What is two-factor authentication
Two-factor authentication, also known as 2FA for short, is a subset of MFA (multi-factor authentication). It uses exactly two independent factors to authenticate a user. In addition to using their username and password, users trying to authenticate need to verify their identity through another factor, increasing the overall level of security and reliability of the authentication process.
Why is two-factor authentication important on a WordPress website?
Two-factor authentication is fast becoming a security standard employed by many organizations and industries. A Microsoft study has shown that it is able to stop 99.999% of attacks, making it a highly efficient and feasible security measure that can very easily be added to just about any WordPress website.
Due to its many benefits, 2FA has seen a surge in uptake – from online banking to WordPress websites. It also helps websites, companies, and entities comply with industry standards and requirements.
How two-factor authentication works
Two-factor authentication extends the WordPress authentication process by adding another factor through which users must authenticate before they can log on to WordPress. One of the most common secondary authentication factors is the OTP – One Time Password.
As the name suggests, a One Time Password is a password that can only be used once. There are several mechanisms through which this one-time password is delivered to the user, including authenticator apps and email. Once the user has successfully completed the first part of the authentication process – successfully entering their username and password, they will need to enter their OTP before being allowed in.
There are two types of OTPs available – TOTP and HOTP. TOTP uses a time-based counter, with passwords expiring every 30 seconds. This makes TOTP the more secure of the two. The other implementation of OTP is called HOTP. HOTP uses an HMAC-based counter, with passwords only expiring once they are used.
When using an app for their OTP, users are given a QR code, which effectively ties their phone to their WordPress account. As such, whenever a user wants to login to WordPress, they need to make sure they have their phone at hand.
How to manage two-factor authentication
WordPress does not include 2FA out of the box and as such, this functionality needs to be added via a 3rd party plugin such as WP 2FA, the #1 user-rated two-factor authentication (2FA) plugin for WordPress.
WP 2FA makes it very easy to implement two-factor authentication on your WordPress website as part of your WordPress website security hardening. It offers many configuration options, allowing WordPress administrators to implement 2FA without breaking any existing policies.