You may have heard how important 2 factor authentication (also known as two-factor authentication or 2FA) is for securing your online accounts. Don’t be embarrassed if you find yourself asking “What is 2 factor authentication?” Not knowing puts you in a large group of users. By the end of this post, you will understand 2 factor authentication well enough to choose the right method and turn it on.
In this post, we’ll explain what 2 factor authentication is and what the different methods of 2fa are. You will learn why 2fa is so effective at locking down your online accounts, particularly your WordPress admin login. Finally, we’ll show you how to enable 2fa on your WordPress website.
What is 2 Factor Authentication or 2FA?
2 factor authentication is a process of verifying a person’s identity by requiring two separate, independent proofs of identity (factors) before granting access.
For example, most websites only require a username and password to log in. Your password is the first factor: something only you are supposed to know. When you enable 2 factor authentication, you must also present a second factor of a different kind, so that a stolen or guessed password alone is no longer enough to get in.
The Big Three 2FA Categories
You have likely used two-factor authentication without even realizing that you were providing a second form of identification.
2 factor authentication draws on three categories of identity verification:
1. Something You Know. Your password is the usual example. Do you remember filling out security questions when setting up your online mortgage account? Something like Who is your favorite teacher? or What is your mother’s maiden name? Security questions are a second step, but they are the same kind of factor as a password (knowledge), and the answers are often guessable or discoverable from social media, so a password plus a security question is not true 2 factor authentication. Real 2fa pairs something you know with a factor from one of the next two categories.
2. Something You Have. This category requires you to have something physically in your possession–like your phone or a Yubikey–to prove your identity. For example, some two-factor authentication methods require a time-based code that is generated on a specific device by a 2FA app, so only the person holding that device can produce the current code.
3. Something You Are. You may not know the name, but if you have a smartphone, you have probably used biometric authentication to log into your phone. Biometric authentication requires a unique biological characteristic to authenticate your login. If your phone has a fingerprint scanner or Face ID, you are using biometric authentication every time you unlock your phone.
Why You Should Use 2 Factor Authentication
Did you know that, according to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches involved stolen or weak passwords? Your security is only as strong as your weakest link, so if you’re using weak passwords or reusing passwords across various online accounts, you’re at risk for an account breach.
Using a unique password for every account is something that everyone should do, but as we move more of our work online, it becomes more of a hassle. Understandably, people just want to get their job done, and logging in is an obstacle in their way. So, well-intentioned people end up using the same password for every site.
That’s where password managers come in. I personally use LastPass to create a secure and unique password for every online account or website I use. You can read a bit more on why you should use a password manager.
The Different Methods of 2 Factor Authentication
There are several different methods of 2fa to choose from, but not all are created equal. Some methods are going to be more secure than others.
Let’s go over some of the standard methods of 2 factor authentication.
1. Email
With the email method of 2fa, the site emails you a one-time code, and you enter the code delivered to your inbox as your second step when logging in. Keep in mind that this is only as strong as the mailbox itself: if an attacker already controls the email account (often the same account that receives password reset links), they receive the code too.
2. SMS
The SMS method of 2 factor authentication delivers a code via an SMS text message to your mobile device.
Although SMS text is one of the most common options for 2 factor authentication, it is one of the least secure.
The National Institute of Standards and Technology (NIST) proposed deprecating SMS for this purpose in its draft of SP 800-63B, and the published guideline classifies one-time codes sent over the phone network as a “restricted” authenticator.
Why? A phone number is not tied to a device. In a SIM swap scam, an attacker convinces (or bribes) the carrier to move your number to a SIM card they control; from that point on they receive your two-factor codes. SMS codes can also be phished in real time, since nothing ties the code to the website it was meant for.
3. Mobile App
The mobile app option of 2FA uses time-based one-time passwords (TOTP codes) generated by a two-factor authentication mobile app such as Google Authenticator or Authy.
TOTP is a much stronger way of authenticating users on your site. When you sync the site with your preferred app (usually by scanning a QR code), the site and the app share a secret key. Every 30 seconds, both sides compute a code from that secret and the current time step (RFC 6238), so a code is valid only for a short window and never travels across the phone network. If the code you type matches the one the server computes for the current window, the login succeeds; the server should also tolerate a little clock skew and reject any code that has already been used.
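To make the TOTP mechanism concrete, here is an added example (not code from this post or from iThemes Security Pro) of the server side of the scheme in Python: generating the shared secret, building the otpauth:// URI that becomes the QR code, computing codes per RFC 4226/6238, and verifying a submitted code with skew tolerance and replay protection. The issuer and account names, and the in-memory set of used time steps, are assumptions for the demo; a real site would persist the secret and the last accepted time step per user.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded the way authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that the site usually shows as a QR code at enrolment."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(key, at // period, digits, algo)


def verify_totp(secret_b32: str, submitted: str, at: int, used_steps: set,
                window: int = 1, period: int = 30, digits: int = 6) -> bool:
    """Server-side check of a code the user typed in.

    - accepts the current step plus `window` steps either side, to tolerate
      clock skew between the phone and the server;
    - compares in constant time so timing does not leak which digits matched;
    - records the accepted step in `used_steps` (assumed per-user storage)
      so the same code cannot be replayed inside its validity window.
    """
    key = base64.b32decode(secret_b32, casefold=True)
    step = at // period
    for candidate in range(step - window, step + window + 1):
        if candidate in used_steps:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            used_steps.add(candidate)
            return True
    return False


if __name__ == "__main__":
    # Enrolment: the site stores the secret and shows the URI as a QR code.
    secret = generate_secret()
    print(provisioning_uri(secret, "admin@example.com", "Example Site"))  # names assumed
    # Login: the phone computes the same code from the shared secret and the clock.
    now = int(time.time())
    code = totp(base64.b32decode(secret), now)
    used = set()
    print("first use accepted:", verify_totp(secret, code, now, used))
    print("replay accepted:  ", verify_totp(secret, code, now, used))
```

The RFC 6238 test vectors (secret "12345678901234567890", SHA-1) are a quick way to confirm an implementation before wiring it into a login form.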
4. FIDO U2F USB Keys
The goal with these is to simplify 2 factor authentication by putting the second factor on a small USB (or NFC) device. When you register the key with a site, it creates a key pair for that site and keeps the private key inside the hardware. At login, the browser sends a challenge, you touch the key, and the key signs the challenge; there is no code to type. Even though it is more convenient than other 2 factor methods, it is also more secure: you still need the physical device, and the signature is bound to the site’s origin, so a phishing site on a look-alike domain cannot reuse it.
As a bonus method, Google announced in 2019 that any Android phone running Android version 7.0 or higher can act as a FIDO security key for signing in to Google accounts.
5. One Time Use Recovery Codes
One time codes are typically supplied as a list of codes to download or print when you set up 2fa. Each code can only be used once. Therefore, this method should be reserved as a backup for when you lose your phone or security key. Store the list somewhere safe, such as your password manager, and treat the codes like passwords.
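The way a site should handle these backup codes is not obvious from the user’s side, so here is an added example (not code from this post or from iThemes Security Pro) in Python: the codes are generated from a secure random source, only salted hashes are stored, comparison is constant-time, and a code is deleted the moment it is redeemed so it can never be used twice. The in-memory dict standing in for the user meta table and the code format are assumptions for the demo.

```python
import hashlib
import hmac
import secrets


def generate_recovery_codes(count: int = 10, nbytes: int = 5) -> list:
    """Random single-use codes shown to the user exactly once.

    token_hex(5) gives 10 hex characters (40 bits), formatted xxxxx-xxxxx
    for readability. Codes this short rely on the login being rate-limited.
    """
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(nbytes)
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _hash_code(code: str, salt: bytes) -> bytes:
    """Normalise what the user typed (dashes, spaces, case) and hash it slowly."""
    normalised = code.replace("-", "").replace(" ", "").strip().lower()
    return hashlib.pbkdf2_hmac("sha256", normalised.encode("utf-8"), salt, 50_000)


def store_recovery_codes(store: dict, user_id: int, codes: list) -> None:
    """Persist only hashes; the plaintext list exists solely on the user's screen."""
    salt = secrets.token_bytes(16)
    store[user_id] = {"salt": salt, "hashes": [_hash_code(c, salt) for c in codes]}


def redeem_recovery_code(store: dict, user_id: int, submitted: str) -> bool:
    """Accept a code once: on success the matching hash is removed from storage."""
    record = store.get(user_id)
    if record is None:
        return False
    candidate = _hash_code(submitted, record["salt"])
    for i, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(candidate, stored):
            del record["hashes"][i]  # burn it so the same code cannot be reused
            return True
    return False


def remaining_codes(store: dict, user_id: int) -> int:
    """How many unused codes are left; warn the user when this gets low."""
    record = store.get(user_id)
    return len(record["hashes"]) if record else 0


if __name__ == "__main__":
    user_meta = {}  # assumed stand-in for the site's user meta table
    codes = generate_recovery_codes()
    store_recovery_codes(user_meta, 1, codes)
    print("show once to user:", codes)
    print("redeem:", redeem_recovery_code(user_meta, 1, codes[0]))
    print("reuse: ", redeem_recovery_code(user_meta, 1, codes[0]))
    print("left:  ", remaining_codes(user_meta, 1))
```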
2 Factor Authentication For WordPress
If you’re a WordPress website admin, you should know that the WordPress login is the most commonly attacked part of any WordPress website. Why? WordPress, by default, doesn’t limit login attempts, so WordPress brute force attacks are a common problem.
It is far too easy to create a bot that scours the internet blindly trying to brute force its way into any site. Or you can just use one of the thousands that have already been made. For nefarious actors, the internet has got you covered with ways to attack WordPress websites.
To make matters worse, database dumps filled with usernames and passwords are easy to find. Did you know that the “Collection #1” dump shared on MEGA in January 2019 contained 772,904,991 unique email addresses?
If any of your admin users reuse the same username and password on every site, your site is at risk. If one of their accounts is part of a credentials dump, anyone can start using those credentials against your login page. It’s scary, but now everyone has admin access to your site.
Once someone has admin privileges on your site, they can use your website for advertising Viagra, redirect your traffic to their shady sites, steal your customers’ data, or even take your site hostage and demand that you pay a ransom.
Force Privileged Users to Use 2FA
You can’t prevent people from reusing passwords on your website. However, you can require them to use an additional form of authentication along with their secure password.
If you don’t require 2fa for people making edits to your website, you are doing it wrong. You are putting your site at risk. I hope you noticed that the onus is on you to secure the site. We evolved to take the path of least resistance–91% of people know that they shouldn’t reuse passwords, but 59% still choose to reuse their passwords everywhere. Help out your users by not letting them be a security vulnerability on your site.
2 Factor Authentication For Everyone
As privacy concerns are heating up on a global scale, you should think about allowing your site’s subscribers and customers an option to add 2 factor authentication to their accounts.
Customer accounts can hold sensitive information like email addresses, phone numbers, and addresses. Using this information someone could perform a sim swap and gain control of your customer’s phone number. Phone numbers have become IDs. Once someone controls your number, they may be able to control your identity.
Even though their account getting hacked won’t necessarily be a security concern for your site, it can cause a whole world of hurt for your customer. Give them a chance to add a layer of security to protect themselves.
How to Add 2 Factor Authentication To Your WordPress Website
You can add 2 factor authentication to your site using a WordPress security plugin like iThemes Security Pro.
The iThemes Security Pro plugin has three different methods of 2fa. You can select which 2fa methods to use and set a primary method from the user profile page:
- Mobile App
- Email
- Backup Codes
The User Type Protection option will force specific user roles to use 2fa. To reiterate, people will often choose the path of least resistance. You are helping them not become a security vulnerability, which is a win-win for everyone.
iThemes Security Pro even has a helpful 2fa onboarding feature. When enabled, iThemes Security will guide your people through the 2 factor configuration the next time they log in.
The idea is to make it easy for people to lock down their accounts. Forcing privileged users to use 2fa makes it easy for them to contribute to the security of the site.
2 Factor Authentication is the Best
To sum up, there is nothing else you can do that is as easy as adding 2fa to your WordPress login that will do more to secure your site. If you aren’t currently using two-factor, add it to your site right now.
A WordPress Security Plugin Can Help Secure Your WordPress Website
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add an extra layer of security to your website.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.