Two-factor authentication (2FA) is one of the best ways to secure account access – for any platform, WordPress included.
One extra piece of information alongside your account password goes a long way. It greatly reduces your exposure to a whole category of account-takeover problems, because a leaked or guessed password on its own is no longer enough to log in.
Shield Security has offered easy-to-use two-factor authentication (2FA) almost since the plugin began. By forcing users to confirm their identity, we lock down WordPress account access to the verified account owners only.
We started with email two-factor authentication – is email the most secure ever? No, but that’s not an issue.
You see, 2FA isn’t designed to offer the most secure account access EVER. Instead, it presents an extra obstacle, another layer of complexity, to unauthorised account access.
Different approaches to 2-Factor Authentication
As with anything on the internet, there are a lot of opinions on the “best” 2FA method to use.
So which approach actually is the best? That doesn’t matter. What matters more is that you have one.
A better question to ask is: which one am I most likely to use?
In other words: how can we get as many people as possible using 2FA, whether that’s email or Google Authenticator, without it coming back to bite them? (I’ll come back to this a little later.)
Here are just some of the methods:
- Google Authenticator
- Google Prompt
- Authy
- Duo
- SMS
- Push(over)
- Yubi(key)
- Passkeys/WebAuthn
Again, everyone on the Internets has an opinion on each of these. You’ll hear people decry SMS and email as insecure. But again, moving yourself to use 2FA more and more is about getting a system that works for you.
Here’s a simple challenge to illustrate. Which is the most secure login method?
- password only
- password + email-based two-factor authentication (requires little or no setup)
- password + Google Authenticator (that you never bother to setup because it’s got too many steps or it’s burnt you in the past)
It’s a tricky one, I know, but take your time.
I hope you understand the point we’re trying to make. Using at least one method matters far more than which one you pick.
How to add Two-Factor Authentication to WordPress
Our Shield Security plugin offers 4 different types of 2-Factor Authentication:
- Email (after you log in, an email is sent to your account with a code or link that you use to complete the login)
- Google Authenticator – you’ll use an app that generates a random code which you use to login
- Yubikey – like the other 2 methods, but uses a hardware device that generates the code
- Passkeys/WebAuthn – use as many devices as you want
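The Google Authenticator method above is a time-based one-time password (TOTP): the app and the site share a secret, and both derive a short code from it and the current 30-second time slot. The following is an added example, not code from Shield Security or any of the apps listed, written in Python to show what actually happens on the verifying side: the HOTP function from RFC 4226, the time-based wrapper from RFC 6238, the base32 secret format authenticator apps use, and a verification step that tolerates a little clock drift between the phone and the server. The `window` of one step on either side is an assumed setting, not something the page specifies.

```python
# Added example (not Shield Security's code): how a Google Authenticator-style
# code is generated and checked, per RFC 4226 (HOTP) and RFC 6238 (TOTP).
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code, the Google Authenticator default
DIGITS = 6       # code length shown by the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second slots since the Unix epoch."""
    return hotp(secret, at // step)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as (often unpadded, space-grouped) base32."""
    cleaned = text.replace(" ", "").upper()
    padding = "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned + padding)


def verify_totp(secret: bytes, submitted: str, at: int,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """Accept the code for the current slot and up to `window` slots either side.

    The tolerance covers small clock drift on the user's phone; a server that
    accepts only the exact current slot locks out anyone whose clock is a few
    seconds off. Codes are compared in constant time so the comparison itself
    does not leak how many leading digits matched.
    """
    current = at // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    # The RFC 6238 reference secret (ASCII "12345678901234567890"), as a
    # phone app would receive it during setup.
    secret = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(totp(secret, at=59))                        # 287082 (RFC 6238 vector, 6 digits)
    print(verify_totp(secret, "287082", at=59))       # True
    print(verify_totp(secret, "287082", at=95))       # False: two slots later, outside the window
```

A real deployment also records the last counter value that was accepted for each user, so that a code captured over someone's shoulder cannot be replayed inside the same 30-second slot.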
With Shield Security we’ve completely rewritten how 2FA works. Before now, we’ve been adding elements directly to the WordPress login screen.
You will be presented with a brand new screen that asks you for your authentication codes. The user provides all (or just 1) of their codes to complete their login. This gives us a few great wins, such as:
- Smoother UX – Shield presents the authentication screen if, and only if, the user has 2FA enabled.
- Smoother UX x 2 – Shield presents only the multi-factor authentication field that the user has activated.
- Better compatibility – we reduce our dependency on the WordPress login screen. This means we work better with 3rd party login forms, and you’re less likely to run into issues.
- Easier Extensions – we can now easily add more authentication methods without cluttering up the WordPress login screen.
Two-Factor, or Multi-Factor?
When logging into anything, your 1st “factor” is your password. If you’ve set up email authentication, then the code/link in your email is your 2nd factor.
If you use email authentication and then add Yubikey, you now have “Multi-Factor” Authentication.
The more “factors” you add, the more secure your account access. If someone gets your password, and even access to your email account, but you also have Google Authenticator, you’re still safe!
Shield Security supports both two-factor and multi-factor authentication. You can enable ‘Email’, ‘Yubikey’ and ‘Google Authenticator’ on your user accounts and have the option to chain them together.
Whether you decide to chain them to create Multi-Factor authentication, or not, is up to you. The trade-off is usability and user management: the more factors you chain, the more often you’ll be dealing with users who have lost access to one of their login factors.
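Two pieces of the flow described above, the email factor and the post-password screen that asks only for the factors a user has enabled (and, when chained, for all of them), are easy to get subtly wrong. The following is an added example in Python, not Shield Security's code, showing one sound way to do both: the emailed code is stored only as a hash, expires, is single-use and is discarded after too many wrong guesses, and `factors_to_present` computes what the authentication screen still has to ask for. The 10-minute lifetime, the 5-attempt limit and the factor names are assumptions made for the example.

```python
# Added example (not Shield Security's code): lifecycle of an emailed one-time
# code, plus the "which factors are still outstanding" check for a 2FA screen
# that chains every factor the user has enabled.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL = 600        # seconds an emailed code stays valid (assumed value)
MAX_ATTEMPTS = 5      # wrong guesses before the code is thrown away (assumed value)

# Factor names used by this example only; Shield's internal identifiers are not on the page.
ALL_FACTORS = ("email", "google_authenticator", "yubikey", "passkey")


@dataclass
class PendingEmailCode:
    digest: str        # only a hash of the code is kept server-side
    expires_at: int    # Unix time after which the code is dead
    attempts: int = 0  # wrong submissions so far


def _digest(user_id: int, code: str) -> str:
    """Hash the code together with the user id so a code is bound to one account."""
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


def issue_email_code(user_id: int, now: int, store: dict) -> str:
    """Create a fresh 6-digit code, remember its hash and expiry, return the code to email.

    Re-issuing replaces any earlier pending code for the user.
    """
    code = f"{secrets.randbelow(10 ** 6):06d}"      # CSPRNG, not random.randint
    store[user_id] = PendingEmailCode(_digest(user_id, code), now + CODE_TTL)
    return code


def verify_email_code(user_id: int, submitted: str, now: int, store: dict) -> bool:
    """Accept the code once, inside its lifetime, within the attempt budget."""
    pending = store.get(user_id)
    if pending is None:
        return False
    if now > pending.expires_at:
        del store[user_id]                            # expired: forget it
        return False
    pending.attempts += 1
    if hmac.compare_digest(pending.digest, _digest(user_id, submitted)):
        del store[user_id]                            # single use
        return True
    if pending.attempts >= MAX_ATTEMPTS:
        del store[user_id]                            # too many guesses: start over
    return False


def factors_to_present(enabled: set, passed: set) -> list:
    """Factors the 2FA screen still needs to ask for, in a fixed display order.

    Every enabled factor must pass (chained MFA). An empty result means the
    login may complete; a user with nothing enabled never sees the screen.
    """
    return [f for f in ALL_FACTORS if f in enabled and f not in passed]


if __name__ == "__main__":
    pending = {}
    code = issue_email_code(42, now=1000, store=pending)
    print("emailed code:", code)
    print(verify_email_code(42, code, now=1200, store=pending))   # True, then the code is gone
    print(verify_email_code(42, code, now=1201, store=pending))   # False: single use
    print(factors_to_present({"email", "yubikey"}, {"email"}))    # ['yubikey']
```

`store` stands in for whatever persistent storage the site uses (in WordPress that would typically be user meta); the important properties are that the plaintext code is never written down and that the record disappears on success, on expiry and after repeated failure.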
When Google Authenticator screws you over
How can a 2FA system make your life a misery? Simple – when you lose your ability to generate your 2FA codes.
How can this happen? Imagine you use the Google Authenticator app on your phone to hold your codes. What happens to those codes when:
- your phone crashes and it needs to be reset
- you accidentally delete the wrong account from the app
- you drop your phone into your pint
- … < insert catastrophe here >
The answer is, you’re locked out of your account. To get around this, you need backups of your Google Authenticator codes – we recommend using an alternative, the Authy app.
Question or Comments?
If you have any questions or comments for us, please let us know in the comments below.
Two-factor authentication secures user accounts from cyber criminals. Thank you for explaining the concept and steps to enable the solution on a WordPress website. It would be great if you mentioned some more 2FA plugins.
Is there a way to set up different ways to authenticate a person trying to get into their WordPress site? Let’s say I want the most secure way possible for myself to log into my website. I have a username and password and use Authy as 2FA. Authy only gives me 30 seconds to submit a code before switching it up. That’s easy enough for me to do, but what if I have a developer across town that needs to get in, and I want to make sure they need me to grant them access to get in? I cannot give them that Authy code fast enough. Can I set it up for them to get in with the email code that is sent out? Would I need to have multiple administrators on the account and have different methods of getting in?
The Shield Security plugin doesn’t support this sort of multi-factor authentication setup. I guess if you’re sharing user accounts – and I can’t think of a good reason for that, then you could have a shared email address perhaps. Other than that, not sure what to suggest here.
I can’t understand why the email doesn’t arrive! What could be common problems?
If you’re having trouble with email on your site, please read and follow this guide:
https://www.icontrolwp.com/blog/trouble-free-email-solution-wordpress-mandrillapp/
I use the Google Authenticator Plugin, one thing to note is that on old Android phones, there is a glitch that makes the time sequence out of whack, and you don’t have enough time to log in. So if you are planning on implementing any of these plugins in your website, make sure you have a backup done before implementation, so you can recover your account if the plugin locks you out.
Ok, It looks like I’m a two factor authentication dingaling because I no longer have my old phone and didn’t switch it before moving to new phone. Is there any way to access my account or should I just create a new account under a different email address?
I can’t find the setting to enable 2FA, and the instructions are outdated, showing an old version of the plugin.
Does this plugin also work with Microsoft Authenticator?
Hi Wolfgang,
Shield supports Google Auth, which is also compatible with other Time-based password generators like Microsoft Authenticator.
It also supports hardware 2FA such as Yubikey and Google Titan Key.
Currently only U2F keys are supported.
You may read more about U2F support in Shield here.
Any plans to support Web Authentication soon? I use it on one of our sites and it is a great 2FA solution.
Hi Eddie,
We do plan to implement WebAuthn into Shield in much the same manner as we did U2F, but we don’t have a time frame for this yet.
We have a number of development plans ahead of this, but we hope to have WebAuthn ready soon.
As always, you can still use Yubikey One Time Passwords with Shield.
I am trying to set it up, and when I go to my profile to input the 5-digit ID for the key, i.e. 12345, and the secret key, i.e. 12A3deFg/HIJKLmnoPqrStuVwx70, there is no option to do it. The message reads, “Currently, there is no option for 2-factor authentication methods for your account.” Or something along those lines. I went to shield security>configuration>login protection, selected “hardware key”, and selected all the checkboxes. I then saved it, but nothing changed on the profile end. Anything else I am missing? Refreshing the page did not change anything either.
Hi Fabien,
The reason why you’re seeing the “There are currently no 2FA providers available on your account.” message on your profile page is that you don’t have any of the following MFA factors activated in Shield for your account/user role:
– Google Authenticator
– 2FA by email
– Hardware 2FA
If the problem is with U2F (enabled in Shield but options unavailable on your profile page), unfortunately, the reason why U2F isn’t available on the user MFA settings pages is probably because most browsers have disabled the ability to use it now.
If it helps, you can use Yubikey with Shield. To do this, please follow these guides here.
Is there any way to configure users to be required to use MFA? I really need that.
Hi Michelle,
Currently, you can enforce users to use 2FA by email, based on user roles you choose. We go into further details on this here.
You can also add custom user role(s), if you need to.
It’s not possible to enforce users to use any other 2FA/MFA factor (Google Authenticator, Yubikey or U2F)… However, this is something we plan to add, including the ability for site admins to see which user has enabled it for their account and which user hasn’t.
So, at the moment, you can enforce 2FA by email for any user roles you want, and let them choose if they want to use other 2FA factors for their own account or not.
Hope this helps.