In this tutorial we’ll be learning how to enable two-factor authentication for WordPress using a free plugin called Duo Two-Factor Authentication. Duo Security is an enterprise-level, renowned security service which is trusted by hundreds of companies like Sony, Microsoft, Accenture, Toyota and Yelp. It’s extremely secure and equally easy to use.
What is Two-Factor Authentication?
In very simple terms, two-factor authentication is an additional security measure intended to enhance the security of the site/product it safeguards. It consists of two distinct authentication stages:
- The account password
- A dynamically generated security code called a One Time Password (OTP)
Take Google accounts for example. With two-factor authentication enabled, when you sign in to your account from a new or previously unused IP address, the first barrier is your password. Next, Google will send an SMS to, or call, your registered mobile number with a 6-digit code. Only once you enter that code are you granted access to your account.
Until you authorize your PC (in essence, a particular IP address) as a known access point, you will always have to log in using these two steps. Once you authorize an IP address, the 2nd confirmation code (OTP) won’t be necessary.
Advantages Of Two-Factor Authentication
As you can imagine, the benefits of two-factor authentication are invaluable in an insecure environment. Even if someone came to know your password, he won’t be able to gain access to your account. The 2nd authentication stage, i.e. the OTP, would stop him. Check out this awesome explanation by Duo Security. However, in ridiculously rare cases, where the perpetrator has access to both your password and your phone, then you’re done for.
Prerequisites
Enabling two-factor authentication requires the following devices to be with each account holder at all times.
- A mobile phone or a tablet. Preferably a smartphone, since international calls/texts require chargeable credits. Android, iOS and BlackBerry devices are the recommended smartphones.
- An active phone number (either this or a recommended smartphone with Internet access)
- A Duo Security account
Setting up the Duo Security Account
The first thing that you need to do is create a free Duo Security account. You must use your active phone number in order to register an account. The following steps show you how:
First off, select the Free Account option from the pricing page. Fill in the details carefully. For the phone number, make sure that you use the Country Code followed by a space, then the phone number.
Since I’m from India, my Country Code is +91. So I’ve entered +91 XXXXXYYYYY.
In Step 2, you can use a different company size. Since we’re using Duo Security to protect our WordPress site, we select CMS under ‘What do you want to protect?’ The rest of the settings are fine.
As soon as you register, Duo will send you an activation link. Open your inbox and click on that link. You’ll be redirected to a similar page:
- Under Phone Number make sure that you use the same one you’ve used in the first step of the Duo registration process.
- Once you’ve entered all the details, click on Submit.
- Wait a few seconds and click on either Text Me or Call Me.
- If you don’t receive a text (I didn’t) then try the call function.
- If it still doesn’t work, recheck the number and ensure that your cell has a signal.
Configuring the Duo Admin Panel
Once you’ve set up the Duo account you’ll automatically be redirected to the admin panel.
- If you’re picking up from here, log in to your account and from the left menu, select Integrations > New Integration
- Under Integration Type select WordPress
- The Integration Name can be anything you want – we’ll use “My WP Site” in this tutorial
- Click on Create Integration
Connect Duo Security to your WordPress Site
We will now copy the secret keys and paste them in our WordPress site. This will establish a connection between our WordPress site and Duo Security.
To do this, go to WP Dashboard > Settings > Duo Two-Factor. The required settings are available on this page. Copy the keys from the Duo Security admin interface and paste them into the respective fields. Hit Save Changes and the connection is established. Now two-factor authentication is enabled on your site. In the next step, we will set up an authentication method.
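To make clear what those copied keys actually do, here is an added Python sketch of the classic Duo Web signing scheme that Duo's web integrations were built on; it is not the plugin's own code, the keys are constructed placeholders, and the Duo service's reply is simulated locally. The site signs a request with the secret key and its own application key, Duo signs its answer after the push or passcode succeeds, and the site only logs the user in when both halves agree.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder keys (real ikey is 20 chars, skey/akey 40); the skey must stay server-side.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "0000111122223333444455556666777788889999"
AKEY = "aaaabbbbccccddddeeeeffff0000111122223333"

def _sign_vals(key, vals, prefix, expire, now):
    """prefix|base64(user|ikey|expiry)|hex(HMAC-SHA1 over prefix|base64)."""
    cookie = prefix + "|" + base64.b64encode("|".join(vals + [str(int(now) + expire)]).encode()).decode()
    return cookie + "|" + hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()

def _parse_vals(key, val, prefix, ikey, now):
    """Return the username only if MAC, prefix, ikey and expiry all check out."""
    try:
        u_prefix, u_b64, u_sig = val.split("|")
    except ValueError:
        return None
    expected = hmac.new(key.encode(), (u_prefix + "|" + u_b64).encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, u_sig) or u_prefix != prefix:
        return None
    user, u_ikey, exp = base64.b64decode(u_b64).decode().split("|")
    if u_ikey != ikey or int(now) >= int(exp):
        return None  # wrong integration or expired
    return user

def sign_request(username, now=None):
    """Site side: TX part for Duo (signed with skey) : APP part kept for the site (akey)."""
    now = time.time() if now is None else now
    vals = [username, IKEY]
    return _sign_vals(SKEY, vals, "TX", 300, now) + ":" + _sign_vals(AKEY, vals, "APP", 3600, now)

def simulate_duo_approval(sig_request, now=None):
    """Stand-in for the Duo service: after the push/passcode succeeds, Duo signs an
    AUTH part for the user named in TX and returns the APP part untouched."""
    now = time.time() if now is None else now
    tx, app = sig_request.split(":")
    user = _parse_vals(SKEY, tx, "TX", IKEY, now)
    return _sign_vals(SKEY, [user, IKEY], "AUTH", 300, now) + ":" + app

def verify_response(sig_response, now=None):
    """Site side: log in only if Duo's AUTH part and our APP part name the same user."""
    now = time.time() if now is None else now
    auth_sig, app_sig = (sig_response.split(":") + [""])[:2]
    auth_user = _parse_vals(SKEY, auth_sig, "AUTH", IKEY, now)
    app_user = _parse_vals(AKEY, app_sig, "APP", IKEY, now)
    return auth_user if auth_user is not None and auth_user == app_user else None
```

Because the AUTH half can only be produced with the secret key, anyone who obtains that key from your WordPress settings can forge approvals, which is why it should be treated like a password and rotated if the site is compromised.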
Add an Authentication Method to Each WordPress User
In order to do this, you will first need to log out of the WP Dashboard and log in again. Post login, you should see something like this:
This tells us that the user (in this tutorial, ‘john’) does not have an authentication method activated for Duo Security.
Authentication Methods offered by Duo Security
The Authentication Methods available under a free account are as follows:
- Phone call (mobile or landline)
- SMS
- BlackBerry
- Android
- iOS
The Phone and SMS methods require credits. You have 1000 credits to begin with, which you’ll have to buy once they’re spent. The call/SMS credit charge depends on the country the phone number belongs to. For India, it’s 5 credits per call or SMS. I’ve tested both Phone and Android as Authentication Methods and found them to be working.
How to add an Android device to your Duo Security Account
Since most of us own a smartphone, I’ve created an in-depth tutorial for the Android Authentication Method. You can just as easily set up other devices by following the on-screen instructions.
The main advantage of using an Android device as an authentication method (represented as Tablet) is the fact that you don’t need an active mobile carrier signal. A working Internet connection on the respective device is all that’s required. So we select Tablet under Choose Your Device.
I’ve selected Android. If you own an iPad or iPhone, select iOS.
Now you need to install the respective mobile app. Check the confirmation box and hit Continue.
Open the Duo Mobile app in your device and click on the Key icon. This will launch a barcode scanner.
Scan the barcode from the screen to transform your tablet/phone into a recognized authentication device.
This confirmation shows that the user ‘john’ has an Android device as a recognized or Enrolled Device in his account.
Logging in with Two-Factor Authentication
Everything is now set up. Keep your phone/tablet nearby and navigate stage one by entering your password. Now you’re at the Two-Factor Authentication junction.
You can select Duo Push or Passcode as a login method. If you’ve selected Duo Push, click on Log In. You should see a notification in your Android/iOS device.
Launch the Duo Mobile app and select Approve. You should immediately see something like this:
You have now successfully overcome the 2nd stage of the two-factor authentication process and can access the WP Dashboard. Congratulations! If you had selected Passcode as a login method, then you’ll find the passcode inside the Duo Mobile app. You will have to manually type it in and press Log In.
Sneak Peek at the Mobile Authentication Method
Remember I said that I tried the Mobile authentication method as well? Well, the on-screen instructions were detailed and easy to follow. This screenshot shows that a Mobile device is added under the user ‘sourav’.
Remember that this form of authentication will cost you credits. You can use either a Voice Call or an SMS each time you log in. I found the Voice Call feature to be the most impressive. All I had to do was answer the call and press any button. That’s it – I was automatically logged in.
Conclusion
Enabling two-factor authentication is one of the best ways to prevent unauthorized access. It serves as an excellent security practice. Although it takes a bit more time to log in to your WordPress site, the extra work is rewarded with peace of mind.
There are other plugins in the market that help you set up two-factor authentication. The Security Pro plugin from iThemes is an excellent example. The plugin costs $80 for 2 sites and $150 for unlimited licenses. It is loaded with a boatload of awesome security measures when compared to its free counterpart – iThemes Security. I selected Duo Security since it is free for all to use.
So over to you – what do you think of this additional security measure? Is it like adding sugar to Coke (the drink)? Or is it something as awesome as thick gravy on pasta?