Best two-factor authentication (2FA) for WordPress

November 25, 2016 by Paulina BudzoƄ

When securing your WordPress installation, there's an abundance of tasks to be performed. One of them, and a very important one, is enabling two-factor authentication for all users. The most popular way of doing that is with a plugin that works with smartphone apps like Google Authenticator, but from what I've seen those are either quite poor or require payment to use for more than one user. Recently, a new player has come onto the scene, and they're making quite a stir.

I'm talking about "Two-Factor", created by George Stephanis and friends. This plugin, actively developed and completely free, is the best two-factor authentication plugin for WordPress available at the moment. It supports multiple 2FA methods: email, Google Authenticator (time-based one-time passwords, TOTP), FIDO U2F security keys and backup codes (a pre-generated list of one-use codes).

[Screenshot: Two-Factor plugin setup screen]

Now, this plugin is still in very active development (they even have a GitHub issue titled "We need a logo"), but it works well. The email and Google Authenticator options work perfectly, and I haven't needed the backup codes option so far.

As far as I know, this is the only plugin which lets you log in to WordPress using your FIDO U2F key (like a YubiKey, my personal favourite!). That only works in newer versions of Chrome, since no other browser has support for it yet. There's also a U2F add-on for Firefox, which works great, but because the plugin uses User-Agent detection it won't let you use your key for U2F in Firefox (unless you change your User-Agent with... another add-on). There's an open GitHub issue for better U2F support detection, so if anyone wants to contribute... :) Still, if you're a Chrome user, your U2F device will work like a charm!
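The User-Agent problem above is a general one: a UA string tells you what the browser calls itself, not whether the U2F API is actually reachable. Here is an added example (mine, not the plugin's code) contrasting a UA check of the kind described with feature detection. It assumes that whatever provides U2F in the browser, Chrome with its u2f-api.js helper script or the Firefox add-on, exposes `window.u2f` with `register()` and `sign()`; the Chrome regex and the sample environments are constructed for illustration.

```javascript
// Added example, not the Two-Factor plugin's code: decide whether to offer a U2F security key
// by checking for the U2F JavaScript API instead of parsing the User-Agent string.
//
// Assumption: whatever provides U2F (Chrome plus the u2f-api.js helper, or the Firefox add-on)
// exposes window.u2f with register() and sign(). That is the surface we test for.

// A User-Agent check of the kind the post describes (hypothetical, not the plugin's regex).
function u2fSupportedByUserAgent(userAgent) {
  return /\bChrome\/\d+/.test(userAgent);
}

// Feature detection: ask for the API itself. `win` is the window object (or a stand-in).
function u2fSupportedByFeature(win) {
  const api = win && win.u2f;
  return Boolean(api && typeof api.register === 'function' && typeof api.sign === 'function');
}

// Constructed sample environments; there is no real `window` outside a browser.
const CHROME_UA = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36';
const FIREFOX_UA = 'Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0';

function fakeWindow(userAgent, withU2fApi) {
  const win = { navigator: { userAgent } };
  if (withU2fApi) {
    win.u2f = { register() {}, sign() {} }; // stand-in for the real API surface
  }
  return win;
}

// Firefox with the add-on installed: UA sniffing rejects it, feature detection accepts it.
const firefoxWithAddon = fakeWindow(FIREFOX_UA, true);
// Firefox without the add-on: both checks say no.
const plainFirefox = fakeWindow(FIREFOX_UA, false);
// Chrome on a page that never loaded the helper script: UA sniffing still says yes.
const chromeWithoutHelper = fakeWindow(CHROME_UA, false);
```

Feature detection answers the question the login page actually has ("can I call `u2f.sign()` here?"), which is why it accepts Firefox with the add-on and rejects a Chrome page where the API was never loaded, the two cases UA sniffing gets wrong.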

The plugin is available on wpackagist, so to use it you can simply add it to your composer.json:

"require": {
    ...
    "wpackagist-plugin/two-factor": "*"
}

Since a stable version hasn't been officially released yet, you'll have to change the minimum-stability in your general composer options:

 "minimum-stability": "dev",
 "prefer-stable": true,

Or, if you're an old-school WordPress user and prefer to upload your plugins manually, you can download it from WordPress.org: wordpress.org/plugins/two-factor/

Posted in: Security, Web development