About Two Factor Authentication (2FA)

Introduction to Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) adds an extra layer of security to your WordPress site by requiring users to verify their identity with an additional step during the login process. This is especially important for administrators and other users with privileged access to the site.

Even if an attacker obtains a user’s password, they would still need the second factor to gain access, such as a one-time password generated by an authenticator app or a verification code sent via email. Using 2FA is highly recommended for all Administrator users. For sites that allow users to save sensitive information such as payment details, 2FA is also highly recommended.

Really Simple SSL currently offers two 2FA methods:

  • Email verification: A verification code is sent to the user’s email address.
    • Pros: easy to use, no need to install additional apps
    • Cons: if the user’s e-mail address is compromised, attackers could intercept the verification code
  • TOTP/Authenticator app: Verification with time-based one-time passwords (TOTP) generated by authenticator apps like Google Authenticator.
    • Pros: improves security due to verification codes being generated on a separate device
    • Cons: installation of an authenticator app required, risk of losing access to the device with the authenticator app

Enabling Two-Factor Authentication (2FA) in Really Simple SSL

To enable the 2FA functionality on your site, navigate to SSL & Security -> Settings -> Login Protection and activate the “Enable Two-Factor Authentication” slider.

  • In the “Enforce for” field, select all of the user roles (e.g. Administrator) that are required to use 2FA to log in.
  • Proceed to the “Allow grace period” section and configure a grace period for users to set up their 2FA method. When the grace period ends, users that are required to log in using 2FA will no longer be able to log in without it.

Configuring available Two-Factor Authentication (2FA) methods

  • Continue scrolling down the page and look for the Email Verification and Authenticator App (TOTP) settings blocks.
  • In the “Enable for” section of each 2FA method, select which user roles are allowed to log in using that method.

Note: It is recommended to restrict Administrator users from using e-mail verification. Instead, we advise requiring TOTP (authenticator app) for administrators, as this generates verification codes on a separate device rather than relying on the security of the administrator's mailbox.

Really Simple SSL - 2FA, E-mail verification method

Really Simple SSL - 2FA, Authenticator app (TOTP)

Setting up Two-Factor Authentication (2FA) as a User

Which 2FA methods (e-mail/authenticator app) are available to a user depends on the methods that you have previously enabled for their user role in the “Enable for” setting.

If both 2FA methods are enabled for a user, they will be presented with the following screen upon logging in, allowing them to select their preferred 2FA method.

E-mail verification

If the E-mail verification method is selected, the user is prompted to enter a verification code sent via e-mail:

RSSSL - 2FA E-mail Verification Code

Authenticator App (TOTP)

If the Authenticator app (TOTP) method is selected, the user is prompted to configure their preferred authenticator app:

  1. Download the back-up codes by clicking the Download Backup Codes link
  2. Scan the QR code with your preferred authenticator app, or click “Copy the set-up key” to copy the key manually
  3. Enter the verification code as generated by your authenticator app and click Submit

RSSSL - 2FA TOTP / Authenticator App Configuration
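The TOTP method's pros and cons above and the three set-up steps describe what the authenticator app and the site each compute. The Python below is an added illustration, not code from Really Simple SSL, of how a time-based code is derived from the set-up key and checked server-side with a small clock-drift window, and of single-use backup codes for the lost-device case. It assumes the RFC 6238 defaults used by apps like Google Authenticator (SHA-1, 6 digits, 30-second steps) and uses the RFC 6238 test secret as a constructed set-up key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Assumed defaults shared by common authenticator apps (RFC 6238): SHA-1, 6 digits, 30-second steps.
STEP_SECONDS = 30
DIGITS = 6
# Constructed set-up key for the demo: the RFC 6238 test secret "12345678901234567890" in base32.
EXAMPLE_SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(setup_key_b32: str, at_time: Optional[float] = None) -> str:
    """RFC 6238 TOTP for the base32 set-up key shown next to the QR code (what the app computes)."""
    secret = base64.b32decode(setup_key_b32.replace(" ", ""), casefold=True)
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret, t // STEP_SECONDS)


def verify_totp(setup_key_b32: str, submitted: str, at_time: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side (phone clock drift)."""
    t = int(time.time() if at_time is None else at_time)
    return any(
        hmac.compare_digest(totp(setup_key_b32, t + delta * STEP_SECONDS), submitted.strip())
        for delta in range(-window, window + 1)
    )


def generate_backup_codes(count: int = 8) -> tuple:
    """Lost-device fallback: show the plaintext list once (the download link), store only SHA-256 digests."""
    codes = [secrets.token_hex(4) for _ in range(count)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def consume_backup_code(stored_digests: set, submitted: str) -> bool:
    """Each backup code works once: remove its digest from the stored set when it is used."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest in stored_digests:
        stored_digests.discard(digest)
        return True
    return False
```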

Switching between 2FA methods

You can change the current 2FA method configured on your account at any point in time.

  • Navigate to Users -> Profile in the left-hand WordPress menu, and scroll down the Profile page until you reach the Two-Factor Authentication section.
  • In the Selected provider section, click the Change link next to your current 2FA method.

Really Simple SSL - Change 2FA method in Profile

You will now be able to switch between the 2FA methods that have been enabled for your user role.

Really Simple SSL - Changing 2FA Method in Profile

What to do if you’re locked out after enabling Two-Factor Authentication (2FA)?

The Users block contains an overview of the current 2FA settings for all users, allowing administrator(s) to verify which 2FA method a user has selected and whether they have already finished the 2FA configuration. It includes the following information for each user:

  • Username: The user’s WordPress username.
  • User Role: The role assigned to the user (e.g. Subscriber, Author, Administrator).
  • Method: The current 2FA method configured for the user (e.g. E-mail, TOTP/Authenticator).
  • Status: The current status of the user’s 2FA configuration (e.g. Active, Open, Disabled, Expired).

Really Simple SSL - 2FA users and status overview

If a User is locked out due to 2FA

For example, a user may have lost access to their authenticator app, or the grace period for them to configure 2FA may have expired:

  • Click the Reset button to reset the 2FA status of the selected user(s) and trigger the onboarding process again, allowing them to reconfigure their 2FA settings.

If the Administrator is locked out due to 2FA

If the Administrator of the site is locked out, e.g. due to loss of their authenticator app/device, you may be unable to reach the aforementioned “Users” section to reset the 2FA status.

To temporarily disable 2FA in Really Simple SSL, define a constant in your wp-config.php file by adding the following line:

define( 'RSSSL_DISABLE_2FA', true );

This disables the 2FA checks on the login page, allowing you to log in again. While the constant is defined, no user on the site is protected by 2FA, so keep this window as short as possible. After successfully logging in and resetting the account’s 2FA settings (in the “Users” section as described above), you can safely remove the line from your wp-config.php and re-activate 2FA.

