Back in 1995, in one of his shows, David Letterman asked a much-younger Bill Gates “What about this internet thing, know anything about that?” While this might sound funny now, we have to acknowledge the immense growth the internet has experienced over the past few years.
Since then, the internet has evolved from ‘ this internet thing’ to this internet everything. We order groceries and take-outs, book holidays to countries we didn’t know existed 5 minutes ago, watch movies, bank, work, speak to anyone anywhere in real-time, and a million other things.
While, in retrospect, it can be hard to imagine life without the internet, it does bring with it a whole new set of issues that did not exist before. Privacy and security become big concerns in a world that is largely accessed with a username and a password.
Many share concerns about how secure their data is. To counteract this, governments and regulatory bodies have sought to establish specific rules and best practices to ensure basic security requirements are met. Due to this, those operating within the internet space need to make sure that they take reasonable steps to implement more robust security measures.
Table of contents
What is 2FA?
In a world where someone’s identity is unlocked with a username and a password, an additional authentication layer can add a layer of much-needed protection. This is where 2FA comes in, requiring an additional authentication step through a secondary authentication factor.
While two-factor authentication (2FA) might sound like it’s a very new thing, it has been around for some time. Home alarms and ATMs are two prime examples that use 2FA, since you need to have something (a house key and an ATM card, respectively) and know something – a PIN.
When using 2FA on WordPress websites, we need to know something – our username and password, and have something -such as a phone that will receive a code. This makes it less likely for someone looking to break into your account to do so successfully since aside from your password, they would also your phone and your face or finger, which are more difficult to steal without you noticing.
Who should implement 2FA?
If you have a WordPress website, you have at least one user account. Many websites have several users, be it staff, contributors, and customers. Protecting those user accounts should be a top priority as a security breach can seriously damage your website and business, in some cases irrevocably so.
There are also many acts, regulations, and standards that website owners need to comply with. This applies whether it’s the jurisdiction you operate from or a jurisdiction you want to operate in. With the internet being international by design, the more regulations you comply with, the more markets you can open yourself up to, growing your website and your business in the process.
To this end, we thought it might be worth the while to visit some of these frameworks and see how implementing 2FA for your WordPress website can help.
GLBA – Gramm-Leach-Bliley Act (1999)
Jurisdiction: US
Sector: Financial products and services
The Gramm-Leach-Bliley Act is a US Federal law that falls within the remits of the FTC. Also known as the Financial Modernization Act, it requires companies operating with the financial products and services sector to explain to customers how they share their data and make sure that sensitive information is adequately protected.
When it comes to protecting sensitive data, the act stipulates several provisions, including having technical safeguards to access customer information. This is where 2FA can come in handy as it allows for a more secure login process due to the additional authentication factor in place.
SOX – Sarbanes-Oxley Act (2002)
Jurisdiction: US
Sector: US public companies, foreign companies, and auditing firms that meet criteria
The Sarbanes-Oxley Act was passed into law in 2002 after high-profile fraud cases such as Enron wiped trillions of dollars of household wealth. To this end, the Act imposes a number of provisions that companies must comply with. SOX covers a number of topics, including reporting and data security, among others.
The 2021 Verizon Data Breach Investigations Report shows that the acquisition of user credentials remains the top priority for malicious actors. While steps should be taken to tackle such risks at the root, having a secondary net in the form of 2FA can offer protection against misuse of credentials.
PCI DSS – Payment Card Industry Data Security Standard
Jurisdiction: Worldwide
Sector: Card payments, all
PCI DSS is a security standard mandated by a number of card companies for organizations that handle certain credit cards. The standard is quite vast and includes 12 requirements split into six groups. You can read more about these requirements in our article about WordPress PCI compliance for e-commerce & business sites.
In this regard, 2FA can help to meet requirement number 8, which deals with identification and authentication. While a strong password policy can help you achieve more robust authentication processes, 2FA takes this a step further by adding an additional layer of security.
HIPAA – Health Insurance Portability and Accountability Act
Jurisdiction: US
Sector: Healthcare
HIPAA is a US federal law that aims to protect the privacy and security of health information. To this end, the Secretary of US Health and Human Services publish what is commonly known as the Privacy Rule and the Security Rule.
When it comes to security, HIPAA stipulates several rules, including identifying and protecting against reasonably anticipated threats and managing access to information. With a recent Microsoft security bulletin showing that MFA can stop 99.9% of account attacks, implementing 2FA could easily offer you the best ROI when implementing measures to comply with HIPAA.
GDPR – General Data Protection Regulation
Jurisdiction: EU
Sector: All
GDPR, dubbed as the toughest privacy and security law globally, applies not only to all EU companies but also to anyone who collects data about EU citizens. This means that to operate within the EU market, websites need to be GDPR compliant.
The law is split into several principles, including an integrity and confidentiality principle that mandates adequate security and confidentiality. While the law does give data encryption as an example, introducing 2FA to your login process gives you extra peace of mind that best practices are being followed as far as access is concerned.
Should I implement 2FA on my WordPress website?
When it comes to securing your WordPress website, you should follow a 360-degree approach to ensure it’s as secure as it can be. With user account login information being the data type hackers seek the most, implementing 2FA can help you stop some 99.9% of attacks. With plugins such as WP 2FA making it super easy to implement two-factor authentication on your website, we can’t see a reason why anyone shouldn’t implement 2FA on their WordPress website.