April 4, 2017 by Paul G. | Migrated, Shield Security

Multi-Factor and Two-Factor Authentication For WordPress – Shield

Shield Image

Two-factor authentication (2FA) is a one of the best ways to secure account access – for any platform, WordPress included.

1 extra piece of information alongside your account password goes a long way. It reduces vulnerability to a category of issues that surround account integrity.

Shield Security has integrated easy-to-use two-factor authentication (2FA) almost since we started it. By forcing users to confirm their identity we lock-down WordPress account access to the verified account owners only.

We started with email two-factor authentication – is email the most secure ever? No, but that’s not an issue.

You see, 2FA isn’t designed to offer the most secure account access EVER. Instead, it presents an extra obstacle, another layer of complexity, to unauthorised account access.

Different approaches to 2-Factor Authentication

As with anything on the internet, there are a lot of opinions on the “best” 2FA method to use.

So which approach actually is the best?  That doesn’t matter. What matters more is that you have one.

A better question to ask is: which one am I most likely to use?

i.e. how can we get as many people to use 2FA, such as email or Google Authenticator, without screwing them over. (I’ll come back to this a little later)

Here are just some of the methods:

  • email
  • Google Authenticator
  • Google Prompt
  • Authy
  • Duo
  • SMS
  • Push(over)
  • Yubi(key)

Again, everyone on the Internets has an opinion on each of these. You’ll hear people decry SMS and email as insecure. But again, moving yourself to use 2FA more and more is about getting a system that works for you.

Here’s a simple challenge to illustrate. Which the most secure login method?

  1. password only
  2. password + email-based two-factor authentication (requires little or no setup)
  3. password + Google Authenticator (that you never bother to setup because it’s got too many steps or it’s burnt you in the past)

It’s a tricky one, I know, but take your time.

I hope you understand the point we’re trying to make. It’s more important to use at least 1, than to not use any.

How to add Two-Factor Authentication to WordPress

Our Shield Security plugin offers 4 different types of 2-Factor Authentication:

  1. Email (after you login, you’ll get an sent to your account with a code / link to use to complete the login)
  2. Google Authenticator – you’ll use an app that generates a random code which you use to login
  3. Yubikey – like the other 2 methods, but uses a hardware device that generates the code
  4. U2F login authentication – use as many devices as you want (such as a Yubikey, or Google Titan key)

With Shield Security we’ve completely rewritten how 2FA works. Before now, we’ve been adding elements directly to the WordPress login screen.

You will be presented with a brand new screen that asks you for your authentication codes. The user provides all (or just 1) of their codes to complete their login.  This gives us a few great wins, such as:

  1. Smoother UX – Shield presents the authentication screen if, and only if, the user has 2FA enabled.
  2. Smoother UX x 2 – Shield presents only the multi-factor authentication field that the user has activated.
  3. Better compatibility – we reduce dependency on the WordPress login screen. This meanings we’ll work better with 3rd party login forms, and you’re less likely to run into issues.
  4. Easier Extensions – we can now easily add more authentication methods without cluttering up the WordPress login screen.

Two-Factor, or Multi-Factor?

When logging into anything, your 1st “factor” is your password.  If you’ve setup email authentication, then the code/link in your email is your 2nd factor.

If you use email authentication and then add Yubikey, you now have “Multi-Factor” Authentication.

The more “factors” you add, the more secure your account access. If someone gets your password, and even access to your email account, but you also have Google Authenticator, you’re still safe!

Shield Security supports both two factor or multi-factor authentication. You can enable ‘Email’, ‘Yubikey’ and ‘Google Authenticator’ on your user accounts and have the option to chain them together.

Whether you decide to chain them to create Multi-Factor authentication, or not, is up to you. But your pay-offs are usability and user management in the form of managing the cases where users lose access to one of their login factors.

When Google Authenticator screws you over

How can a 2FA system make your life a misery? Simple – when you lose your ability to generate your 2FA codes.

How can this happen? So imagine you use the Google Authenticator app on your phone to save your codes.  But what happens to your codes when:

  • your phone crashes and it needs to be reset
  • your accidentally delete the wrong account from the app
  • you drop your phone into your pint
  • … < insert catastrophe here >

The answer is, you’re locked out of your account. To get around this, you need backups of your Google Authenticator codes – we recommend using an alternative – Authy App.

Question or Comments?

If you have any questions or comments for us, please let us know in the comments below.

ShieldPRO Testimonials
@graceys's Gravatar @graceys

Amazingly Simple, but powerful

Although I’ve only had this installed for a few days, already it has “saved my bacon”, and my sanity. I have had my wp “limit login attempts” locked down to a pretty tight time frame and boot out before I installed it, but WP Simple Firewall does everything it says,…

@sg7biz's Gravatar @sg7biz

Simple and effective

Like this plugin, as it works, has lots option and not slowing up the site.

@stevenw123's Gravatar @stevenw123

Siteground conflict

Hi, I’ve enjoyed using your plugin for two years or so, but I’ve just moved to Siteground for my hosting and I’m getting endless problems. Shield logs me out every couple of minutes and makes me log back in, even though I’m working on the site, so it is not…

@desgio's Gravatar @desgio

Best Plugin to protect my website

I feel more secure after using this plugin at my website

Hey there handsome! Do you like what you've read here? :)

If this cool feature is something you'd like, but you haven't gone PRO yet, click here to get started today. (no risk, with a 14-day satisfaction guarantee!)

You'll get all PRO features, including Malware Scanning, WP Config Protection, Plugin FileGuard, import/export, customer support, and so much more. Not only that, you'll get that warm, fuzzy feeling that comes from supporting our work and future development.

Make Me Pro →

Comments (10)

    Two-factor authentication secures users account from the cyber criminals. Thank you for explaining the concept and steps to enable the solution on a WordPress website. It should be great of you mention some more 2FA plugins.

    Is there a way to set up different ways to authenticate a person trying to get into their wordpress site? Lets say I want the most secure way possible for myself to log into my website. I have a username and password and use Authy as 2FA. Authy only gives me 30 seconds to submit a code before switching it up. Thats easy enough for me to do, but what if I have a developer across town that needs to get in, and I want to make sure they need me to grant them access to get in? I cannot give them that Authy code fast enough. Can I set it up for them to get in with the email code that is sent out? Would I need to have multiple administrators on the account and have different methods of getting in?

      The Shield Security plugin doesn’t support this sort of multi-factor authentication setup. I guess if you’re sharing user accounts – and I can’t think of a good reason for that, then you could have a shared email address perhaps. Other than that, not sure what to suggest here.

    I can’t understand why the email doesn’t arrive! What could be common problems?

      If you’re having trouble with email on your site, please read and follow this guide:

    I use the Google Authenticator Plugin, one thing to note is that on old android phones, there is a glitch that makes the time sequence out of whack, and you don’t have enough time to log in. So If you are planning on implementing any of these plugins in your website, make sure you have a backup done before implementation, so you can recover your account if the plugin locks you out.

    Ok, It looks like I’m a two factor authentication dingaling because I no longer have my old phone and didn’t switch it before moving to new phone. Is there any way to access my account or should I just create a new account under a different email address?

    I can’t find the setting to enable 2FA, and the instructions are outdated, showing an old version of the plugin.

    Does this plugin also work with Microsoft Authenticator?

      Hi Wolfgang,

      Shield supports Google Auth, which is also compatible with other Time-based password generators like Microsoft Authenticator.
      It also supports hardware 2FA such as Yubikey and Google Titan Key.
      Currently only U2F keys are supported.
      You may read more about U2F support in Shield here.

Leave a Comment

Your email address will not be published.

Click to access the login or register cheese