Security Key for 2FA/MFA in WordPress

Nowadays a username and a password, however strong, are no longer enough on their own. A second authentication factor is now required.

While it is true that WordPress generates fairly strong passwords by default, you can never know whether a user later ends up choosing a secure one or not, so we can force certain users to use a 2FA (second-factor authentication) / MFA (multi-factor authentication) system.

Personally I am a big fan of the plugins that the WordPress community itself builds as feature plugins, as is the case with this one: the functionality this plugin provides should perhaps ship by default in WordPress core itself.

The Two-Factor plugin comes from a 2013 proposal, which materialized in 2018 with the creation of a repository within WordPress for its development.

The plugin adds a small section to the user’s profile in which 4+1 methods can be configured:

  1. Email:
     If this method is activated, after entering the username and password it sends you an email containing a numeric code that you will have to enter.
  2. Time-based one-time password (TOTP):
     You’ll need to set up an app that generates TOTP time-based codes. The most common approach is to scan the QR code it offers with a mobile application (such as FreeOTP, which is open source).
     If this method is activated, after entering the username and password it asks you for the numeric code generated by the application, which you will have to enter.
  3. FIDO U2F security keys:
     If you have a FIDO/U2F security key, which is a hardware device, you can add it to the list, and when you log in to WordPress it will ask you to use it.
  4. Backup (single-use) verification codes:
     It is always a good idea to generate these 10 unique codes and save them. They are one-time codes that allow access if the other methods fail (for example, imagine that the email does not arrive, that you no longer have the app on your phone, or that you do not have the device at hand).
  5. Dummy method:
     This is a test method. It should only be used for testing and never in production.
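To show what the TOTP method (item 2) actually checks, here is an added example, not the plugin's own code (the plugin is PHP): an RFC 6238 TOTP generator and a verifier with a one-step clock-drift window and refusal of already-used steps. The secret is the RFC test secret, base32-encoded the way an authenticator app would read it from the QR code.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890" in ASCII), base32-encoded as an
# authenticator app would receive it from the QR code. Constructed for this
# example; a real WordPress user gets a random secret from the plugin.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time // step."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hotp(base64.b32decode(padded), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1, last_used: int = -1):
    """Return the matching time step, or None if the code is not accepted.

    A tolerance of +/-window steps absorbs clock drift between phone and
    server. Steps <= last_used are refused, so a code that was already
    used (or observed by someone else) cannot be replayed inside the window.
    """
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used:
            continue
        expected = totp(secret_b32, candidate * step, step, digits)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET_B32, now)
    print("code right now:", code)
    print("accepted at step:", verify_totp(TEST_SECRET_B32, code, now))
```

The server must remember the returned step as `last_used` for that user; otherwise the same six digits remain valid for the whole window.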

Until now I was very much in favour of using at least a code by email, provided your email account already has a 2FA method, but as there have lately been many hacks of mobile devices (which hold both email access and 2FA applications) I have decided to go a step further and test a physical device, which looks like a pendrive.

As it is my first device I have gone for the easy and cheap option, which does not have fingerprint validation as others do.

This device is a very small pendrive-like stick that includes a button/LED. Once configured in the operating system, what it does in the background is hold an internal key, and that key is what validates that it is you.

Other devices that may be interesting for their price/quality ratio:

As a general rule, it is best to configure several options and set one of them as the default. If you are ever unable to use that one, you can always fall back to an alternative method.

Two-Factor options and Security Keys.

To register a new Security Key we have to click on the “Register a new key” button, and the operating system will prompt us to insert it. Once inserted, it usually asks us to validate it (which, in the case I describe, means pressing the flashing LED button), and after that we can change the name of the device.

From then on, when we log in to our WordPress it will ask us for the username and password, and then for one of the available second-factor authentication methods.

Definitely a next step in improving security for access to WordPress sites.


About this document

This document is governed by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content on your website, in your presentation or in any material you distribute, remember to mention this site or its author, and note that you must put the material you create under the EUPL license.