Passwords have been our primary means of protection in the WordPress world for a really long time. However, with use of passwords becoming commonplace, more and more attacks on them have been successful. Making matters worse are users who think of obvious and easy-to-guess passwords or reuse the same password for multiple accounts. A practical way to strengthen authentication is to use a second factor of identification after the username/password stage. This technique is known as Two Factor Authentication. Apart from your password, two factor authentication requires you to have another type of credential before you gain access to your account.
Traditional two factor authentication solutions used hardware tokens that generated one-time passwords for the second stage authentication. However, these hardware tokens were highly inconvenient to use. It took time to distribute these tokens to the right people and track them continuously. They didn’t come cheap and were often lost or misplaced. Needless to say, there were high levels of frustration among users when it came to token based systems. Security agencies were quick to realize that using an existing device to achieve two factor authentication will be far more effective. So they decided to use mobile phones to communicate the one-time passwords. This reduced deployment and training costs, and improved the end-user experience in a big way.
There are many WordPress plugins that help you enable two factor authentication for WordPress without any fuss. Here are some of the popular ones.
Google is one of the earliest players to deploy two-factor authentication on a large scale. Quite naturally, the Google Authenticator plugin is the first choice to come up when you think of two-factor authentication. The plugin provides you two-factor authentication using the Google Authenticator app installed on your smartphone. If you are security aware, you may already have this app installed for two-factor authentication on Gmail/Dropbox/Amazon etc. With this plugin, two-factor authentication can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.
Duo Two-Factor Authentication
The plugin is easy to setup and use, and provides the simplest form of two factor authentication. Once you install the plugin and signup for their service, you are all set. You also have the option to choose the user roles for which you want to enable two factor authentication – admin, author, editor, etc. You can download this free plugin from the WordPress plugin repository.
Clef Two-Factor Authentication
The plugin provides an easy-to-use and strong two-factor authentication using your smartphone. However, it is significantly different from other plugins in that it replaces passwords and one-time codes with something called a clef wave. The plugin stores your encrypted private key on your phone rather than in a central database. So even if the Clef servers are breached, your login credentials remain secure on your phone. Every Clef login requires two identification factors- your phone and a fingerprint or PIN. So even if your phone is lost or stolen, your login will be safe. It disables passwords for all three WordPress authentication avenues – Dashboard access, API access, and automatic password resets via email. Thus it protects your site against the full spectrum of password-based attacks.
Setting up this free plugin is quite simple. It primarily involves installing the plugin on your site, the clef app on your phone and syncing the wave on the phone with that on your screen. Once this is completed, the app will automatically register your WordPress site, and you’ll be able to login using your phone.
The plugin adopts a slightly different approach from that of Clef in not completely eliminating passwords altogether. Instead, it adds an extra layer of security known as trusted devices. Once you install and setup the plugin, you need add your computer as a trusted device. After this, only users visiting your site from a trusted device will be able to login. If you try and login to your admin account from any other device, you will be denied access, unless you add that device to the trusted devices list. But once a device is setup, you’ll never have to worry about it again.
Two-factor authentication is undoubtedly the wave of the future, and has already been implemented by some of the biggest companies around. With everyone accompanied by a smartphone these days, it is obviously the easiest way to secure your WordPress site.