🚨 U2F has been superseded by WebAuthn/Passkeys.
We're delighted to announce support for U2F login authentication for WordPress, starting with ShieldPRO 9.1.
This article will outline what this is, and how you can add this 2nd Factor to give added security to your WordPress accounts.
What is FIDO U2F?
FIDO U2F is a standardised protocol designed to enable "relying parties to offer a strong cryptographic 2nd factor option for end user security".
Simply put, it's a powerful 2nd factor that you can use to secure access to your WordPress login. You can read a bit more about U2F on the Yubico site here.
Let's face it, 2-Factor Authentication can be a pain.
If it's email-based, you must have access to your email account, copy the code and paste it into your browser. That's assuming you've even configured your WordPress site to send emails reliably.
If it's Google Authenticator, you'll need your phone to open the App, grab the code and type it into your browser.
Yubikey One Time Passwords (OTP) are much easier than other solutions since you just touch the USB device to automatically deliver an OTP straight into your browser.
U2F devices make 2FA even smoother than Yubikey OTPs, and they operate similarly: you touch a sensor to indicate it's really you.
U2F provides the "something you have" factor for your login authentication, in addition to your password ("something you know").
What Do You Need In Order To Get Started With U2F?
There are 3 components to using U2F:
- A U2F device, such as a Yubikey, or Google Titan key.
- An operating system and web browser that supports U2F (most of the major browsers support U2F at this stage).
- A website/app that offers U2F support.
With ShieldPRO 9.1, the only thing remaining that you probably don't have is item #1: a security key that supports U2F.
There are several types of keys available, but YubiKeys and Google Titan are probably the most popular.
If you're going to buy one, we recommend getting one that supports U2F, FIDO2, OTP (One Time Passwords) and even NFC (as a bonus).
The type we're most familiar with is the current Yubikey 5 series.
How Does WordPress U2F Authentication Work?
There are 2 simple parts that make up U2F support for your WordPress user profile, using Shield Security.
Part #1: Register Your U2F Device On Your WordPress User Profile
Assuming you've enabled the U2F option within Shield (found under Login Guard > Hardware 2FA), you'll see a button in your WordPress user profile to register a new U2F device.
Click this button and the U2F registration process will begin.
Part #2: Sign-in With Your U2F Device
When you next sign-in to your WordPress site, Shield's standard 2FA page will prompt you to complete the sign-in with the same popup as shown in the video above.
![](https://assets.getshieldsecurity.com/onedollarplugin.com/uploads/2020/06/shield-security-2fa-u2f-login-page-1024x683.png)
Assuming it works as expected, you'll be fully logged in to your account.
Using Multiple U2F Devices
If you've ever lost your Google Authenticator codes, you'll know the hardship you face in regaining access to your accounts.
It's always good to have at least 2x 2FA options enabled on your user accounts.
We recommend either registering 2 separate U2F devices on your profile, or activating another authentication factor alongside your U2F key. This way, if you lose a U2F device, you can always log in with the other U2F device, or the other factor.
To this end, we've built-in the ability to register as many U2F devices as you want. There's absolutely no restriction.
Also, if you lose a U2F key, or decide to no longer allow access using a particular key, it's easy to remove it from your profile.
Caveats With ShieldPRO 9.1 and U2F
This is a new implementation for us and it's more complex than other 2-factor authentication options.
We test our code and our implementations thoroughly, but the sheer variety of WordPress site configurations means you just never know when another plugin is going to interfere with what you have.
To be sure that you don't get locked out of your site because of a bug or interference by another plugin, we're marking this feature as "experimental" for the moment.
This simply means: please use it, we're committed to ensuring U2F login is available for Shield clients, but there may be unexpected problems that we're unaware of.
It also means that you must have another 2FA factor enabled on your profile so that, in the event there's a problem with U2F login, you'll be able to proceed with the alternative factor. Once we're confident there aren't any surprise bugs, we'll remove this restriction in a future release.
This sounds like an inconvenience, but if you're already using 2FA, there is no added work for you.
What about WebAuthn and FIDO2?
FIDO2 takes U2F even further, and WebAuthn is part of it. It supersedes U2F, but FIDO2 devices are typically backwards compatible with U2F, so getting a device that supports both U2F and FIDO2 would be best.
Shield Security for WordPress doesn't support WebAuthn, so you can't use your fingerprint scanner and such things (yet).
Assuming all goes well with our U2F implementation, we'll probably extend it to support WebAuthn in the future. As always, this is based on your feedback and suggestions. Speaking of which…
Comments, Feedback and Suggestions
We rely on your feedback to point us in the direction of where to take Shield and which features and functionality we should focus on.
If this is something you like, or you'd like to see enhancements and changes, please do leave us comments below. Every piece of feedback is informative and helps us greatly.
Thank you!
Hi,
With regards to two-factor authentication and the like, I’m wondering if a device’s MAC address could be used for authentication.
It’s unique to the device, but I don’t know if it’s easy for someone to spoof it.
Granted, it wouldn’t be as secure as true two-factor authentication and wouldn’t provide protection against someone stealing or taking over your device, but might it provide an intermediary step?
Just wondering.
Ken Dawes
Hi Ken,
Thanks for your question.
This isn’t possible. Device MAC addresses are only accessible within a local network and are not published over the Internet.
Jelena