Solid Security Pro Feature Spotlight – Two-Factor Authentication

In the Feature Spotlight posts, we highlight a feature in Solid Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature. Today, we are going to cover Two-Factor Authentication, a proven method to secure and protect your WordPress site.

SolidWP Editorial Team

Why You Need Two-Factor Authentication for Your WordPress Site

According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that “81% of hacking-related breaches leveraged either stolen or weak passwords.”

The “Collection #1” data breach that was hosted on MEGA included 1,160,253,228 unique combinations of email addresses and passwords. A haul like this hands a malicious bot over a billion sets of credentials to try in brute force attacks. A brute force attack is a trial-and-error method of guessing username and password combinations to break into a website.

All of these reasons and more should make you want to add another layer of protection to your WordPress login.

Even if you use a password manager like LastPass to create strong and unique passwords for each of your accounts, you still need to consider other administrator and editor users on your site. If an attacker was able to compromise one of their accounts, they could still do damage to your website.

Fortunately, there is a method to secure your WordPress user accounts: two-factor authentication.

What is Two-Factor Authentication?

Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Google shared on its blog that using two-factor authentication can stop 100% of automated bot attacks.

Two-factor authentication uses different categories of identity verification:

1. Something You Know. Do you remember filling out security questions when setting up your online mortgage account? Something like “Who is your favorite teacher?” or “What is your mother’s maiden name?” These security questions are a form of two-factor authentication because they require answers only you would know.

2. Something You Have. This category requires you to have something physically in your possession, like your phone or a YubiKey, to prove your identity. For example, some two-factor authentication methods require a time-based code sent to a specific device via a 2FA app.

3. Something You Are. You may not know the name, but if you have a smartphone, you have probably used biometric authentication to log into your phone. Biometric authentication requires a unique biological characteristic to authenticate your login. If your phone has a fingerprint scanner or Face ID, you are using biometric authentication every time you unlock your phone.

Requiring an additional method of identity verification to log into your website would block all automated brute force attacks and help protect you if there is a Broken Authentication vulnerability on your website. A Broken Authentication vulnerability can allow an attacker to compromise a user’s passwords, keys, or session tokens and take over that user’s accounts.

How to Use Two-Factor Authentication in Solid Security Pro

To get started with Two-Factor Authentication, navigate to the Features menu in the security settings and enable Two-Factor.

Now, let’s take a closer look at the Two-Factor settings.

Authentication Methods Available to Users – The settings let you choose which of the three authentication methods you will allow people to use.

The three authentication methods provided by Solid Security Pro:

  1. Mobile App – The mobile app method is the most secure two-factor authentication method provided by Solid Security Pro. This method requires you to use a free two-factor mobile app like Authy.
  2. Email – The email method of two-factor will send time-sensitive codes to your users’ email addresses.
  3. Backup Codes – A set of one-time use codes that can be used to log in in the event the primary two-factor method is lost.

Alright, let’s move on to the rest of the two-factor settings.

  • Force Two-Factor Authentication – This option allows you to require users in a specific user group to use two-factor authentication.
  • Disable Two-Factor Onboarding – This setting allows you to disable the two-factor authentication onboarding for certain users. We will cover the 2FA onboarding in more depth later in the post.
  • Vulnerable User Protection – When enabled, this setting will require all users to use two-factor when logging in if the site is vulnerable, such as when it is running outdated software or software with known vulnerabilities.
  • Disable on First Login – When you enable the Force Two-Factor Authentication feature for specific User Groups, those users will be required to enter the two-factor token sent to their email address the next time they log in. Enabling this setting will simplify the onboarding flow when users first log in.
  • On-board Welcome Text – This allows you to customize the text people see when they start the two-factor onboarding flow.

Two-Factor Onboarding

We built two-factor onboarding to give people a user-friendly way to set up two-factor on their accounts when they log in. After you enable two-factor authentication, every user will be guided through the onboarding process. You can disable two-factor onboarding for specific user groups in the two-factor settings.

Alright, let’s walk through the login and two-factor onboarding process step by step.

Just like normal, the first thing you will see is the login form. Enter your credentials and click the Log In button.

If you follow our recommendations and enable the Force Two-Factor Authentication requirement for privileged users, the next thing you will see is a place to enter the two-factor token sent to your email address. Open the email, copy and paste the token, and then click the Log In button.

On the next screen, you will be presented with the onboarding welcome text. Keep in mind that you can customize this in your two-factor settings. Click the Continue button to move on to the next step.

The next step is to select which two-factor methods you want to enable for your account. Click on the Backup Codes arrow to generate a list of backup codes to use if your primary method of authentication fails.

Now click the Download button to download a text file of your backup codes. Be sure to store these codes somewhere safe.

Click the Back link to return to the previous screen, then click the Mobile App arrow to enable and configure this method of authentication for your user.

Now, choose your mobile OS and then open your mobile two-factor app on your phone.

From your phone, scan the QR code to link the secret to your mobile app.

Now enter the 6-digit code from your phone into your web browser and click Verify to finish the mobile app setup.

Alright, now that you have two-factor all set up, click the Continue button to finish logging into your WordPress dashboard.
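To show what happens behind the Mobile App and Backup Codes methods described above (the secret the QR code links to the app, the 6-digit code you verify, and one-time backup codes), here is an added illustration in Python. It is not Solid Security Pro’s code: it implements the standard TOTP algorithm (RFC 6238) and a generic hashed, single-use backup-code store, and the secret it uses is the RFC’s published reference key, not a real credential.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# RFC 6238 reference key (ASCII "12345678901234567890"), base32-encoded; demo value only.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The otpauth:// string an onboarding QR code carries so the app can import the secret."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits=6&period=30")

def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated to 6 digits."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def verify_totp(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb phone clock drift.
    Constant-time comparison so a wrong code cannot be narrowed down digit by digit."""
    return any(hmac.compare_digest(totp(secret_b32, now + drift * 30), submitted)
               for drift in range(-window, window + 1))

def new_backup_codes(count: int = 10) -> tuple[list[str], set[str]]:
    """Plaintext codes go to the user once (the downloaded text file); only hashes are stored."""
    codes = [secrets.token_hex(4) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored

def use_backup_code(stored: set[str], submitted: str) -> bool:
    """A backup code is single-use: burn its hash on success so a replay fails."""
    digest = hashlib.sha256(submitted.strip().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False

if __name__ == "__main__":
    print(provisioning_uri("My WP Site", "admin@example.com", RFC_SECRET))
    print(totp(RFC_SECRET, 59), verify_totp(RFC_SECRET, totp(RFC_SECRET, 59), 59))
```

The values for timestamps 59 and 1111111109 match the RFC 6238 test vectors, which is a quick way to confirm any TOTP implementation before trusting it with real logins.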

Wrapping Up

To sum up, there is nothing as easy and secure as adding two-factor authentication to your WordPress login. If you aren’t currently using two-factor, add it to your website now and start protecting yourself against automated attacks.