What is Two-factor Authentication?
By default, WordPress uses a single-factor authentication mechanism. That single factor is the password, a value that only you know.
A two-factor authentication mechanism, also known as 2FA, TFA or two-step authentication, requires two factors to authenticate a user. The two factors are a password and a one-time password (OTP) or code. The user needs to know both the password and the one-time password or code to log in. It is called a one-time code because it can only be used once. Also, it is typically valid only for a short amount of time, such as 30 seconds.
Why do you need Two-Factor Authentication for your WordPress?
When using a single-factor authentication mechanism, if attackers guess your WordPress user’s password they can log in to your website, creating havoc, infecting it with malware, etc. When using two-factor authentication, attackers still cannot log in to your website, even if they guess your password. They also need the one-time code to log in, which is only known to you.
Therefore, when you enable two-factor authentication on your WordPress website you add an additional layer of security to the website’s login pages. Two-factor authentication also helps mitigate WordPress brute-force attacks.
However, two-factor authentication does not replace the need to use strong passwords on your WordPress websites. That is a must.
How does Two-Factor Authentication work?
To log in to a website that uses two-factor authentication you need to submit a password and a one-time code. The most common methods of receiving the one-time code are email, SMS or a smartphone app. There are several other methods available, especially via premium third-party services. However, in this article I will only explain how the most common methods work.
Using Email or SMS
When you configure the two-factor authentication plugin on your WordPress website you must specify either your mobile phone number or email address. Once configured, to log in to your website you need to specify the:
- username
- password
- one-time code (sent to you via email or SMS)
When using the email or SMS setup you depend on the availability of these services to log in. In some cases you might also incur costs, for example from SMS providers. This means that if the service you are using is unreachable you cannot log in to your WordPress website.
Using an Authenticator App or Device
Some two-factor authentication plugins support an authenticator app or a hardware device. The Google Authenticator app is one of the most popular. To set up the authenticator app you must scan a QR code or enter a code in the app. The code is provided by the plugin.
If you are using a two-factor authentication device, there is nothing to set up. Typically the device is provided by the third-party service provider and is already set up.
Once you configure everything, you must supply the username, password and the one-time code the next time you want to log in to your WordPress website. You get the one-time code from your smartphone app or 2FA device.
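The authenticator-app flow described above is the TOTP scheme from RFC 6238: at setup the plugin generates a random shared secret (the QR code is just that secret plus the site name, encoded as an otpauth:// URI), and afterwards both the app and the server derive the same 6-digit code from that secret and the current 30-second time window. The following is an added example, not code from the article or from any WordPress plugin; the account and issuer names are placeholders, and the drift and replay handling are this example's design choices, not something the article specifies.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import quote

TIME_STEP = 30  # seconds a code stays valid (the "30 seconds" mentioned above)
DIGITS = 6      # length of the one-time code shown by the app


def new_secret(num_bytes: int = 20) -> str:
    """Generate the shared secret a plugin hands to the user at setup.
    Base32-encoded, which is the form authenticator apps expect."""
    return base64.b32encode(os.urandom(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the setup QR code encodes
    (account and issuer are hypothetical labels chosen by the site)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).
    This is what the phone app computes and displays."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step)


def verify_totp(secret_b32: str, submitted: str, at_time=None,
                step: int = TIME_STEP, drift: int = 1, last_used_counter: int = -1):
    """Server-side check. Returns the matched time-step counter, or None.
    Accepts the current window plus `drift` windows either side to tolerate
    clock skew between phone and server, and refuses any counter not newer
    than `last_used_counter` so a code cannot be replayed inside its window."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for delta in range(-drift, drift + 1):
        candidate_counter = counter + delta
        if candidate_counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate_counter), submitted):
            return candidate_counter
    return None


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); the RFC's
# published SHA-1 vectors let you confirm this matches what real apps produce.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    secret = new_secret()
    print("QR code contents:", provisioning_uri(secret, "admin@example.com", "ExampleSite"))
    code = totp(secret)
    print("Code right now:", code, "-> accepted at counter", verify_totp(secret, code))
```

The server stores the counter returned by `verify_totp` alongside the user and passes it back as `last_used_counter` on the next attempt; that is what makes the code genuinely one-time rather than merely short-lived. Note that the secret must be stored as securely as a password hash cannot be: it is a reversible shared key, so anyone who reads the plugin's secret table can generate valid codes.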
Backup Codes for when you cannot get the one-time code
Backup codes, or offline codes, are a set of one-time passwords (OTPs) or codes. They can be used if you cannot access your email account, receive an SMS or access your smartphone app during login. You can generate offline codes from your plugin’s settings. Note that not all plugins support offline codes.
When you generate these codes, print them or write them down and store them in a secure place. That way, if for some reason you cannot get the one-time code via email, SMS or the app, you can use one of them to log in to your WordPress website. Once you have used all the offline codes you must generate another set from the plugin’s settings.
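A plugin that supports backup codes has to show them to the user exactly once and then keep only something that lets it recognise a code later without being able to recover it, the same way it treats passwords. The following is an added example of that lifecycle, not code from the article or from any plugin; the alphabet, code length, code count and storage layout are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Letters and digits that are easy to read back from paper (no 0/O, 1/l/I).
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10   # 31**10 possibilities, roughly 49 bits of entropy per code
CODE_COUNT = 8


def _hash_code(code: str, salt: bytes) -> str:
    # Backup codes are high-entropy random strings, so a single salted SHA-256
    # suffices; the slow hashes used for passwords exist for low-entropy input.
    return hashlib.sha256(salt + code.encode("ascii")).hexdigest()


def generate_backup_codes(count: int = CODE_COUNT):
    """Return (plaintext codes to show the user once, record to store).
    The record holds only a salt, hashes and per-code used flags."""
    codes = []
    while len(codes) < count:
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        if code not in codes:  # keep every code distinct
            codes.append(code)
    salt = secrets.token_bytes(16)
    record = {
        "salt": salt,
        "hashes": [_hash_code(c, salt) for c in codes],
        "used": [False] * count,
    }
    return codes, record


def redeem_backup_code(record: dict, submitted: str) -> bool:
    """Consume a code at login: True the first time a valid code is used,
    False for unknown or already-used codes. Every slot is compared so the
    response time does not depend on which slot (if any) matched."""
    normalised = submitted.strip().lower()
    if len(normalised) != CODE_LENGTH or any(ch not in CODE_ALPHABET for ch in normalised):
        return False
    candidate = _hash_code(normalised, record["salt"])
    matched = None
    for i, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(stored, candidate) and not record["used"][i]:
            matched = i
    if matched is None:
        return False
    record["used"][matched] = True
    return True


def remaining_backup_codes(record: dict) -> int:
    return record["used"].count(False)


def needs_regeneration(record: dict) -> bool:
    """True once every code has been spent, i.e. the user must generate a new set."""
    return remaining_backup_codes(record) == 0


if __name__ == "__main__":
    shown_once, stored = generate_backup_codes()
    print("Print or write these down:", " ".join(shown_once))
    print("Login with first code:", redeem_backup_code(stored, shown_once[0]))
    print("Same code again:", redeem_backup_code(stored, shown_once[0]))
    print("Codes left:", remaining_backup_codes(stored))
```

Because the stored record contains only hashes, an attacker who dumps the database cannot log in with the backup codes, which is the property the printed copy in your drawer relies on; treat that paper as you would a password.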
Does Two-Factor Authentication have any other security benefits?
Two-factor authentication only adds an additional layer of security to your WordPress login page. It does not protect your website or web server if they have any vulnerabilities. This means that it is not a replacement for security hardening, keeping all your software up to date and following security best practices.
Which Two-Factor Authentication WordPress plugin should you use?
There are several WordPress plugins available. Some are free and some are premium. Some are dedicated (they just add two-factor authentication) and some are a combination of WordPress security features.
I prefer to use dedicated plugins and use WP 2FA, our own very easy to use yet powerful WordPress two-factor authentication plugin. Dedicated plugins specialize in the feature or service they provide, thus providing a better and more flexible solution. If you are looking for alternatives, refer to the best Two-factor Authentication plugins for WordPress for a list and explanation of the most popular 2FA WordPress plugins.