Two-factor authentication (2FA) is a system of access control where two different methods are used to authenticate a user of a WordPress website, or any application. 2FA is a common type of multi-factor authentication, which combines two or more methods to authenticate a user.
Authentication is a means of validating a user before granting them access to an application based on their access levels. All methods of authentication rely on the use of one or more of the following:
- Something you know: This is used by a user to prove they are who they claim they are based on a shared secret (for example, a password). When a user enters a password, WordPress compares this with the password for that username it already has in its database. If they match, access is granted.
- Something you have: A user is validated after proving they possess a device, such as a mobile phone, that is already associated with the user’s account within WordPress. The user enters a code or PIN generated by the device or received from WordPress via, for example, SMS text or email.
- Something you are: A user is authenticated based on some biometric information. Examples include fingerprint scan, retina scan and voice scan.
Combining two or more of the above methods in a single authentication system is what makes multi-factor authentication. Two or more factors of authentication provide extra hurdles an attacker must overcome to bypass an authentication system.
WordPress already uses the Something you know method via password authentication. To use an extra authentication method you need to install a plugin. This tutorial will take you through how to use Google Authenticator with WordPress.
Google Authenticator on Your Smartphone
Google Authenticator is an application that you install on your smartphone (or tablet). The application is available for Android devices via Google Play, and for Apple devices via the Apple App Store.
The app works by continuously generating a new code every given time interval, usually every 30 seconds. When a user tries to log in to your website, WordPress requests an additional piece of information: a 6-digit code generated by the Google Authenticator app on your smartphone.
After the user enters the 6-digit Google Authenticator code, WordPress generates its own code using an algorithm known as the Time-based One-Time Password (TOTP) algorithm. It is the same algorithm the Google Authenticator app on your smartphone uses to generate the 6-digit code.
WordPress and the app on your smartphone share a common secret key generated during the setting up of Google Authenticator on WordPress. More on that later.
That shared secret is the key the algorithm uses, together with the current time, to generate the 6-digit code that changes every 30 seconds. Therefore, all applications running the same TOTP algorithm with the same shared key generate the same 6-digit code within any given time interval.
The applications, in this case WordPress and the Google Authenticator app, need not be connected in any way (e.g. via the internet).
WordPress compares the 6-digit code it generated with the one provided by the user. If they match, the user is authenticated.
Integrating Google Authenticator with WordPress
From your WordPress administration area, go to ‘Plugins’ -> ‘Add New’. Search for ‘Google Authenticator’. From the results, look for the plugin by Henrik Schack. Click ‘Install Now’ to install. Click ‘Activate’ to activate.
While at it, you should also install and activate Google Authenticator – Per User Prompt by Ian Dunn. This plugin ensures the Google Authenticator code field in the WordPress login form is shown only to users who have activated Google Authenticator for their profile.
The Google Authenticator plugin adds settings to every registered user’s profile settings screen, under the ‘Users’ -> ‘Your Profile’ menu item.
Head over to the Your Profile settings screen and scroll until you see the Google Authenticator Settings section. Tick the Active checkbox. Don’t worry; it won’t be activated until you actually save your profile settings.
You may use your profile’s email address for the Description field, or use the default given. Click on the Show/Hide QR code button to open the QR code ready for scanning with your phone.
From the menu of the Google Authenticator app on your smartphone, select Set up account. Select Scan a barcode. You should have a QR code scanner app installed on your smartphone, or the Google Authenticator app will prompt you to install one from the app store.
After installing a QR code scanner app, relaunch the Google Authenticator app and repeat the process outlined in the previous step. Point your camera at the computer screen, making sure to align the QR code generated in your WordPress admin with the outline of the scan area of the QR scanner app.
After a few seconds, the QR scanner will indicate a successful scan, usually with a short vibration of the smartphone, and the Google Authenticator app will add your new account. You should see the description you entered under the Google Authenticator Settings in the list of accounts within the Google Authenticator app on your smartphone, with the TOTP code below, updating every 30 seconds or so.
If you prefer not to use the QR code, you may select Enter provided key from the menu of the Google Authenticator app on your smartphone, and enter the code shown in the Secret field of the Google Authenticator Settings on your WordPress profile page.
Scroll to the bottom of your WordPress profile settings screen and hit the Update Profile button to update your profile settings.
That’s it! The next time you log in to WordPress, you will be presented with the usual login screen. After correctly entering your username/email and password, hit the Log In button.
After WordPress verifies that your username/email and password combination is correct, a second form pops up requesting your Google Authenticator code.
Enter the TOTP code from the Google Authenticator app on your smartphone and hit the Log In button. Be quick, as the code changes every 30 seconds. There’s a timer in the Google Authenticator app on your smartphone to indicate how many seconds are left until the current code is invalidated.
You will be taken to the dashboard after WordPress verifies that the code you entered is correct.
Conclusion
Two-factor authentication greatly limits the probability of a successful authentication attack on your website, making your WordPress installation more secure. It is highly recommended for every WordPress user.
If you find yourself locked out of your account due to an incorrect TOTP code, or as a result of losing your smartphone, simply remove the Google Authenticator plugin from the WordPress plugin directory via FTP.
If you are on managed WordPress hosting without direct access to the filesystem, ask your web host, via their support portal, to do that for you.