Secure WordPress login with Two Factor Authentication - supports WP, Woo + other login forms,…
Secure WordPress login with this two factor authentication (TFA / 2FA) plugin. Users for whom it is enabled will require a one-time code in order to log in. From the authors of UpdraftPlus – WP’s #1 backup/restore plugin, with over two million active installs.
Are you completely new to TFA? If so, please see our FAQ.
Features (please see the “Screenshots” for more information):
This plugin uses the industry standard TFA / 2FA algorithm TOTP or HOTP for creating One Time Passwords. These are used by Google Authenticator, Authy, and many other OTP applications that you can deploy on your phone etc.
A TOTP code is valid for a certain time. Whatever program you use (i.e. Google Authenticator, etc.) will show a different code every so often.
This plugin began life in early 2015 as a friendly fork and enhancement of Oscar Hane’s “two factor auth” plugin.
This plugin requires PHP version 5.3 or higher and support for either php-openssl or PHP mcrypt. The vast majority of PHP setups will have one of these. If not, ask your hosting company.
If you want to add a section to the front-end of your site where users can configure their two-factor authentication settings, use this shortcode: [twofactor_user_settings]
Basically, it’s to do with securing your logins, so that there’s more than one link in the chain needing to be broken before an unwanted intruder can get in your website.
By default, your WordPress accounts are protected by only one thing: your password. If that’s broken, then everything’s wide open.
“Two factor” means adding a second requirement. Usually, this is a code that comes to a device you own (e.g. phone, tablet) – so, someone can’t get into your website without getting hold of your device. You can get a longer answer from Wikipedia.
Sometimes it is also called multi-factor authentication instead of two-factor – because someone could secure their systems with as many factors as they like.
Since “two factor authentication” just means “a second something is necessary to get in”, this answer depends upon the particular set-up. In the most common case, a numeric code is shown on your phone, tablet or other device. This code can be sent via an SMS; this then depends on the mobile phone network working. This plugin does not use that method. Instead, it uses a standard mathematical algorithm to generate codes that are only valid once each, or for only 30 seconds (depending on which algorithm you choose). Your phone or tablet can know the code after it has been set up once (often, by just scanning a bar-code off the screen).
This depends on your particular make of phone, and your preferences. Google have produced a popular app called “Google Authenticator”, which is a preferred option for many people because it is easy to use and can be set up via just scanning a bar code off your screen – follow this link, and ignore the first paragraph that is talking about 2FA on your Google account (rather than being relevant to this plugin).
Many and various devices and programs can generate the codes. One option is an add-on for your web browser; for example, here are some apps and add-ons for Google Chrome. Wikipedia lists various programs for different computers.
If your pass-code used to work, but no longer does, then check that the time on your device that generates them is accurate.
If you cannot get in and need to disable two-factor authentication, then add this to your wp-config.php file, using FTP or the file manager in your hosting control panel:
Add it next to where any other line beginning with “define” is.
Alternatively, if you have FTP or cPanel access to your web hosting space, you can de-activate the plugin; see this article.
If someone has access to your email account, then they can send a password-reset code there using the password-reset mechanisms built into WordPress. Therefore, if the two-factor code were also sent there, then the ability to read your email would allow the breaking of both factors, and hence it is no longer truly two factor authentication.
Some users might have two factor authentication on their email account, but this is not knowable or controllable from inside WordPress, and so giving this option to users means that the administrator cannot see or enforce two-factor authentication. And even in this case, email is often sent between servers unencrypted, and so is susceptible to man-in-the-middle attacks beyond the control of WordPress.
These are the names of the two mathematical algorithms that are used to create the special codes. These are industry-standard algorithms, devised by expert cryptographers. HOTP is less popular, but the device that generates the codes does not need to know the correct time (instead, the codes are generated in a precise sequence). TOTP is much more popular, and generates codes that are only valid for 30 seconds (and so your device needs to know the time). I’d recommend TOTP, as HOTP can be annoying if something causes the sequences to get out of sync.
You have a password manager extension installed in your web browser, with the correct password entered in it. It has automatically replaced your wrong password with the right one from its saved store. This behaviour has been observed and confirmed by several users. You can verify it by using the web developer tools in your browser to look at the HTTP data sent to WordPress, and observe which password is actually in it. You can also open a fresh web browser with no such extension in it to re-test.
Note that the two factor authentication plugin has no mechanism to compare or approve passwords; this is done by WordPress core. If the wrong password is sent, then this is handled by WordPress, and the login will not proceed.
User settings (dashboard)
User settings (front-end, via shortcode)
Regular WP login form requesting OTP code (after successful username/password entry)
WooCommerce login form requesting OTP code (after successful username/password entry)
What the user sees after entering a wrong OTP code on the regular WP login form
What the user sees after entering a wrong OTP code on the WooCommerce login form
Where to find the site-wide settings in the dashboard menu
Where to find the user's personal settings in the dashboard menu
Emergency codes (Premium version)
Adjusting other users' settings as an admin (Premium version)
Building your own design for the page with custom short-codes (Premium version)