Introduction to Two-factor Authentication for WordPress

Last updated on September 06th, 2018 by Robert Abela. Filed under WordPress Security Readings

Two-Factor Authentication for WordPress

What is Two-Factor Authentication?

By default, WordPress uses a single-factor authentication mechanism. That single factor is the password, a value that should be known only to you.

The WordPress login page

A two-factor authentication mechanism, also known as 2FA, TFA or two-step authentication, requires two factors to authenticate a user. The two factors are a password and a one-time password (OTP) or code. Both the password and the one-time code are known only to the user. The code is called a one-time code because it is valid for only a short amount of time, such as 30 seconds.

A WordPress login with two-factor authentication configured

Why do you need Two-Factor Authentication for your WordPress?

When using a single-factor authentication mechanism, if attackers guess your WordPress user’s password they can log in to your website, wreak havoc, infect it with malware and so on. When using a two-factor authentication mechanism, even if the attackers guess your password they still cannot log in to your WordPress website or blog, because they do not have the one-time code, which is only known to you.

Therefore, by enabling two-factor authentication on your WordPress website you add an additional layer of security to your WordPress admin pages. Two-factor authentication also helps mitigate WordPress brute-force attacks.

How does Two-Factor Authentication work?

To log in to a website that uses two-factor authentication you need to submit a password and a one-time code. The most common methods of receiving the one-time code are email, SMS or a smartphone app. Several other methods are available, especially via premium third-party services, but in this article I will only explain how the most common methods work.

Using Email or SMS

When you configure the two-factor authentication plugin on your WordPress website you must specify either your mobile phone number or your email address. The next time you want to log in to your WordPress site you must supply the username, the password and the one-time code, which is sent to you via email or SMS.

When using the email or SMS setup you depend on the availability of these services to log in, and in some cases you might also incur costs (SMS providers etc.). This means that if the service you are using is unreachable you cannot log in to your WordPress website until it is available again.

Using an Authenticator App or Device

One-time code generator for two-factor authentication

Some two-factor authentication plugins support an authenticator app or a device. Google Authenticator is one of the most popular apps. To set up the authenticator app you must scan a QR code or enter a code in the app; both are provided by the plugin. If a plugin uses a two-factor authentication device, there is nothing to set up and the device is typically provided by the third-party service provider. The next time you need to log in to your WordPress website you must supply the username, the password and the one-time code, which is generated automatically when you launch your smartphone app or device.
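The reason the app and the plugin agree on a code without ever talking to each other is that both hold the same secret (the one carried in the QR code) and both derive the code from the current 30-second time step. The following is an added illustration, not code from the article or from any WordPress plugin; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the RFC’s published test secret, and shows the server-side check with a small tolerance for clock drift.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def generate_secret(nbytes=20):
    """Shared secret created by the plugin at enrolment and handed to the
    authenticator app (usually inside a QR code); Base32 is the usual encoding."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """TOTP (RFC 6238): the counter is the current time step (30 s by default),
    which is why a code stops being valid after roughly half a minute."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32, candidate, at=None, step=30, window=1, digits=6):
    """Server-side check: accepts the current step and +/- `window` adjacent
    steps to tolerate clock drift; compares in constant time."""
    now = int(time.time()) if at is None else at
    counter = now // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d, digits), candidate)
               for d in range(-window, window + 1))


# RFC 6238 Appendix B test secret: the ASCII string "12345678901234567890".
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    print("code at t=59 :", totp(RFC6238_SECRET, at=59))  # 287082 per RFC 6238
    print("current code :", totp(RFC6238_SECRET))
```

A real plugin would additionally remember the last step it accepted for a user, so that a code captured in transit cannot be replayed inside the drift window.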

Backup Codes for when you cannot get the one-time code

Offline codes are a set of one-time passwords (OTPs) or codes that can be used to log in in case you cannot access your email account, receive an SMS or access your smartphone app. You can generate offline codes from your plugin’s settings. Note that not all plugins support offline codes.

When you generate these codes, print them or write them down on paper and store them in a secure place. Then, if for some reason you cannot get the one-time code via email, SMS or the app, you can use one of them to log in to your WordPress website. Once you have used all the offline codes you must generate another set from the plugin’s settings.
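The defining properties of offline codes described above (a fixed set, each usable exactly once, regenerated when exhausted) map onto a small server-side store. This is an added example and not code from the article or any plugin; the `BackupCodes` class and its parameters are assumptions. It hands the plaintext codes out once, keeps only salted PBKDF2 digests, and consumes a code on redemption.

```python
import hashlib
import hmac
import secrets


class BackupCodes:
    """Per-user store of offline codes. Only digests are kept, so a leaked
    database does not reveal the codes; each code can be redeemed once."""

    def __init__(self, count=10, nbytes=8, iterations=100_000):
        self.count, self.nbytes, self.iterations = count, nbytes, iterations
        self.salt = b""
        self.digests = set()

    def _digest(self, code):
        # Normalise what a user might type from a printed sheet (spaces, dashes, case).
        normalised = code.replace("-", "").replace(" ", "").lower()
        return hashlib.pbkdf2_hmac("sha256", normalised.encode(), self.salt, self.iterations)

    def generate(self):
        """Creates a fresh set, returning the plaintext codes exactly once for the
        user to print; the previous set (if any) is invalidated."""
        self.salt = secrets.token_bytes(16)
        codes = [secrets.token_hex(self.nbytes) for _ in range(self.count)]
        self.digests = {self._digest(c) for c in codes}
        return codes

    def remaining(self):
        return len(self.digests)

    def redeem(self, candidate):
        """Accepts a code at most once, comparing digests in constant time."""
        d = self._digest(candidate)
        for stored in self.digests:
            if hmac.compare_digest(stored, d):
                self.digests.remove(stored)  # single use: burn it
                return True
        return False


if __name__ == "__main__":
    store = BackupCodes()
    printed = store.generate()
    print("give these to the user once:", printed)
    print("first use :", store.redeem(printed[0]))   # True
    print("second use:", store.redeem(printed[0]))   # False, already burnt
    print("remaining :", store.remaining())
```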

Does Two-Factor Authentication have any other security benefits?

Two-factor authentication only adds an additional layer of security to your WordPress login page. It does not protect your website or web server if they have vulnerabilities. This means that it is not a replacement for security hardening, keeping all your software up to date and following security best practices.

Which Two-Factor Authentication WordPress plugin should you use?

There are several WordPress plugins available that you can use to set up two-factor authentication on your website. Some are free and some are premium. Some are dedicated (they only add two-factor authentication) and some are a combination of WordPress security features.

I prefer to use dedicated plugins. In most cases they specialize in the feature / service they provide, thus providing a better and more flexible solution, although this is not always the case. Refer to the Best Two-Factor Authentication plugins for WordPress for a list and explanation of the most common 2FA WordPress plugins.
