Two-factor authentication – do it now.

The online world has become too dangerous for us to keep protecting ourselves with no more than a username and a password. Especially when most of us choose stupidly simple passwords. Even if you choose a good one – upper and lower case, special characters, letters and numbers – you now need such a long one that no human can remember it. Tools like LastPass are great, but only if you also use ridiculously long passwords. Pretty much the best protection you can give yourself is a simple thing called two factor authentication. It’s simple, it’s free, and it’s very effective.

What is two-factor authentication?

2FA to its friends, two-factor authentication is based on the idea that your access to something should be controlled by more than one thing. Not just what you know (a password) but also something you have, a “second factor”. Most banks, for example, will give you a “security token” if you ask for one. Once this has been activated, logging in to do Internet banking requires not only your username and password as before, but also the number shown on the token. If you don’t have the password and the code from the token (two “factors”), you can’t log in.

The “security token” can take many forms. The banks generally issue key-fob units with a button; press the button and the fob displays the current factor. There are credit-card style units that do the same thing, but in a thin flat card that fits in your wallet or purse. There are also “virtual” devices – software that runs on your phone or tablet, generating codes on request. The generated codes are six-digit numbers.

How does it work?

Whatever the physical form, the commonest type of 2FA device uses the TOTP protocol (Time-based One Time Password). A secret key is configured into the device and is also known to your bank (or Google or AWS, or whoever). Both sides keep accurate time. Both sides use the secret plus the current time to generate a second factor. Then the bank (or Google, or AWS, or whoever) requires your username, your password and this second factor before it lets you in.

A hardware TOTP generator is the safest, but the convenience of a smartphone app is hard to beat. Your smartphone becomes the “token”, with the advantage that you can use it for many different services. You can download an app for your phone or tablet that will generate the codes for you on demand. Software is available for most operating systems, and certainly for Linux, Mac, Windows, Android and iOS. Use the software recommended by the service provider; they may even have their own app for you to use. Otherwise, look for:

  • WinAuth for Windows
  • oathtool for Linux and Mac
  • Google Authenticator for Android and iPhone
  • … or search for “TOTP generator” online.

Securing WordPress with 2FA

By way of a practical example, here is how to turn on 2FA for your WordPress blog. It’s easy – do it today!

  • log in to your WordPress blog as an administrator
  • using Plugins -> Add New, locate and install the imaginatively-named “Two Factor Authentication” plugin
  • download a suitable app or program to generate TOTP codes (see above). I installed oathtool on Ubuntu (sudo apt-get install oathtool) and Google Authenticator on my smartphone.
  • activate the plugin in WordPress
  • under “Plugins -> Installed Plugins -> Two Factor Authentication -> Plugin settings”
    • select “Do require 2FA over XMLRPC”, then click “Save changes”
    • select “TOTP”
    • click “Save changes”
  • under “Plugins -> Installed Plugins -> Two Factor Authentication -> User settings”
    • scroll all the way down to “Advanced settings”
    • check “TOTP”
    • click “Save changes”
  • scroll up a bit until you see your private key. The plugin provides two keys – save both, but use the longer one. Copy and paste them to somewhere safe, and reveal them to no-one else. I put them in an encrypted password wallet. Do NOT store your private keys in the same place as your passwords.
  • configure the longest private key into your TOTP generator. If you are using a smartphone, the app will probably have a feature that lets you enter the key by scanning the QR code that the plugin displays; that’s by far the easiest method.
  • Test your TOTP generator! Scroll up a bit more in the plugin settings page and you will see Two Factor Authentication’s current code. Use your TOTP generator to give you a code, then click “update” beside the current code. The code from your generator and the code from the plugin should be the same. If they are not, wait thirty seconds and try again. If the codes still do not agree, try the shorter private key. Do not enable 2FA until the two codes agree.
  • Once the two codes agree, scroll up to the top of the user settings screen in the plugin, and enable 2FA. That’s it!

The next time you log in to your WordPress blog, after giving your username and password, you will be asked for your second factor. Run your TOTP generator, and enter the code it provides, and you will be logged in.

What if I lose my private key?

If you delete your private keys, uninstall the software you are using, lose your phone or in any other way lose the ability to generate new codes, you will not be able to log in to your WordPress site any more. That’s why you should store the private keys in a safe place – so that you can get a new device, reinstall your software or whatever, and simply configure the same private key into it.

If you didn’t save the private keys, or have lost them, or if for any reason you cannot get back into your WordPress site, check the Two Factor Authentication plugin FAQ on their website. It explains how, provided you still have access to the WordPress install, you can recover the situation.

What if someone else gets my key?

If someone steals your private key, they still won’t have access to your WordPress site – not unless they got your password as well. That’s the point of 2FA. And similarly, if they manage to steal or guess your password, it won’t help them without your private key. Hopefully it is obvious that storing your private key with your password is a very bad idea.

If you lose your phone or otherwise suspect that someone has obtained your private key, the first thing you should do is change your WordPress login password, just in case. Then go into “Plugins -> Installed Plugins -> Two Factor Authentication -> User settings”, scroll down to the private keys, and click the “Reset private keys” link. The plugin will generate new keys. Put the new keys into your TOTP generator, test again to make sure everything works, and you will be good to go again.

The Two Factor Authentication plugin is good, effective and free, but there are other 2FA plugins for WordPress, and you should feel free to try them out. The main thing is to test that everything works before logging out after enabling 2FA.
