7 Best WordPress Two Factor Authentication Plugins: Secure Login
It’s easy to overlook the importance of using strong and secure passwords for your websites and applications. In an age of major data breaches, where checking if you’ve been pwned has become a necessity, nobody can profess that they’re exempt from potentially far-reaching security risks.
Most recently, one of the largest social platforms, Quora, was compromised by malicious hackers. The result? More than 100 million users had their personal information exposed. Names, emails, passwords (encrypted), and other sensitive information were accessed by a party outside of Quora.
This kind of an attack might seem like it has nothing to do with you personally, but if you’ve ever signed up with Quora, you’re exposed to the risks of having your other accounts compromised, too.
Other major breaches in recent times include Adobe, LinkedIn, and most recently, hackers found a way to exploit one of the most popular WordPress GDPR plugins.
This is where 2FA (Two-Factor Authentication) comes into play for WordPress. Unlike traditional password-protected pages, 2FA introduces a second layer of identity verification that can protect WordPress websites.
In this post, we showcase the seven best WordPress two factor authentication plugins to protect your site.
- Two-Factor
- WP 2FA
- Two Factor Authentication
- miniOrange 2FA
- Duo Two-Factor Authentication
- Rublon
- SecSign
What is WordPress Two Factor Authentication (2FA)?
Have you ever forgotten your password on a site like Google or Amazon? When you tried to reset it, you were asked to verify your identity a second time, using a memorable phrase or a PIN code sent to your mobile phone. This is the most basic implementation of two-factor verification.
Basic in the sense that you’re only required to verify your identity twofold after you’ve lost access to your account.
A more robust and secure approach is to ensure that every login attempt is protected by two-factor verification.
The most popular methods employed for two-factor authentication include external email addresses, using a mobile phone app like Google Authenticator or Authy to access a security code (TOTP or HOTP), hardware-based tokens (e.g. YubiKey) that use protocols like FIDO, SMS or phone calls, and memorable phrases in addition to the password.
Fortunately, there is an ample number of WordPress plugins available that provide two-factor authentication solutions. Some plugins use services like Google Authenticator or Authy, while others implement completely different methods, such as email verification and custom push notifications.
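The TOTP and HOTP codes mentioned above are fully specified in RFC 4226 and RFC 6238, and the algorithm is small enough to show in full. The following is an added illustration written for this post, not code from any of the plugins reviewed here: it generates HOTP/TOTP codes the way an authenticator app does, builds the `otpauth://` enrolment URI that apps read from a QR code, and shows the server-side check with the two details a plugin must get right, a small drift window and a "last accepted counter" so a code cannot be replayed. The secret `12345678901234567890` is the RFC test key; the function and parameter names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, timestamp: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second slots since the epoch."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the time-step counter the code matched, or None.

    - `window` steps either side of "now" tolerate clock drift between phone and server.
    - Counters at or below `last_counter` (the last step already accepted for this user)
      are refused, so a code captured by a shoulder-surfer or phishing page cannot be
      reused inside its validity window. The caller stores the returned counter.
    - compare_digest keeps the comparison constant-time.
    """
    counter = timestamp // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps import when the user scans the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"            # RFC 4226 / 6238 test key
    print("HOTP counter 0:", hotp(rfc_secret, 0))   # 755224 per RFC 4226
    print("TOTP at t=59  :", totp(rfc_secret, 59, digits=8))  # 94287082 per RFC 6238
    fresh = secrets.token_bytes(20)                 # what a plugin would generate per user
    print(provisioning_uri(fresh, "admin@example.com", "ExampleBlog"))
    print("current code  :", totp(fresh))
```

A plugin that skips the `last_counter` bookkeeping still "works", but the same six digits then open the account for up to 90 seconds with a one-step window, which is exactly the gap real-time phishing kits rely on.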
Seven Best WordPress Two Factor Authentication Plugins
1. Two-Factor
Two-Factor is a 100% free two-factor authentication plugin that comes from a number of well-known WordPress core contributors.
Beyond being free, its standout feature is that it supports a number of different authentication methods including:
- Email codes
- TOTP – works with any authenticator app such as Google Authenticator
- FIDO Universal 2nd Factor (U2F) – lets people use physical security keys such as YubiKey
- Backup codes
The main downsides of the plugin are as follows:
- While it’s great for securing your own account, it doesn’t offer as many options for enforcing two-factor authentication for different types of users on your site.
- It doesn’t offer any integrations for text-based authentication.
Overall, if you just want to secure your own WordPress account (plus maybe the accounts of a few contributors), this 100% free option is a great place to start.
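Backup codes, which several plugins in this roundup offer, only help if the site stores them safely: they are low-entropy secrets that must each work exactly once. The block below is an added example for this post, not the Two-Factor plugin's implementation. It generates a set of random codes, stores only salted PBKDF2 hashes of them (so a database leak does not hand out working second factors), and redeems a submitted code with a constant-time comparison that marks it used. The record layout, function names and the 50,000-iteration count are this example's assumptions.

```python
import hashlib
import hmac
import secrets

CODE_BYTES = 5            # 40 bits of entropy per code, shown as 10 hex characters
ITERATIONS = 50_000       # PBKDF2 work factor; slows offline guessing of a leaked hash


def _normalize(code: str) -> str:
    """Accept what users actually type: surrounding spaces, upper case, optional hyphen."""
    return code.strip().lower().replace("-", "")


def _hash_code(raw_code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", raw_code.encode(), salt, ITERATIONS, dklen=32)


def generate_backup_codes(count: int = 10):
    """Return (display_codes, stored_record).

    display_codes are shown to the user ONCE and then discarded by the server;
    stored_record holds a per-user salt, one hash per code and a used flag per code.
    """
    salt = secrets.token_bytes(16)
    raw_codes = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
    record = {
        "salt": salt,
        "hashes": [_hash_code(c, salt) for c in raw_codes],
        "used": [False] * count,
    }
    display_codes = [f"{c[:5]}-{c[5:]}" for c in raw_codes]
    return display_codes, record


def redeem_backup_code(record: dict, submitted: str) -> bool:
    """Consume a backup code: True the first time it is presented, False afterwards or if unknown."""
    candidate = _hash_code(_normalize(submitted), record["salt"])
    for i, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(candidate, stored):
            if record["used"][i]:
                return False        # single use: a reused code is treated as invalid
            record["used"][i] = True
            return True
    return False


def remaining_backup_codes(record: dict) -> int:
    """How many unused codes are left; a plugin would prompt for regeneration near zero."""
    return sum(1 for used in record["used"] if not used)


if __name__ == "__main__":
    codes, rec = generate_backup_codes(5)
    print("show once:", codes)
    print("first use :", redeem_backup_code(rec, codes[0]))   # True
    print("second use:", redeem_backup_code(rec, codes[0]))   # False
    print("remaining :", remaining_backup_codes(rec))         # 4
```

Because a redeemed code is a full bypass of the second factor, a site should log each redemption and rate-limit the endpoint the same way it rate-limits password attempts.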
2. WP 2FA
WP 2FA lets you set up two-factor authentication via a variety of methods, across its free and paid versions.
The free version supports any popular authenticator app – e.g. Google Authenticator or Authy. The paid version offers a more advanced Authy integration that supports two-factor via SMS, push notification, WhatsApp, and incoming call.
It also supports one-time backup codes in case users lose access to their method.
You can also set up customizable two-factor policies, which is one big area where it excels over the previous plugin. For example, you could force certain user roles to use two-factor while making it optional for others.
You can also access other useful features such as trusted devices, user onboarding with two-factor setup, and more.
There’s a functional free version at WordPress.org and the paid version starts at just $29.
3. Two Factor Authentication
Two Factor Authentication is a freemium plugin from the developers of the popular UpdraftPlus backup plugin.
It supports the TOTP and HOTP methods, which let you use any authenticator app such as Google Authenticator or Authy.
The premium version also adds emergency backup codes in case the user loses access to the device.
One of the areas where this plugin excels over the Two-Factor plugin above is when it comes to setting up policies and managing different types of users. Here are some examples:
- Enable/disable two factor for different user roles. For example, require it for Admins but not for Subscribers.
- Enable/disable two factor for specific user roles.
- Manage other users’ two-factor from your Admin account.
- Allow trusted devices so that users don’t need to verify the same device for a certain time period (e.g. 30 days).
It also has some other nice features, such as an option for users to manage two factor from the frontend.
However, it’s a bit limited in its two factor methods – there’s no option to use hardware keys, email, or SMS/phone calls.
There’s a functional free version at WordPress.org and the paid version starts at just ~$24.
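"Trusted devices" (skipping the second factor on a browser that completed it recently) is usually implemented as a signed, expiring cookie. The block below is an added example for this post, not the Two Factor Authentication plugin's code. It issues a token bound to the user ID with a 30-day expiry and an HMAC over the payload, and the check refuses tokens that are expired, tampered with, or presented for a different user. The server key, token format and helper names are this example's own assumptions.

```python
import base64
import hmac
import json
import secrets

TRUST_DAYS = 30


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trusted_device_token(server_key: bytes, user_id: int, now: int,
                               days: int = TRUST_DAYS) -> str:
    """Create the value to put in a Secure, HttpOnly cookie after a successful 2FA login."""
    payload = {
        "uid": user_id,                    # bound to one account, not just "this browser"
        "dev": secrets.token_hex(8),       # random per-issuance ID, useful for revocation lists
        "exp": now + days * 86400,         # absolute expiry; the server clock decides, not the client
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(server_key, body.encode(), "sha256").hexdigest()
    return f"{body}.{sig}"


def device_is_trusted(server_key: bytes, token: str, user_id: int, now: int) -> bool:
    """Return True only for an untampered, unexpired token issued for this user."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(server_key, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):     # verify BEFORE parsing untrusted JSON
        return False
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return False
    return payload.get("uid") == user_id and now < payload.get("exp", 0)


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # stored server-side, never sent to the browser
    t0 = 1_700_000_000
    token = issue_trusted_device_token(key, user_id=7, now=t0)
    print("day 10:", device_is_trusted(key, token, 7, t0 + 10 * 86400))   # True
    print("day 31:", device_is_trusted(key, token, 7, t0 + 31 * 86400))   # False
    print("other user:", device_is_trusted(key, token, 8, t0))            # False
```

Rotating `server_key` invalidates every outstanding trusted device at once, which is the simplest "sign out everywhere" for this feature; a per-user key gives the same effect for one account.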
4. miniOrange 2FA
miniOrange provides seamless authentication solutions that protect sensitive data from exposure. The company’s WordPress plugin is built to provide easy integration with the Google Authenticator service. Nevertheless, you can use additional authentication methods such as scannable QR codes, push notifications, soft tokens, and security questions.
Upon activating the plugin, you can head over to the miniOrange Dashboard and begin configuring your preferred method of authentication verification. The intuitive interface design makes it easy to quickly select a solution that feels right for you.
It’s important to note that miniOrange requires you to install their mobile application if you wish to use more robust verification techniques like push notifications and QR codes.
The free version limits 2FA to one single user per site. Should you wish to enable 2FA for more than one user, you’ll have to consider a paid option. The advantage of using the premium version is that you can enable additional authentication methods. Specifically, SMS and Email verification.
If you operate a smaller blog and you’re the only active administrator, then the free version should be more than enough to provide adequate protection of your site’s security.
5. Duo Two-Factor Authentication
Duo is a sturdy “2FA as a Service” plugin to help safeguard your WordPress account security. The straightforward onboarding process takes only a few minutes to configure.
After you have finished configuring the plugin, another layer of security is added to your WordPress site.
After users log in using their default WordPress credentials, they will be asked to verify their identity a second time using any of your chosen Duo authentication methods.
The full list of authentication methods provided by Duo includes:
- Single-tap login approval using the Duo app, making it a quick and easy way to prove your identity.
- Custom passcode generated from the application. Works in offline mode as well.
- A custom passcode sent to your phone number using SMS. Again, great for when you have no internet access.
- Simple callback to both landline and mobile phone numbers.
If you want to have peace of mind when it comes to your WordPress site’s security (in addition to having a backup), then Duo is one of the most user-friendly choices out there.
6. Rublon
It’s a well-known fact that hackers are always trying new methods and techniques for breaking into sites. And if you manage sensitive information, there’s no excuse to avoid going the extra mile in order to ensure industry-level protection.
This is the premise of Rublon, an advanced and sophisticated two-factor authentication solution. You can configure numerous verification methods like getting a link sent to your email for confirmation. Rublon will save your device information and allow you to log in using only a password thereon.
Additionally, you can use the Rublon App to carry your site security with you wherever you go. Sign in using your default username/password, and verify your identity by scanning the QR code using your phone.
The best part is that you can install this plugin and forget about it. No strenuous learning curves or complex features, just simple 2FA security for WordPress sites.
7. SecSign
SecSign provides a universal mobile-based 2FA experience for WordPress sites. The plugin uses state-of-the-art encryption methods to ensure brute-force protection.
Further, private keys generated by SecSign are never sent to an external server. Instead, keys are created directly by the mobile app and you are the only person to see them.
The core difference between this and other plugins in this roundup is that SecSign uses its personal ID platform: SecSign ID. This means that you won’t be using your WordPress credentials at all. Rather, you can use the SecSign Portal to generate unique ID names for each of your users.
As a result, you can take advantage of verification methods like fingerprint (for Apple users), and less intricate techniques like custom image selection.
Which Two-Factor Authentication Plugin Should You Use?
Picking the best WordPress two-factor authentication plugin really depends on two main things:
- The two-factor authentication methods that you want to use. E.g. physical FIDO keys vs TOTP smartphone apps.
- How much flexibility you need to enforce two-factor authentication on different types of users.
Of course, your budget might also come into play.
If you just want to protect your own WordPress account, the Two-Factor plugin is a great place to start because it supports a range of different methods and is easy to use.
Consider a different plugin if either of the following applies:
- You want to enforce two-factor authentication for other users on your site, including maybe having different rules for different types of users. For example, you might require two-factor for Editor user roles but not for Subscriber user roles.
- You want to use SMS or phone calls as an authentication method.
WP 2FA can handle both of those things, which makes it a great all around option. Two Factor Authentication does a good job of setting up policies for different types of users, but it doesn’t support SMS or phone call as a two-factor method.
You can’t put a price on data safety. Exposure to attacks can damage your brand identity, lessen the trust that users have in your product or services, and cause headaches and lost time when your site is hacked. While 100% security can’t be guaranteed, two-factor authentication is one of the best techniques out there for preventing unauthorized site access.
The plugins we have explored in this post are incredibly quick to install, and painlessly simple to configure. Even if you don’t like the idea of using a mobile application, using your phone to verify access to your site, or having a unique code stored somewhere safe, is better than relying on a single password alone.
For more on security best practices, don’t miss 14 Ways to Secure Your WordPress Site – Step by Step and 10 Plugins to Step Up WordPress Security.