Two-factor authentication (2FA) is a one of the best ways to secure account access – for any platform, WordPress included.

1 extra piece of information alongside your account password goes a long way. It reduces vulnerability to a category of issues that surround account integrity.

Shield Security has integrated easy-to-use two-factor authentication (2FA) almost since we started it. By forcing users to confirm their identity we lock-down WordPress account access to the verified account owners only.

We started with email two-factor authentication – is email the most secure ever? No, but that’s not an issue.

You see, 2FA isn’t designed to offer the most secure account access EVER. Instead, it presents an extra obstacle, another layer of complexity, to unauthorised account access.

Different approaches to 2-Factor Authentication

As with anything on the internet, there are a lot of opinions on the “best” 2FA method to use.

So which approach actually is the best?  That doesn’t matter. What matters more is that you have one.

A better question to ask is: which one am I most likely to use?

i.e. how can we get as many people to use 2FA, such as email or Google Authenticator, without screwing them over. (I’ll come back to this a little later)

Here are just some of the methods:

  • email
  • Google Authenticator
  • Google Prompt
  • Authy
  • Duo
  • SMS
  • Push(over)
  • Yubi(key)
  • Passkeys/WebAuthn

Again, everyone on the Internets has an opinion on each of these. You’ll hear people decry SMS and email as insecure. But again, moving yourself to use 2FA more and more is about getting a system that works for you.

Here’s a simple challenge to illustrate. Which the most secure login method?

  1. password only
  2. password + email-based two-factor authentication (requires little or no setup)
  3. password + Google Authenticator (that you never bother to setup because it’s got too many steps or it’s burnt you in the past)

It’s a tricky one, I know, but take your time.

I hope you understand the point we’re trying to make. It’s more important to use at least 1, than to not use any.

How to add Two-Factor Authentication to WordPress

Our Shield Security plugin offers 4 different types of 2-Factor Authentication:

  1. Email (after you login, you’ll get an sent to your account with a code / link to use to complete the login)
  2. Google Authenticator – you’ll use an app that generates a random code which you use to login
  3. Yubikey – like the other 2 methods, but uses a hardware device that generates the code
  4. Passkeys/WebAuthn – use as many devices as you want

With Shield Security we’ve completely rewritten how 2FA works. Before now, we’ve been adding elements directly to the WordPress login screen.

You will be presented with a brand new screen that asks you for your authentication codes. The user provides all (or just 1) of their codes to complete their login.  This gives us a few great wins, such as:

  1. Smoother UX – Shield presents the authentication screen if, and only if, the user has 2FA enabled.
  2. Smoother UX x 2 – Shield presents only the multi-factor authentication field that the user has activated.
  3. Better compatibility – we reduce dependency on the WordPress login screen. This meanings we’ll work better with 3rd party login forms, and you’re less likely to run into issues.
  4. Easier Extensions – we can now easily add more authentication methods without cluttering up the WordPress login screen.

Two-Factor, or Multi-Factor?

When logging into anything, your 1st “factor” is your password.  If you’ve setup email authentication, then the code/link in your email is your 2nd factor.

If you use email authentication and then add Yubikey, you now have “Multi-Factor” Authentication.

The more “factors” you add, the more secure your account access. If someone gets your password, and even access to your email account, but you also have Google Authenticator, you’re still safe!

Shield Security supports both two factor or multi-factor authentication. You can enable ‘Email’, ‘Yubikey’ and ‘Google Authenticator’ on your user accounts and have the option to chain them together.

Whether you decide to chain them to create Multi-Factor authentication, or not, is up to you. But your pay-offs are usability and user management in the form of managing the cases where users lose access to one of their login factors.

When Google Authenticator screws you over

How can a 2FA system make your life a misery? Simple – when you lose your ability to generate your 2FA codes.

How can this happen? So imagine you use the Google Authenticator app on your phone to save your codes.  But what happens to your codes when:

  • your phone crashes and it needs to be reset
  • your accidentally delete the wrong account from the app
  • you drop your phone into your pint
  • … < insert catastrophe here >

The answer is, you’re locked out of your account. To get around this, you need backups of your Google Authenticator codes – we recommend using an alternative – Authy App.

Question or Comments?

If you have any questions or comments for us, please let us know in the comments below.