🚨 U2F has been superseded by WebAuthn/Passkeys.
We’re delighted to announce support for U2F login authentication for WordPress, starting with ShieldPRO 9.1.
This article will outline what this is, and how you can add this 2nd Factor to give added security to your WordPress accounts.
What is FIDO U2F?
FIDO U2F is a standardised protocol designed to enable “relying parties to offer a strong cryptographic 2nd factor option for end user security”.
Simply-put it’s a powerful 2nd factor that you can use to secure access to your WordPress login. You can read a bit more about U2F on the Yubico site here.
Let’s face it, 2-Factor Authentication can be a pain.
If it’s email-based, you must have access to your email account, copy the code and paste it into your browser. That’s assuming you’ve even configured your WordPress site to send emails reliably.
If it’s Google Authenticator, you’ll need your phone to open the App, grab the code and type it into your browser.
Yubikey One Time Passwords (OTP) are much easier than other solutions since you just touch the USB device to automatically deliver an OTP straight into your browser.
U2F devices make 2FA even smoother than Yubikey OTPs and they operate similarly where you touch a sensor to indicate it’s really you.
U2F provides the “something you have” factor to your login authentication, in addition to your password (“something you know”).
What Do You Need In Order To Get Started With U2F?
There are 3 components to using U2F:
- A U2F device, such as a Yubikey, or Google Titan key.
- An operating system + web browser that supports U2F – most of the major browsers support U2F at this stage.
- A website/app that offers U2F support.
With ShieldPRO 9.1, the only thing remaining that you probably don’t have is item #1 – a security key that supports U2F.
There are several types of keys available, but YubiKeys and Google Titan are probably the most popular.
If you’re going to buy one, we recommend getting one that supports U2F, FIDO2, OTP (One Time Passwords) and even NFC (as a bonus).
The type we’re most familiar with is the current Yubikey 5 series.
How Does WordPress U2F Authentication Work?
There are 2 simple parts that make up U2F support for your WordPress user profile, using Shield Security.
Part #1: Register Your U2F Device On Your WordPress User Profile
Assuming you’ve enabled the U2F option within Shield (found under Login Protection > Hardware 2FA), you’ll see a button in your WordPress user profile to register a new U2F device.
Click this button and the U2F registration process will begin.
Part #2: Sign-in With Your U2F Device
When you next sign-in to your WordPress site, Shield’s standard 2FA page will prompt you to complete the sign-in with the same popup as shown in the video above.
Assuming it works as expected, you’ll be logged in completely to your account.
Using Multiple U2F Devices
If you’ve ever lost your Google Authenticator codes, you’ll know the hardship you face in regaining access to your accounts.
It’s always good to have at least 2x 2FA options enabled on your user accounts.
We recommend either registering 2 separate U2F devices on your profile, or activating another authentication factor alongside your U2F key. This way if you lose a U2F device, you can always login with the other U2F device, or the other factor.
To this end, we’ve built-in the ability to register as many U2F devices as you want. There’s absolutely no restriction.
Also, if you lose a U2F key, or decide to no longer allow access using a particular key, it’s easy to remove it from your profile.
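The following Go program is an added example, not Shield’s code or any part of the plugin. It simulates both sides of the two parts above and the multi-key profile described in this section: at registration the key mints a key pair and the site stores the handle plus public key on the profile; at login the site sends a fresh challenge, the key signs it with a user-presence flag that is only set after a touch, and the site verifies the signature against the stored public key, checks that flag, and checks that the key’s signature counter moved forward (the check that exposes a cloned key). Assumptions: the appId “https://example.com”, the user name and the device names are constructed; key handles are simply the device name rather than a value derived from a master secret; and the challenge parameter is a hash of the raw challenge rather than of the client-data JSON a browser would build.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

var (
	errBadSig  = errors.New("rp: bad signature or user-presence flag")
	errCounter = errors.New("rp: counter did not increase (possible cloned key)")
	errNoKey   = errors.New("rp: no registered key answered the challenge")
)

// Device simulates one physical U2F key for one site. Real keys derive per-site keys
// from a master secret behind an opaque handle; here (an assumption) the name is the handle.
type Device struct {
	handle  string
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter, bumped on every signing
}
func NewDevice(name string) *Device { return &Device{handle: name} }

// Sign (part #2, key side) signs appParam || userPresence || counter || challengeParam.
// The presence byte is 0x01 only after a touch: that touch is the "something you have".
func (d *Device) Sign(handle string, appParam, challengeParam [32]byte, touched bool) (byte, uint32, []byte, error) {
	if handle != d.handle || d.priv == nil {
		return 0, 0, nil, errors.New("device: handle was not issued by this key")
	}
	var presence byte
	if touched {
		presence = 0x01
	}
	d.counter++
	h := sha256.Sum256(signedMessage(appParam, presence, d.counter, challengeParam))
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, h[:])
	return presence, d.counter, sig, err
}
func signedMessage(appParam [32]byte, presence byte, counter uint32, challengeParam [32]byte) []byte {
	msg := append(append([]byte{}, appParam[:]...), presence)
	msg = binary.BigEndian.AppendUint32(msg, counter)
	return append(msg, challengeParam[:]...)
}

// Credential is the site's per-key record; Counter (highest accepted so far) exposes a cloned key once the copies collide.
type Credential struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// RelyingParty is the website side; creds maps user -> key handle -> credential.
type RelyingParty struct {
	appParam [32]byte
	creds    map[string]map[string]*Credential
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{appParam: sha256.Sum256([]byte(appID)), creds: map[string]map[string]*Credential{}}
}

// RegisterDevice (part #1): the key mints a P-256 pair for this site and the site
// stores the handle and public key on the profile; any number of keys may be added.
func (rp *RelyingParty) RegisterDevice(user string, d *Device) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	d.priv = priv // the private half never leaves the key
	if rp.creds[user] == nil {
		rp.creds[user] = map[string]*Credential{}
	}
	rp.creds[user][d.handle] = &Credential{Pub: &priv.PublicKey}
	return nil
}

// RemoveDevice drops a lost or retired key so it can no longer sign in.
func (rp *RelyingParty) RemoveDevice(user, handle string) { delete(rp.creds[user], handle) }

// Login (part #2, site side) issues a fresh challenge, offers every stored handle
// to the key, and accepts the first valid signature whose counter moved forward.
func (rp *RelyingParty) Login(user string, d *Device, touched bool) error {
	var challenge [32]byte
	rand.Read(challenge[:]) // crypto/rand; real U2F hashes the client-data JSON carrying it
	challengeParam := sha256.Sum256(challenge[:])
	for handle, c := range rp.creds[user] {
		presence, counter, sig, err := d.Sign(handle, rp.appParam, challengeParam, touched)
		if err != nil {
			continue // this handle belongs to one of the user's other keys
		}
		h := sha256.Sum256(signedMessage(rp.appParam, presence, counter, challengeParam))
		if presence != 0x01 || !ecdsa.VerifyASN1(c.Pub, h[:], sig) {
			return errBadSig
		}
		if counter <= c.Counter {
			return errCounter
		}
		c.Counter = counter
		return nil
	}
	return errNoKey
}
```

A typical run registers two devices on one profile, logs in with either, and gets errBadSig when the key signs without a touch; copying a Device value (same key material, its own counter) shows why the counter check matters, because once the copy has signed, the original’s next signature no longer increases the stored counter. RemoveDevice is the “lose a key or retire it” case from the text: the handle is forgotten and that key falls through to errNoKey.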
Caveats With ShieldPRO 9.1 and U2F
This is a new implementation for us and it’s more complex than other 2-factor authentication options.
We test our code and our implementations thoroughly, but the sheer variety of WordPress site configurations means you just never know when another plugin is going to interfere with what you have.
To be sure that you don’t get locked-out of your site because of a bug or interference by another plugin, we’re marking this feature as “experimental”, for the moment.
This simply means: please use it, we’re committed to ensuring U2F login is available for Shield clients, but there may be unexpected problems that we’re unaware of.
It also means that you must have another 2FA factor enabled on your profile so that in the event there’s a problem with U2F login, you’ll be able to proceed with the alternative factor. Once we’re confident there aren’t any surprise bugs, we’ll remove this restriction in a future release.
This sounds like an inconvenience, but if you’re already using 2FA, there is no added work for you.
What about WebAuthn and FIDO2?
FIDO2 takes U2F even further and part of this is WebAuthn. It supersedes U2F, but FIDO2 devices are typically backwards compatible with U2F so getting a device that supports both U2F and FIDO2 would be best.
Shield Security for WordPress doesn’t support WebAuthn, so you can’t use your fingerprint scanner and such things (yet).
Assuming all goes well with our U2F implementation, we’ll probably extend it to support WebAuthn in the future. As always, this is based on your feedback and suggestions. Speaking of which…
Comments, Feedback and Suggestions
We rely on your feedback to point us in the direction of where to take Shield and which features and functionality we should focus on.
If this is something you like, or you’d like to see enhancements and changes, please do leave us comments below. Every piece of feedback is informative and helps us greatly.
Thank you!
Hi,
With regards to two-factor authentication and the like, I’m wondering if a device’s MAC address could be used for authentication.
It’s unique to the device, but I don’t know if it’s easy for someone to spoof it.
Granted, it wouldn’t be as secure as true two-factor authentication and wouldn’t provide protection against someone stealing or taking over your device, but might it provide an intermediary step?
Just wondering.
Ken Dawes
Hi Ken,
Thanks for your question.
This isn’t possible. Device MAC addresses are only accessible within a local network and are not published over the Internet.
Jelena