October 2, 2018 by Paul G. | Features, Shield Pro

Recover Your WordPress Account with Two-Factor Authentication Backup Codes

Two-Factor Authentication (2FA) is a wonderful thing as it does a great job of protecting our accounts.

But it has its weaknesses. You’ll know this if you’ve ever lost your phone with your Google Authenticator codes. It can be a painful journey to recover our accounts in these instances.

What if there was a way we could make this recovery process a little less painful?

Login Backup Recovery Codes with Shield Security v6.10

Starting with Shield Security v6.10, we’re introducing backup recovery codes.

These backup codes are 1-time-only passwords that grant 2FA access to your account if, for whatever reason, your other factors aren’t available.

Many service providers that offer Google Authenticator (GA) offer backup codes. They know that losing your GA device can be trouble, as they’ll need to verify your identity and reset your account.

There’s no good reason why your WordPress accounts can’t have them either.

Why Do Login Recovery Codes Matter?

There are a number of reasons why allowing recovery codes, for you and your users, is important.

  1. A better user experience. When a user drops their phone in the bath, they lose their ability to generate GA codes. They’re now locked out of their accounts and they can’t do anything of their own volition to fix the problem (except contact an admin).
    With recovery codes, they can get back in to make changes to their account (i.e. disable their GA and recreate it) without contacting anyone else for help.
  2. A better admin experience. The less a user must come to you for support, the better your life (and theirs) will be. If a user can solve their own problems without your help, they’re happier, and so are you.
  3. A better security experience. With added security comes added complexity for everyone. It also presents some anxiety, as we need to be prepared for when it breaks and locks us out. If you’re having email deliverability issues, for example, recovery codes will help everyone work around the problem, smoothing out any bumps in the road.

Important Characteristics of Shield Recovery Codes

Please bear in mind the following important characteristics when using recovery codes:

  1. Single-use only. When you use a recovery code, it cannot ever be re-used.
  2. One at a time. There is only 1 recovery code available at a time, per account. If you generate a new code, it replaces the existing code.
  3. Manual code (re)generation. You must manually generate your codes from your WP user profile page. If you use the code, you must manually recreate another.
  4. It overrides multi-factor authentication. If you’ve configured your system to require all factors (i.e. multi-factor authentication) while logging-in, a backup code will still work. I.e. providing a recovery code will always work to complete your login, regardless of how many factors are missing.
  5. Backup codes are entirely optional. There is a site-level option to turn on/off backup codes, and individual users can generate and delete their backup codes, as they desire.
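
The rules in this list, together with the point made further down that codes are only offered when a 2FA factor is active, can be modelled in a few lines. This is an added example, not Shield's own code: the class and function names are hypothetical, and storing only a hash of the code and requiring all configured factors are assumptions of the sketch.

```python
import hashlib
import hmac
import secrets


class RecoveryCodeStore:
    """Hypothetical model of the recovery-code rules (not Shield's implementation)."""

    def __init__(self):
        self._hashes = {}         # username -> SHA-256 hex digest of the current code
        self.active_factors = {}  # username -> set of configured 2FA factors

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def generate(self, user):
        # Codes are only offered when the account has at least one 2FA factor.
        if not self.active_factors.get(user):
            raise PermissionError("no 2FA factor active on this account")
        code = secrets.token_hex(12)             # 96 random bits (assumed format)
        self._hashes[user] = self._digest(code)  # one at a time: replaces the old code
        return code                              # shown once; only the hash is kept

    def delete(self, user):
        self._hashes.pop(user, None)             # codes are optional per user

    def redeem(self, user, code):
        stored = self._hashes.get(user)
        if stored is None:
            return False
        # Constant-time comparison of the stored and presented digests.
        if not hmac.compare_digest(stored, self._digest(code)):
            return False
        del self._hashes[user]                   # single use: consumed on success
        return True


def second_step_ok(store, user, passed_factors, recovery_code=None):
    """Decide the 2FA step of a login after the password has been accepted."""
    required = store.active_factors.get(user, set())
    if not required:
        return True                              # no 2FA configured on the account
    if recovery_code is not None and store.redeem(user, recovery_code):
        return True                              # stands in for every missing factor
    return required <= set(passed_factors)       # otherwise all factors must pass
```

Because a valid code bypasses every other factor, the model treats it as a secret equivalent to the factors themselves, which is why only its hash is retained after generation.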

A recovery code clearly doesn’t replace your account username and password, but you should store this code in a safe place. If your password is compromised, and you haven’t securely stored your backup code, you’re putting your account at risk.

How To Set Up Backup Recovery Codes Using Shield

The 1st step is to allow users on the site to use the recovery codes feature:

Shield Security: Login Recovery Codes Option

Once enabled, any user on the site will have a new option in their profile to generate a backup code.

Shield Security: Login Recovery Codes User Profile Options

Please note: if the option to generate codes does not appear on their profile, this means that there is no 2FA factor active on their account. This is a recovery system, and not designed to be a standard 2FA option for everyday use.

How To Get Access To The Recovery Codes Feature

This feature is available with Shield Security v6.10, and is a pro-only feature.

If you wish to make use of this pro feature, and all the other pro-features, you can upgrade today for the equivalent of just $1/month.

Any questions or comments, please leave them below.  Thank you!
