
Using the Google Authenticator app for WordPress 2FA

Whenever you implement a security measure, you should also have some sort of fallback. You do not want to be compromised by the failure of a single component. This is known as defense in depth.

When you manage a WordPress website, one of the most important aspects of security is authentication, i.e. how you log in to your website. There are several ways to harden authentication and improve the defense in depth of your WordPress login mechanism. One of them is to implement two-factor authentication (2FA).

Improving defense in depth with two-factor authentication

2FA uses two factors to log in. These factors are usually grouped into a handful of categories:

  • something you know, like a password
  • something you have, like a key or physical token
  • something you are (biometrics, e.g. your fingerprint)
  • something you do, like a swipe pattern on a phone
  • somewhere you are, like GPS-based authentication.

Note that 2FA is not as simple as just using any 2 things for authentication. For example, if you use 2 passwords to log in, that doesn’t qualify as 2FA: both fall into the same category of “something you know”.

For more detailed information on how 2FA works, refer to how two-factor authentication works on WordPress. In this article we’ll assume that you know what 2FA is, so we can show you how Google Authenticator works. We will also explain how, with a two-factor authentication plugin and the Google Authenticator app, you can easily set up 2FA on your WordPress website.

NOTE: The WP 2FA plugin for WordPress also supports Authy, FreeOTP and several other 2FA apps. So if you do not want to use Google Authenticator for WordPress 2FA, refer to the list of supported 2FA apps.

The Google Authenticator app: a crash course

Google Authenticator is an app built by Google. In 2FA it acts as something you have. This provides the second factor alongside the password (the something you know) you use to log in to your website.

It does so by using TOTP (Time-based One-Time Password). TOTP is a variant of the HOTP (HMAC-based One-Time Password) algorithm. Without getting too far into the weeds, HOTP differs from TOTP in one key way: in HOTP a password never expires until it is used, while a TOTP code or password expires within a certain time frame.

In Google Authenticator each generated code is valid for about 30 seconds. When you type in the correct password and the one-time code provided by the app, you successfully log in to your website.

How does your website know it is the correct one-time code?

Both the Google Authenticator app and the website start off with a common seed or secret. This secret can be either a string of characters you type in, or an input from your camera, for example by scanning a QR code. From there, the website’s 2FA mechanism and the Google Authenticator app on your phone are in sync with one another: both derive the same one-time code from the shared secret and the current time, so the website can check the code you type without the two ever talking to each other.

On its own, the Google Authenticator app provides only a single factor (something you have). Therefore, to achieve 2FA with Google Authenticator, you must couple it with another factor, typically a password.

IMPORTANT: With 2FA you still need strong passwords

Just because you enable 2FA on your website, it doesn’t mean you can brush off the other factor. Using the Google Authenticator app together with a strong password makes it an effective 2FA solution. With a weak password, the 2nd factor becomes moot, essentially reducing you to one factor. Conversely, if a one-time code is somehow compromised and someone uses it within its 30 second window, it is the strong password that still protects you.

How to set up the Google Authenticator app for your WordPress 2FA

First install the Google Authenticator app on your smart device and the two-factor authentication plugin on your WordPress website. The app is available on both Google Play and the Apple App Store.

As for the plugin, install WP 2FA, an easy to use two-factor authentication plugin for WordPress. This plugin supports the following 2FA methods:

  • Email codes (one-time code is sent over email)
  • TOTP (one-time code from the Google Authenticator app)
  • Backup codes

Setting up 2FA on your WordPress website with the WP 2FA plugin

Once you install and activate the WP 2FA WordPress plugin, you are presented with a wizard that helps you set up two-factor authentication.

From here, select the 1st factor method One-time code generated with the Google Authenticator app. Click Next and follow the instructions. Basically, all you need to do is launch the Google Authenticator app on your phone. Then tap the add new website icon (the red circle with a white cross), and select Scan a barcode to scan the QR code you are presented with.

Once you scan the QR code you will be asked to enter the one-time code for the first time. That is it. Now you have 2FA on your WordPress website and can generate one-time codes with the Google Authenticator app. However, don’t forget to generate some 2FA backup codes.

Why do you need the 2FA backup codes?

It’s always a good idea to select a secondary option here, otherwise if you ever lose access to your Google Authenticator app, your phone, etc., you will get locked out of your website.

You can set up email 2FA as a backup. However, we recommend generating a list of backup codes, printing it, and storing it in a safe place. You can use one of the backup codes to log in to your website in case you cannot get a one-time code from the Google Authenticator app. You can generate the backup codes through the wizard. If you did not:

  1. navigate to your user profile page,
  2. scroll down to the WP 2FA settings,
  3. click on Generate backup codes,
  4. once the codes are generated download or print the codes.

Logging in to WordPress with two-factor authentication

That is it! The next time you need to log in to your WordPress website, after typing in your credentials (always use strong passwords!) you will be asked for a one-time code. Simply launch the Google Authenticator app and type in the code.
