Security is a major concern for webmasters. Strong passwords are a good way to keep people out of your admin panels, but they aren’t enough. Passwords can be cracked or stolen. You need another layer, one that makes it much harder for the bad guys to get into your stuff. That’s where Two-Factor Authentication comes in.
Two-Factor Authentication Explained
Two-factor authentication may sound complicated but it’s actually very simple. I’ll explain it in two different scenarios.
Let’s say you want to log into your website dashboard. You pull up your login form, then enter your username and password. Hit enter and you get in. The trouble is that if anyone gets your login credentials, they can do the same thing.
If you are using two-factor authentication, you have an additional step to follow. Once you enter your login credentials, you must then perform another action to prove that you are actually the person who should be allowed access. One popular method is to have your site send a text message to your phone. The text message will contain a secret code that you must enter in a form on your site. If what you enter matches what was sent, you are allowed access.
The idea behind two-factor authentication is that while someone may get your login credentials, it’s less likely that they will have your login credentials and your authentication device (your phone in this case). If they can’t enter the authentication code, they can’t get in.
Two-Factor Authentication for WordPress
Adding two-factor authentication to your WordPress installation is pretty easy. There are multiple plugins that offer a reliable two-factor authentication system. Let’s go over a few of our favorites.
The Google Authenticator plugin for WordPress provides two-factor authentication for all of the users on your WordPress site. It works with the Google Authenticator app for Android and Apple mobile devices. The plugin asks for the code shown in the Authenticator app; the app generates each code automatically, and each code expires on its own. If you enter the correct code, you get in.
With the Google Authenticator plugin for WordPress, two-factor authentication can be enabled/disabled on an individual user basis. This is useful for sites that may have members who don’t own an Android or Apple mobile device.
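How an automatically generated, expiring code of the kind the Google Authenticator app shows can be computed and checked on the server side, as an added example (not code from any plugin described here). It follows RFC 6238 (HMAC-SHA1, 6 digits, 30-second step); the function names, the clock-drift window and the replay check are assumptions of this example, and the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid (RFC 6238 default)
DIGITS = 6   # length of the code shown in the app

# Base32 form of the RFC 6238 test key "12345678901234567890".
# Constructed sample value; a real secret is random and unique per user.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """Return the code for the 30-second window containing unix_time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte picks 4 bytes.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, unix_time, last_used_step=-1, drift=1):
    """Return the time step the code matched, or None if it is rejected.

    Accepts codes up to `drift` steps either side of the current one to
    tolerate phone clock skew, and refuses any step at or before
    `last_used_step` so a code that was already accepted cannot be replayed.
    """
    current = unix_time // STEP
    matched = None
    for step in range(current - drift, current + drift + 1):
        if step < 0 or step <= last_used_step:
            continue
        expected = totp(secret_b32, step * STEP).encode()
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted.encode()):
            matched = step
    return matched


if __name__ == "__main__":
    print(totp(SECRET, 59))                       # code for the window at t=59
    print(verify(SECRET, "287082", 59))           # accepted in its own window
    print(verify(SECRET, "287082", 59, 1, 0))     # same code replayed: rejected
```

The caller stores the returned step per user and passes it back as `last_used_step` on the next login.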
Duo is a company that provides an advanced two-factor authentication system that can be used across almost any platform. It is capable of working with tons of applications to secure email systems, websites, or even server logins. And that is barely scratching the surface of what their system can secure.
Duo provides a plugin for WordPress that interacts with the Duo system. After you try to log into your dashboard, the mobile app provides a quick push button option to automatically accept your login attempt. No need to provide a code.
For those who can’t use an app, Duo can send a code via text message or call your phone. You will need to sign up for a free account on the Duo website to authenticate with.
With Duo for WordPress, you will also have to follow a setup process that is certainly a lot more involved than the other two-factor authentication plugins in this list. This may be the reason why the plugin has such a low user count, despite being such a great system.
Clef is an amazing system that does two-factor authentication differently than its competitors. Unlike many systems that want you to enter a code, Clef provides a weird moving barcode that you must scan with your mobile device. The app uses this barcode to verify who you are. It also provides a timer to automatically log you out after a length of time you set each time you log in. This helps keep you secure by kicking out your session if you happen to forget to log yourself out.
Like Duo, Clef users will need to sign up for a free account in order to use the system. The app is incredibly easy to use (seriously, just open it and point the camera at the barcode). The Clef WordPress plugin currently lives on over 900,000 websites.
If you’re concerned about security (and you should be), I recommend that you take a look at using two-factor authentication. It can help protect your logins and keep out the bad guys.