August 4, 2017 by Paul G. | Blog

Update: WordPress Email Two-Factor Authentication – No Auto-Login Links

Shield Image

This is a quick explanatory update on our Shield Security plugin for WordPress.

We’ve been providing email-based two-factor authentication (2FA) for a looong time. And recently we’ve received some feedback about the placing of a direct-login link within the email that is sent out.

How Shield’s Two-Factor Authentication Portal Works

With the portal you’re prompted to enter any or all of your 2FA codes to confirm your login. If you have turned on email-based 2FA, then you’ll get an email with both the code you need, and also a link.

This link will do 1 of 2 things:

  • if you have 2 or more factors that are required, then it’ll pre-populate the portal with your code #neat
  • if email is your only 2nd factor, it’ll log you straight into the site automagically #super-neat

The problem arises with the 2nd option. If a 2-factor email is sent out and intercepted, then the unwelcome visitor wins with a direct link right into your WordPress admin.

The chances of this are slim for 2 reasons:

  • the two-factor portal has a 5 minute window. If you miss it, you have to start your login from scratch.
  • the link can only ever be used once.

But the chance, however slim, remains. So what is the next step?

Decision: Remove The Automatic Login Link

The link is really convenient, but we feel that there is little/no inconvenience in copy-pasting the code into your login portal.

So from Shield v5.12.2 we’ve removed the link from the outgoing two-factor email. You will now have to copy-paste the code into the portal directly.

We apologise if this is a problem for you, but we hope you’ll understand the reason behind it.

Thanks!

ShieldPRO Testimonials
@qaysarthur's Gravatar @qaysarthur

Excellent plugin.

Great plugin. Works as advertised and makes life much easier!

@aquajazz's Gravatar @aquajazz

Security

I like this plugin a lot.

@kiwes01's Gravatar @kiwes01

I Feel Very Secure

Excellent control and allows you to customize it just as you see fit for your needs. Great plugin. I highly recommend!

@dsouzaalfred's Gravatar @dsouzaalfred

Great Plugin

Great Plugin

Hey there handsome! Do you like what you've read here? :)

If this cool feature is something you'd like, but you haven't gone PRO yet, click here to get started today. (no risk, with a 14-day satisfaction guarantee!)

You'll get all PRO features, including Malware Scanning, WP Config Protection, Plugin FileGuard, import/export, customer support, and so much more. Not only that, you'll get that warm, fuzzy feeling that comes from supporting our work and future development.

Make Me Pro →

Leave a Comment

Your email address will not be published.

Click to access the login or register cheese