Really Simple Security offers two distinct approaches to Login Protection:
Two-Factor Authentication (2FA) adds an extra security layer by requiring users to verify their identity with a second step after entering their password. Even if an attacker obtains a password, they would still need this second factor to gain access.
- Email verification: A verification code is sent to the user’s email address.
- Pros: easy to use, no need to install additional apps
- Cons: if the user’s e-mail address is compromised, attackers could intercept the verification code
- TOTP/Authenticator app: Verification with time-based one-time passwords (TOTP), generated with authenticator apps like Google Authenticator.
- Pros: improved security due to verification codes being generated on a separate device
- Cons: installation of an authenticator app required, risk of losing access to the device with the authenticator app
Login Authentication (Passkey) takes a different approach: instead of remembering passwords, users can authenticate using their device’s built-in security features like fingerprint sensors or facial recognition.
- Passkey Login: Secure, password-less authentication using cryptographic credentials; unique to each user and device.
- Pros: significantly enhanced security with phishing resistance, no passwords to remember
Enabling Login Authentication and 2FA in Really Simple Security
To activate and manage Login Authentication/2FA functionality on your site, navigate to Security -> Settings -> Login Protection -> Login Authentication and activate the “Enable Two-Factor Authentication” slider.
- In the “Enforce secure authentication for” field, select all of the user roles (e.g. Administrator) that are required to use Login Authentication or 2FA to log in.
- To make secure authentication optional for certain user roles: do not add those user roles to the “Enforce secure authentication for” field
- Enable the slider next to “Allow secure log in with Passkeys” to allow secure, password-less authentication with Passkeys.
- In the “Allow grace period” field, configure the number of days that users have to set up their preferred authentication method.
- Note: After the grace period expires, users in enforced roles who haven’t configured an authentication method will be unable to log in. Their status must be reset by an Administrator to restart their Grace Period.
Configuring available Login Authentication methods
With the “Enable Two-Factor Authentication” slider activated in the main section, you’ll find separate settings sections for each Login Authentication method.
Email Verification (2FA):
- In the “Enable Email Authentication for” field, select which user roles can use email verification as their 2FA method.
- Note: Email verification is not recommended for Administrator accounts, due to the possibility of the Administrator’s email account being compromised.
Authenticator App/TOTP (2FA):
- In the “Enable TOTP Authentication for” field, select which user roles can use TOTP authentication.
- Recommendation: Enforce TOTP or Passkey Login for Administrators. Both rely on a separate physical device (the phone running the authenticator app, or the device holding the passkey) rather than on the administrator’s mailbox, so a compromised e-mail account is not enough to pass the second step.
Passkey Login (Login Authentication):
- The “Allow secure log in with Passkeys” slider (in the main settings section) fully enables this authentication method, no further settings are required.
- Passkeys provide the highest level of security and are recommended for all user roles.
Setting up Login Authentication/2FA as a User
Which Login Authentication methods (E-mail/TOTP/Passkey Login) are available to a user depends on the methods you previously enabled for their user role.
If all Login Authentication methods are available for a certain user role, the user will be presented with the following screen upon logging in, allowing them to select their preferred method:
E-mail verification
If the E-mail verification method is selected, the user is prompted to enter a verification code sent via e-mail:
Authenticator App (TOTP)
If the Authenticator app (TOTP) method is selected, the user is prompted to configure their preferred authenticator app:
- Download the back-up codes by clicking the Download Backup Codes link, and store them somewhere safe and offline: they are what lets you log in if you lose the device running the authenticator app
- Scan the QR code with your preferred authenticator app, or click “Copy the set-up key” to copy the key manually
- Enter the verification code as generated by your authenticator app and click Submit
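To make concrete what the authenticator app does with the set-up key from the step above, here is an added example (not code from Really Simple Security) that derives and verifies RFC 6238 TOTP codes in Python. It assumes the set-up key is Base32-encoded, a 30-second time step and 6-digit codes, which is what Google Authenticator and compatible apps use by default; the sample key is the RFC 6238 test seed, not a key from any real site. The verify function also shows the one-step drift window and the constant-time comparison a server-side check should have.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample set-up key: the Base32 string an authenticator app reads
# from the QR code or the "Copy the set-up key" link. This value is the RFC 6238
# SHA-1 test seed ("12345678901234567890"), not a key from any real site.
SAMPLE_SETUP_KEY = base64.b32encode(b"12345678901234567890").decode("ascii")

STEP_SECONDS = 30   # time step used by Google Authenticator and most apps (assumed)
DIGITS = 6          # length of the displayed code (assumed)


def decode_setup_key(setup_key: str) -> bytes:
    """Turn the Base32 set-up key (spaces and case ignored) into raw HMAC key bytes."""
    normalized = setup_key.replace(" ", "").upper()
    # Base32 input must be padded to a multiple of 8 characters.
    normalized += "=" * (-len(normalized) % 8)
    return base64.b32decode(normalized)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(setup_key: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(decode_setup_key(setup_key), at_time // step)


def verify_totp(setup_key: str, submitted: str, at_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step and `window` steps either side.

    The window tolerates small clock drift between phone and server. The
    comparison is constant-time so a wrong guess does not leak how many
    digits matched.
    """
    submitted = submitted.strip()
    if not submitted.isdigit():
        return False
    key = decode_setup_key(setup_key)
    counter = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SAMPLE_SETUP_KEY, now)
    print("code for this 30-second step:", code)
    print("valid:", verify_totp(SAMPLE_SETUP_KEY, code, now))
```

Entering the same Base32 key into an authenticator app should produce the same code as this script in the same 30-second step, provided both clocks are correct; a code that is consistently rejected usually means clock drift larger than the window, not a bad key.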
Passkey
If the Passkey method is selected, the user will see a Passkey configuration screen with instructions to configure the passkey.
- A system prompt from the browser or operating system will appear, asking to create a passkey (as shown in the below example on macOS with “Use Touch ID to sign in”).
- Follow the on-screen instructions to authenticate using your device’s built-in authentication method (e.g. Touch ID, another biometric, or a hardware security key).
Once the setup is complete, the passkey is created and stored securely in the password manager of the user’s device. The user can now use their passkey for future logins, without needing to enter a password.
Switching between Login Authentication and 2FA methods
Users can change their currently configured Login Authentication and 2FA method at any point in time.
- Navigate to Users -> Profile in the left-hand WordPress menu, and scroll down the Profile page until you reach the Login Authentication section.
- The “Selected provider” section allows you to switch between all Login Authentication methods that are ‘allowed’ for your user role.
Resetting the Login Authentication/2FA status of Users
The Users section contains an overview of the current Login Authentication settings for each registered user on the site, allowing administrator(s) to verify which method a user has selected and whether they have already completed the configuration.
This section includes the following information for each user:
- Username: The user’s WordPress username
- User Role: The role assigned to the user (e.g. Subscriber, Author, Administrator).
- Method: The currently configured 2FA method for the user (e.g. E-mail, TOTP, Passkey).
- Status: The current status of the user’s 2FA configuration (Active, Open, Disabled or Expired):
- Active: 2FA is enabled, and the user has configured a 2FA method. Click Reset to remove their current 2FA method, allowing the user to re-configure 2FA on their next login attempt.
- Open: 2FA is enabled, but the user has not yet configured a 2FA method. The user will be prompted to configure 2FA on their next login attempt. The Reset button is not applicable in this case.
- Disabled: 2FA is enabled but optional for the user’s role, and the user has not configured 2FA. Click Reset to allow the user to configure 2FA on their next login attempt.
- Expired: 2FA is enabled and required for the user, but the user did not configure 2FA within the grace period, so their account is locked. Click Reset to unlock the account and restart the grace period, allowing the user to configure 2FA on their next login attempt.
What to do if you’re locked out after enabling Login Authentication/2FA?
If a User is locked out due to Login Authentication/2FA
For example, a user may have lost access to their authenticator app, or the grace period to configure 2FA has expired:
- In the Users overview (Login Protection -> Login Authentication -> Users), click the Reset button to reset the 2FA status of the selected user(s) and trigger the onboarding process again, allowing them to reconfigure their Login Authentication/2FA settings.
If the Administrator is locked out due to Login Authentication/2FA
If the Administrator of the site is locked out, they might be unable to reach the aforementioned “Users” section in the plugin’s settings to reset the account’s 2FA status here.
To disable Login Authentication in Really Simple Security and regain access to the site:
- Create an empty file named rsssl-safe-mode.lock in the /wp-content/ folder of your website.
- The Login Authentication and 2FA requirements from Really Simple Security will be disabled as long as this file is present.
This file disables the Login Authentication and 2FA checks on the login page, allowing you to log in once more.
After successfully logging in and resetting the Login Authentication settings for your account (Login Protection -> Login Authentication -> Users -> Reset), remove the .lock file from the /wp-content/ directory to re-enable the feature. Do this promptly: while the file exists, a valid password alone is enough to log in to any account on the site, so the second factor protects nobody until the file is gone.