PINs (Personal Identification Numbers), passwords, and answers to security questions fall into this category.
- Have – Mobile phones, smart cards, physical tokens, and bank cards fit in this group.
- Are – Biometrics such as fingerprints, retina scans, facial recognition, and voice recognition are in this category.
These different categories should give you an idea of the benefits of two-factor authentication. Hackers will have a tougher time compromising two of these factors than they would with just one. As a result, accounts protected using 2FA are safer than accounts protected by just one factor.
What about Multi-factor authentication (MFA)?
If you’re researching two-factor authentication you may have heard of multifactor authentication (MFA). So, are MFA and 2FA the same thing? Not exactly, but they are related. Simply put: two-factor authentication is a type of multifactor authentication.
MFA is an umbrella term for any type of authentication using two or more factors. 2FA specifically refers to two factors. You shouldn’t concern yourself too much with the differences. You’ll often see the terms used interchangeably and 2FA is the most common type of MFA used today.
Common examples of Two-factor authentication
2FA supports a variety of different implementation methods. While biometrics are becoming more common, most 2FA implementations for WordPress sites and cloud services use “something you know” and “something you have” factors. Common 2FA examples include the username and password and:
- SMS message – With this approach, you receive a text message with an additional code after entering your credentials.
- Email – Like the text message approach, after entering your credentials, you are sent an email with a code.
- Push notifications – With push notifications, you must confirm your login attempt from a preconfigured and approved device. Google and several online banking systems use this method.
- Authenticator apps – With authenticator apps, a one-time password (OTP) is generated by a program to be used in conjunction with your WordPress credentials. Google Authenticator and Microsoft Authenticator are popular examples of authenticator apps for 2FA.
- Security keys – Universal 2nd factor (U2F) is an approach to 2FA that is rising in popularity. U2F involves connecting a physical security key to complete the authentication process. The physical security key is usually either a USB or NFC (near-field communication) device. Yubico is a popular manufacturer of these security keys. Chrome, Firefox, Opera, and Edge browsers all support U2F today.
Two-factor authentication misconceptions
Thus far, 2FA seems great, and in many ways, it is. 2FA is an important part of maintaining the security of a WordPress site and protecting against brute force attacks. However, 2FA is not a cure-all security solution. There are some misconceptions about 2FA that can prevent you from getting the most out of it, namely:
- 2FA is too difficult to implement and maintain – As a WordPress administrator, you must balance security and usability. Solutions that are too difficult to maintain or implement may never make it to production. Fortunately, there are multiple two-factor authentication plugins for WordPress that make implementing 2FA easy.
- All 2FA solutions offer equal security – The technical side of 2FA can seem complex and it can be easy to assume all 2FA services offer equal security. However, that simply isn’t true. The hacks we’ll discuss below will demonstrate that.
- 2FA eliminates the need for strong passwords – The principle of defense in depth teaches us to protect against attacks at multiple layers. Using weak passwords with 2FA violates this principle and can leave your accounts at risk. Using weak passwords with 2FA is like leaving your door open because you have a lock on the gate, hence the need for strong WordPress password policies.
How hackers are beating two-factor authentication
Information security is a constant cat and mouse game. For every security solution, hackers come up with a way around it. This holds true for 2FA as well. Unfortunately, in some cases hackers have successfully overcome 2FA and breached accounts as a result. To learn from these events, let’s look at a few of them:
- Iranian phishers bypass SMS-protection on Yahoo! Mail and Gmail accounts – In 2018, hackers reportedly working on behalf of the Iranian government were able to compromise the email accounts of US government officials, journalists, and activists. While researchers were able to confirm SMS-based 2FA accounts were breached, it was unclear if accounts were protected by an authenticator app.
- Hackers compromise multiple Instagram accounts using SMS-protection – Hackers were able to compromise hundreds of Instagram accounts in the summer of 2018. Several of these accounts used Instagram’s SMS-based 2FA at the time.
- An activist’s Telegram account that uses SMS-protection hacked – In 2016, Oleg Kozlovsky saw his Telegram account that was protected by 2FA with SMS compromised.
What can we learn from hacks of 2FA protected accounts?
From these stories, you may notice a trend: SMS-based two-factor authentication is not the most secure. This is because it is too easy to compromise a text message. For example, SIM cloning, message routing system flaws, and social engineering are all means hackers can use to compromise SMS-based 2FA.
Because of these shortcomings with SMS, industry experts are advocating for the use of other 2FA methods. For example, Google began pushing users away from SMS-based 2FA in July 2017. Additionally, the National Institute for Standards (NIST) has recommended against SMS-based 2FA since 2016.
Similarly, email-based 2FA suffers from many of the same shortcomings. In fact, some have argued that email should be categorized as “something you know” as opposed to being a separate factor. Why? Because many email accounts are only protected by easy-to-guess passwords in the first place.
Consequently, SMS and email aren’t the best options for 2FA. However, we should note they’re still better than no 2FA at all.
How a strong password complements two-factor authentication
To sum up what we’ve covered with 2FA: it can add a layer of security to your WordPress website, but must be implemented intelligently. For example, a big part of effective 2FA is the use of strong passwords.
Why are strong passwords so important? Because easy-to-guess passwords may effectively reduce 2FA to one factor. Remember, the point of 2FA is to give hackers more factors to compromise. A weak password is like handing one of the two factors over from the beginning.
Further, with a strong password you can keep your account secure in the event your other factor is compromised. Consider a scenario where you lost your smartphone. Even if a hacker can access your authenticator app, a strong password can prevent them from accessing your account. Additionally, a strong password can be the difference between hackers cracking your password in seconds or years.
Strong password best practices
So, what can you do to create strong passwords to complement your implementation of 2FA? As an administrator of a website you should:
- Implement strong WordPress password policies to help users use strong passwords,
- Promote the use of password managers.
Educate your users on what makes a strong password. Here are some password best practices.
Use:
- long passwords – 8 characters should be an absolute minimum. Target ~16 characters or more where possible.
- passphrases with a mix of special characters – A good strong password should be a combination of a passphrase, numbers, and special characters. For example, V3teran$D4yh0liDay.
- a trusted password manager – Using trusted password managers can help solve the password memorization problem. This is because when you use a password manager, you avoid repeating passwords across sites and only need to remember a single master password.
Avoid:
- dictionary words – Hackers can use dictionary lookups to quickly crack passwords that are simply a word from the dictionary.
- common passwords – Passw0rd or password123 are out of the question. Similarly, password examples you find online, including our V3teran$D4yh0liDay example above, shouldn’t be used. This is because these passwords can become part of lookup attacks.
- personal information in your passwords – Your name and birth year are not a good password. People who know you, or who can find information about you online, can use this information to potentially guess your passwords or answer security questions.
- the same password on multiple sites – If you use one password across all sites, a single service provider breach can place all your accounts at risk. As there are new breaches seemingly every day, this is a real problem.
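The practices listed above can be turned into an automated check at password-change time. The following is an added sketch, not part of the original article and not the code of any WordPress plugin: the function names are hypothetical, and the two word lists are tiny constructed samples standing in for the full common-password and dictionary lists a real policy would load.

```python
import re

MIN_LENGTH = 8       # the article's absolute minimum
TARGET_LENGTH = 16   # the article's suggested target

# Constructed sample lists (assumption); real deployments load large lists.
COMMON_PASSWORDS = {"passw0rd", "password123", "v3teran$d4yh0liday"}
DICTIONARY_WORDS = {"holiday", "veteran", "summer", "dragon"}

# Undo common character substitutions before the dictionary comparison,
# so "H0liday!" is still recognised as the word "holiday".
SUBSTITUTIONS = str.maketrans("0134$@5", "oleasas")


def check_password(password, personal_info=()):
    """Return the list of rules the password breaks; empty means it passes."""
    problems = []
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered.translate(SUBSTITUTIONS))

    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if lowered in COMMON_PASSWORDS:
        problems.append("common_password")
    if letters_only in DICTIONARY_WORDS:
        problems.append("dictionary_word")
    # Names, birth years and similar details supplied by the caller;
    # fragments shorter than 3 characters are ignored to avoid noise.
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        problems.append("personal_info")
    return problems


def meets_target(password):
    """True when the password reaches the recommended ~16 characters."""
    return len(password) >= TARGET_LENGTH


if __name__ == "__main__":
    for candidate in ("H0liday!", "Passw0rd", "mossy-Lantern-42-quiet-river"):
        print(candidate, check_password(candidate), meets_target(candidate))
```

Password reuse across sites cannot be detected by a single site this way, which is why the password manager recommendation sits alongside these checks.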
Best of both worlds: Two-factor authentication & strong passwords
The takeaway here is clear: you need to use two-factor authentication and strong passwords on your WordPress site. This means leveraging the most secure 2FA methods practical, creating strong passwords, and helping your WordPress users do the same. With this approach, you’re able to provide defense in depth for WordPress authentication and truly reap the benefits of two-factor authentication.