What is Google 2-Step Verification and Why You Should Use It
One of the easiest ways that hackers can get access to your WordPress website is by using your login. Why is this? Most users use a 1-step login. The typical 1-step login process allows a user to enter a user name and password in order to enter the site. Anyone that has, or can guess, the user name and password can log in. User names are easy to find and passwords can be guessed and phished. Once someone gets your login credentials they have the same access that you do.
Hackers can get your passwords in several ways:
- If you use the same password on multiple sites
- If you click on suspicious links within email messages
- If you run software from the Internet that contains code to capture your passwords
To help improve security many sites add a CAPTCHA (for robots) or limit the login attempts (for brute force attacks). This does help, but there’s one problem: they don’t keep hackers from getting your password, and all that’s all they need. That’s the advantage of 2-Step Verification (also commonly known as 2-factor authentication) - it makes logging in a 2 step process.
The 2-Step Process
First, you would enter your user name and password as normal. However, instead instantly having access to the site, you then receive a code to enter as a second step of verification. This code usually comes to you as a text on your smartphone.
This adds an extra layer of protection to your login. If they figure out your username and password they still have to have the authentication code or they cannot access your website.
There are several companies that provide a 2-Step verification service. I want to discuss Google.
Google 2-Step Verification
Google 2-Step Verification is a popular free authentication service and it has a lot of benefits. You receive the code your phone as either a text, voice, or by using an app. The code is created specifically for your account and only when you need it. The code can only be used one time.
For improved security you can use a USB security key. The security key provides better protection against phishing because you don’t actually see the code. Also you don’t have to type the code in, saving you time and the headache of mistyping something. The security key is recommended unless you’re using a mobile device to access your website or you’re not using Google Chrome. Even when you have a security key you still have the option of using a code. The key uses an open standard called “FIDO Universal 2nd Factor (U2F)”. They can be purchased on Amazon. Prices start at $6.
If you travel outside of an area that doesn’t have phone service you can still use the 2-Step authentication with either the USB security key or downloading and printing a one-time use list of backup codes. The authentication process even works without an Internet connection.
If you sign in on the same computer then you’ll only have to use 2-Step verification if you sign out and then back in. If anyone uses your login on another computer they’ll have to use 2-Step verification.
You can provide backup phone numbers so you can receive your code if your primary phone is not available.
The reason this works so well is it requires the person logging in to have something that only you have: either your phone or your USB security key.
Implementing 2-Step Verification
In order to implement Google 2-Step Verification you need the app on your phone and a plugin installed on your WordPress website. The app is available from Google for Android, iOS, and Blackberry devices. Running it on WordPress requires a third-party plugin. There are several good plugins to implement it and they have a range of features. Here’s a quick look at a few of them.
Google Authenticator for WordPress
Google Authenticator for WordPress is a free plugin that allows you to set the 2-Step authentication process based on each individual user. You can limit the number of logins that are allowed without setting it up and set a reminder on the dashboard. It allows for clock discrepancies. Admins can reset the counter if users are locked out. It stores old passwords in a database and compares them so they can’t be reused. It will generate a QR code using Google Charts API and HTTPS.
Two-Factor Authentication (Google Authenticator)
Two-Factor Authentication from miniOrange adds more levels of security and more authentication options. You can enable 2-Step verification based on the user’s role. If you don’t have access to your phone you can get the code via email by answering security questions or from a one-time passcode. It supports Soft Token, QR Codes, and push notification.
It supports several apps including:
- Google Authenticator
- Authy 2-Factor Authentication
- miniOrange Authenticator
This plugin supports multiple authentication methods, device identification, custom login pages, special security questions for mobile browsers, and more.
The premium version adds user management, inline registration, phone verification, voice verification, OTP over SMS, custom redirect after login, customized login screens, custom email and SMS templates, and more. It will also remember the device. The premium version starts at $1 per user per year.
Two Factor Authentication
Two Factor Authentication supports multiple protocols including Google. It will display the code as a QR code so you can scan it with your smartphone or tablet. It provides authentication based on the user’s role that you set. It’s multisite compatible. The premium version adds shortcodes for the dashboard with custom designing, emergency codes, require 2-factor authentication after a certain period of time, admin access to turn off/on codes as needed, and more. The premium version starts at $22.49.
2-Step verification is a simple and effective way to protect your WordPress account. The reason this works so well is it requires the person logging in to have something that only you have: either your phone or your USB security key. Using the various plugins you can choose which features work best for you. The security key makes it even easier to use and is especially helpful for those times when you don’t have phone access. With a login system this painless it’s easy to see why Google 2-Step Verification is a highly recommended method of improving your website’s security.
Your turn. Do you use Google 2-Step Verification? Have you had any issues with it? Do you prefer the codes on your phone or the USB security key? Do you prefer another provider? Let us know about your experience in the comments below.
February 18, 2016 at 4:44 pm
How does this work if you have a web designer or person that helps with coding on your site? How do you both get the 2-step when someone you trust needs to work on your site?
Fix My WP
February 18, 2016 at 11:28 pm
Hello Cathryn. Each user can follow the 2 Factor Authentication from within their profile page, then setup their code and they are good to go.
February 19, 2016 at 7:01 am
Thank you, I appreciate that and will follow through with the 2-step authentication.
April 16, 2016 at 10:40 am
I saw this https://wordpress.org/plugins/wordpress-2-step-verification/ what’s different? There is app password and i dont know how to use
Fix My WP
April 18, 2016 at 12:02 am
WordPress 2-Step Verification is another way of adding 2 step verification for your site.
July 13, 2016 at 6:35 am
Hi, I hope you can help, I have the two step authentication thingy. I go through the process and then I am supposed to receive a code via text message, but it never, ever comes. this has been a problem since before forever. Do you have any idea how I can get help with this??
Fix My WP
July 13, 2016 at 6:57 pm
I assume you mean that the first step, registering the Google app with your phone fails. If so did you try using the Voice Call option?
July 13, 2016 at 6:59 pm
Hi Nana. The first thing I would try is to have the code sent to a different phone. This will help narrow down the cause of the problem.
April 12, 2017 at 2:09 pm
Do you have implementation code for Google 2-Step Verification ?
i want to implement Google 2-Step Verification in my website.
any idea how can i implement this ?
April 18, 2017 at 11:46 pm
Didn’t you follow the guide found in this post?