WordPress Security

Release Note: Encryption Added to Two-Factor Codes in iThemes Security Pro

With the latest release of iThemes Security Pro, we have added encryption to protect the two-factor authentication (2FA) codes used for multi-factor login authentication. To ensure that your site is using this new functionality, upgrade to iThemes Security Pro version 7.2.2 in your wp-admin plugin dashboard.

Timothy-Rae Jacobs

As with any new feature, we’re certain there are questions about what it does and why we’ve added it. In this post, we detail what change we’ve made, why we’ve chosen to add additional security features to two-factor authentication, and some thoughts on the current state of WordPress login security as a whole.

Encryption

What does this change in two-factor authentication code storage entail?

iThemes Security supports three types of two-factor authentication methods: Mobile Apps, Email, and Backup Codes. They each function a little bit differently.

When you use Email 2FA, iThemes Security generates a random eight-digit code and emails it to you. We store what’s called a “hash” of this random code in the WordPress database. A hash lets us verify if you gave us the same eight-digit code that we stored in the database.

However, iThemes Security can’t “decode” the hash back into the original eight-digit random code. This is why if you ask iThemes Security to “Resend” the 2FA email, we generate a new random code instead of resending you the same 2FA code we sent in the first email.

This is similar to how WordPress can verify whether your password is correct. But if you forget your password, you have to create a new one; WordPress can’t send you your current password.

Mobile Two-Factor is different. A new code appears in your Mobile App every 30 seconds. Does that mean iThemes Security is saving each new code to the database? No. Instead, iThemes Security uses the concept of a “shared secret”.

When you set up Mobile Two-Factor in iThemes Security we show you a QR code that contains a secret key unique to your account. Scanning the QR code in your Two-Factor app copies the secret key to your phone.

When you log in using your Mobile App, iThemes Security and your phone each generate a six-digit code based on the “shared secret” key. If the codes match, you’re in!

Unlike Email-based Two-Factor where we only need to store a hash, this means we must store the Mobile App secret key in a way that gives us access to the plaintext.
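The two storage models side by side, as an added Python example (not iThemes Security's code): the email code is checked against a stored salted hash, while the mobile-app code follows RFC 6238 TOTP and must be recomputed from the secret itself. The salted SHA-256 record, the function names and the one-step drift window are assumptions for illustration; the key is the published RFC 6238 test key.

```python
import hashlib
import hmac
import secrets
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test key, not a real secret

def new_email_code():
    """Return (code_to_email, record_to_store); only salt and hash are stored."""
    code = f"{secrets.randbelow(10**8):08d}"          # random eight-digit code
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + code.encode()).digest()
    return code, (salt, digest)

def check_email_code(submitted, record):
    """Re-hash the submitted code and compare; the stored hash is never decoded."""
    salt, digest = record
    candidate = hashlib.sha256(salt + submitted.encode()).digest()
    return hmac.compare_digest(candidate, digest)

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1; every call needs the raw shared secret."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"

def check_totp(secret, submitted, unix_time, drift_steps=1):
    """Accept codes from adjacent 30-second windows to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * 30).encode(),
                            submitted.encode())
        for d in range(-drift_steps, drift_steps + 1)
    )

if __name__ == "__main__":
    code, record = new_email_code()
    print("email code verifies from hash only:", check_email_code(code, record))
    # The server cannot do the same for TOTP: without the secret bytes
    # there is no HMAC to compute, so the secret must be readable at login.
    print("TOTP at t=59s:", totp(RFC_TEST_SECRET, 59))
    print("phone code accepted:", check_totp(RFC_TEST_SECRET, "287082", 59))
```

Because `totp()` takes the secret as input on every login, a one-way hash of it would be useless to the server; the stored value has to be recoverable, which is why it is a candidate for encryption at rest.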

The vast majority of two-factor authentication plugins and services for WordPress store two-factor secret keys in the WordPress database, and iThemes Security is no different. These codes must be stored so that when a user enters their 2FA codes from their authentication app on their phone or device, the security plugin can match these codes to authenticate the user trying to log in.

Storing these codes in the database has been the most secure way of doing so, as any information stored in the database can only be accessed by a database user and their password. These credentials are stored in your WordPress wp-config.php file, and this allows your WordPress site to access information in this database.

While there are a few services that use a file-system-based approach for 2FA codes, iThemes Security and most other major two-factor authentication services have opted for the more secure database storage method.

For additional security, we’ve added encryption to these codes stored in a site’s WordPress database. In the event that the database is somehow compromised by another vulnerability, this added encryption adds another layer of security to protect the WordPress site from any number of login-based attacks that could be combined with other vulnerabilities.

Why we chose to add this feature

If a WordPress website is adequately secured, the probability of the two-factor authentication codes being exposed is low. However, in the event that there is a hosting provider service level vulnerability where database access is compromised or if there is a zero-day vulnerability actively exploited in a plugin or theme, unencrypted two-factor authentication codes could be used in combination with another vulnerability.

At iThemes, the security of our customers’ WordPress websites is of critical importance to our business. As such, when even an edge-case vulnerability scenario comes to our attention, our first response and priority is the security of those sites.

Our goal is to make your WordPress site secure at every juncture, so that every aspect of your site, from your files and database to your login procedures, is protected from malicious attackers. Effective defense from attack requires that all aspects of WordPress are adequately secured.

What is Two-Factor Authentication?

Two-factor authentication (2FA) is a type of multi-factor authentication (MFA) that strengthens access security by requiring two verification methods to authenticate your identity on a system, in this case a WordPress site. These factors can include something you know, such as your username or email and your password, along with something you have, like a device with an authentication application that confirms you are who you say you are. Authentication apps such as Google Authenticator generate a time-based one-time password that changes minute by minute.

Passwords are not enough

Two-factor authentication is increasingly important as phishing attacks, social engineering attacks, password brute force attacks, and password reuse problems have meant that single password-only authentication is simply no longer enough.

It is due to problems like these that innovators like iThemes Security have added passkeys for truly passwordless logins, using biometric authentication and private/public key cryptography to create more sophisticated authentication protocols to protect mission-critical systems. Passwords are broken, so iThemes Security Pro was the first WordPress security plugin to allow for passwordless authentication with passkeys.

With passkeys, the storage of two-factor authentication codes is a non-issue as the private/public key cryptography makes both passwords and 2FA obsolete.

If your WordPress website truly is mission-critical to your business or organization, using iThemes Security demonstrates your commitment to securing that asset. Ensure that you offer friction-free passwordless logins and encrypted two-factor authentication capabilities to demonstrate to your stakeholders your organization’s commitment to security-conscious website implementations.

If you are not yet using iThemes Security Pro, you can get the Pro version of the best WordPress security plugin available by purchasing via the link below.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!

Get Solid Security

Thank you to Calvin Alkan for responsibly disclosing the issue to us.
