WordPress Two-Factor Authentication
A problem with enforcing strict security for users is that it can create a complicated, labyrinthine login environment. The resulting frustration and irritation may even drive users to seek services elsewhere with less stringent login policies. Conveying a clear reason why such measures are in place helps users accept a strict login procedure. The WordPress Two-Factor Authentication process exists to protect a user’s account details and data, not merely to give a website the appearance of security. Striking a balance between minimizing risk and not annoying customers should always play a role in general online security.
Why WordPress two-factor authentication helps
Adding to the complexity is that most firms now know that passwords alone are no longer enough to secure vital data. WordPress is a popular Content Management System, and many security firms strongly encourage two-factor authentication for it. This is especially important for the WordPress login method: out of the box, WordPress allows an unlimited number of login attempts. (Brute Force Protection helps limit this risk significantly.)
A WordPress security service such as iThemes security offers several options for two-factor login authentication.
The smartphone way
The first WordPress Two-Factor Authentication method available is via an app installed on a smartphone. Many people already have one, eliminating the need for additional (and in many cases expensive) hardware such as the smart cards or ID cards that other firms have tried to use, some successfully and some not so much. Smartphones are almost always in people’s possession at all times of the day, so there is no need to remember to bring the second piece of hardware needed to gain access to a much more secure system. (Apple and Samsung have taken this one step further by including a biometric scanner for logins.)
Install a Time-Based One-Time Password (TOTP) app. It provides the additional authentication required to access a secure site. Apps exist for both Android and iOS, so compatibility is very high across nearly all smartphones. For iThemes Security, the app must be a TOTP app, where the generated password is temporary and expires if not used within a certain amount of time.
The recommended WordPress Two-Factor Authentication apps for Android and iOS devices are Authy, Toopher, Google Authenticator and FreeOTP Authenticator, the most popular token generators.
Codes sent via email
The second, slightly less secure, WordPress Two-Factor Authentication method is a second login code sent via email. Many financial institutions employ the same idea, but via text message to a smartphone. After a successful login with the usual username and password, the user receives a code at their email address and uses it to complete the login process.
However, make sure the user has access to the email account WordPress will send the code to, or login will not be possible. It is the same email address used for administrative notices such as new account details and password resets. To verify, use the “lost password” function within WordPress, enter the details and ensure the password reset email is received. If it is not, make the necessary changes before enabling this two-factor login process.
Backup verification codes
There is also one final option in case there is a problem logging in and the above methods are not allowing access for some reason: the Backup Verification Code option within WordPress, provided by the iThemes security plugin. Verification codes are generated once and kept in a secret place, for example printed on paper and stored somewhere safe. Once the codes have been generated, they will never be shown again.
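The "never shown again" property follows from how a site should store such codes: only a digest of each code is kept, and a code is deleted on first use. This added Python example (not the iThemes plugin’s own code) generates and redeems single-use backup codes; the code length and count are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_BYTES = 5  # 40 bits of entropy per code: 10 hex characters when displayed


def generate_backup_codes(count: int = 10) -> tuple[list[str], set[str]]:
    """Create `count` single-use codes. Return the plaintext list (shown to the
    user exactly once) and the set of SHA-256 digests the site actually stores."""
    codes = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
    digests = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, digests


def redeem_backup_code(stored_digests: set[str], submitted: str) -> bool:
    """Accept a code only if its digest is still stored, then delete the digest
    so the same code can never be used twice."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    for candidate in list(stored_digests):
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            stored_digests.remove(candidate)
            return True
    return False
```

Because only digests persist, a copy of the database does not reveal the codes, and the plaintext list cannot be re-displayed later, which is exactly why the user must store the printout safely.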
Double the security
Two-factor authentication, simply and very importantly, removes the reliance on a single login step. Without it, an unauthorized outside party has access to the system as soon as they obtain the password; two-factor authentication prevents this. Users also need the code, obtained via a smartphone app, an email address or a Backup Verification Code as mentioned earlier.
Security as a whole on any secure system should always be based on the weakest link in the chain.
The hard part
The more difficult part of a two-factor authentication system may be communicating to all end users how it works. They need to know how to receive the second part of the login process, so that if they run into trouble they can resolve the issue on their own.
Again, a secure system that burdens users may cause frustration and irritation. This can result in several outcomes, such as:
- moving to another provider,
- users choosing very basic, easy-to-remember passwords,
- relying solely on the Backup Verification Code (BVC) option and storing the codes in a very insecure place.
Creating a balance, explaining why such procedures are in place, and explaining the consequences if a system becomes compromised may all help.
Explaining the process
Give priority to clients who request assistance with their login issues to help minimize frustration. This is especially true when they are not as informed about why such security measures are in place. A user, for example, may not know why they cannot access their account because they are accessing it from a different physical location than usual, especially if they are traveling abroad.
As WordPress Two-Factor Authentication improves, the process will become easier. This holds especially true on the app side. Some two-factor authentication app developers are creating apps that no longer require a passcode to be typed in manually; instead, they offer a swipe to accept or deny the login. The smartphone app process also involves “out-of-band” authentication, which runs separately from the network carrying the username and password, strengthening the security process even further.