Two-Factor Authentication (2FA) is a wonderful thing as it does a great job of protecting our accounts.
But it has its weaknesses. You’ll know this if you’ve ever lost your phone with your Google Authenticator codes. It can be a painful journey to recover our accounts in these instances.
What if there was a way we could make this recovery process a little less painful?
Login Backup Recovery Codes with Shield Security v6.10
Starting with Shield Security v6.10, we’re introducing backup recovery codes.
These backup codes are one-time-only passwords that grant 2FA access to your account if, for whatever reason, your other factors aren’t available.
Many service providers that offer Google Authenticator (GA) offer backup codes. They know that losing your GA device can be trouble, as they’ll need to verify your identity and reset your account.
There’s no good reason why your WordPress accounts can’t have them either.
Why Do Login Recovery Codes Matter?
There are a number of reasons why allowing recovery codes, for you and your users, is important.
- A better user experience. When a user drops their phone in the bath, they lose their ability to generate GA codes. They’re now locked out of their accounts and they can’t do anything of their own volition to fix the problem (except contact an admin).
With recovery codes, they can get back in to make changes to their account (i.e. disable their GA and recreate it) without contacting anyone else for help.
- A better admin experience. The less a user must come to you for support, the better your life (and theirs) will be. If a user can solve their own problems without your help, they’re happier, and so are you.
- A better security experience. With added security comes added complexity for everyone. It also presents some anxiety, as we need to be prepared for when it breaks and locks us out. With recovery codes, if you’re having email deliverability issues, recovery codes will help everyone work around the problem, smoothing out any bumps in the road.
Important Characteristics of Shield Recovery Codes
Please bear in mind the following important characteristics when using recovery codes:
- Single-use only. When you use a recovery code, it cannot ever be re-used.
- One at a time. There is only 1 recovery code available at a time, per account. If you generate a new code, it replaces the existing code.
- Manual code (re)generation. You must manually generate your codes from your WP user profile page. If you use the code, you must manually recreate another.
- It overrides multi-factor authentication. If you’ve configured your system to require all factors (i.e. multi-factor authentication) while logging in, a backup code will still work. I.e. providing a recovery code will always work to complete your login, regardless of how many factors are missing.
- Backup codes are entirely optional. There is a site-level option to turn on/off backup codes, and individual users can generate and delete their backup codes, as they desire.
A recovery code clearly doesn’t replace your account username and password, but you should store this code in a safe place. If your password is compromised, and you haven’t securely stored your backup code, you’re putting your account at risk.
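The characteristics above (single-use, one code per account, new code replaces the old, recovery code completes login even under a require-all-factors policy) can be modelled in a few lines. This is an added illustration written for this post, not Shield’s own code; the code length, hashing parameters and the `complete_2fa` policy helper are assumptions, since the plugin’s internals aren’t described here.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: a 16-hex-character code; Shield's real alphabet/length is not stated on the page.
CODE_BYTES = 8


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store only a salted, stretched hash so a database leak does not expose live codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class RecoveryCodeStore:
    """Holds at most one recovery code per user, stored only as a salted hash."""

    def __init__(self):
        self._codes = {}  # user -> (salt, hash)

    def generate(self, user: str) -> str:
        """Create a new code for the user; it replaces any existing one. Plaintext is returned once."""
        code = secrets.token_hex(CODE_BYTES)
        salt = os.urandom(16)
        self._codes[user] = (salt, _hash_code(code, salt))
        return code

    def has_code(self, user: str) -> bool:
        return user in self._codes

    def redeem(self, user: str, candidate: str) -> bool:
        """Single-use: a matching code is deleted before True is returned."""
        entry = self._codes.get(user)
        if entry is None:
            return False
        salt, stored = entry
        if not hmac.compare_digest(stored, _hash_code(candidate, salt)):
            return False
        del self._codes[user]  # consumed; the user must manually generate another
        return True


def complete_2fa(store, user, factors_passed, required_factors, recovery_code=None) -> bool:
    """A valid recovery code overrides the require-all-factors policy; otherwise every factor must pass."""
    if recovery_code is not None and store.redeem(user, recovery_code):
        return True
    return all(factors_passed.get(f, False) for f in required_factors)
```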
How To Set Up Backup Recovery Codes Using Shield
The 1st step is to allow users on the site to use the recovery codes feature:
Once enabled, any user on the site will have a new option in their profile to generate a backup code.
Please note: if the option to generate codes does not appear on their profile, this means that there is no 2FA factor active on their account. This is a recovery system, and not designed to be a standard 2FA option for everyday use.
How To Get Access To The Recovery Codes Feature
This feature is available with Shield Security v6.10, and is a pro-only feature.
If you wish to make use of this pro feature, and all the other pro-features, you can upgrade today for the equivalent of just $1/month.
Any questions or comments, please leave them below. Thank you!