
2FA on WordPress

Perhaps there was a day when you left your front door unlocked because you could trust your neighbors… if so, that day has long since passed on the internet.

Passwords can be good, but even people who choose strong passwords and never reuse them rarely change them, and a password alone is still a single secret: if it is phished, logged by malware or leaked from another site, nothing else stands between the attacker and the login.

To get the terms straight: a strong password is on the order of 20 or more characters. Character-class complexity matters far less than length, because the only way to recover a password of that length from a stolen hash is brute force, which is infeasible against 20 random characters. What length does not protect against is phishing, keyloggers and other social engineering, which is exactly where a second factor earns its place.

Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).

Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

Wikipedia – Multi-factor authentication

Something you know (a password or PIN; the user id identifies you but is not a secret).

Something you have (a hardware security key, a phone running an authenticator app, or a device that receives a one-time code).

Something you are (a biometric such as a fingerprint or a face scan).

Each additional factor of a different type raises the bar, since an attacker now needs the password and the device rather than the password alone, at the cost of a more cumbersome login.

For WordPress, my feeling is that a good password combined with some type of token-based second factor is adequate for almost any site.

The question is — what’s a good token?

Well, part of that will depend on the plug-in you decide to use on your WordPress site and what additional authentication schemes it supports.

Good second-factor schemes are (in the order of my preference):

  • FIDO2 keys (WebAuthn)
  • FIDO U2F keys
  • Authenticator apps generating time-based one-time codes (TOTP), the "token" in most plug-ins: Google Authenticator, Microsoft Authenticator, Authy, Duo Mobile, FreeOTP Authenticator, LastPass Authenticator, Yubico Authenticator, etc.
  • SMS
  • Email

SMS and email are the weakest of these: an SMS code can be intercepted through SIM swapping or social engineering of the carrier, and an email code is only as secure as the mailbox it lands in. Treat them as backup methods rather than the primary one.

I highly recommend choosing an authentication plug-in that supports several second-factor methods, enabling at least two different types, and, where FIDO2/FIDO keys are supported, registering more than one key. If the plug-in issues one-time recovery codes, print them and store them offline as well. Should you lose your phone or your key, signing in with a backup method is far easier than going through your hosting service and editing the WordPress configuration files by hand to temporarily disable the authentication requirement.

Most WordPress 2FA plug-ins let you configure the authentication methods per user, and realistically only your administrative (and other privileged) users need to be required to use 2FA; for other users it can be left purely optional.
