Introduction to Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) adds an extra layer of security to your WordPress site by requiring users to verify their identity with an additional step during the login process. This is especially important for administrators and other users with privileged access to the site.
Even if an attacker obtains a user’s password, they would still need the second factor to gain access, such as a one-time password generated by an authenticator app or a verification code sent via email. Using 2FA is highly recommended for all Administrator users. For sites that allow users to save sensitive information such as payment details, 2FA is also highly recommended.
Really Simple SSL currently offers two 2FA methods:
- Email verification: A verification code is sent to the user’s email address.
  - Pros: easy to use, no need to install additional apps
  - Cons: if the user’s e-mail address is compromised, attackers could intercept the verification code
- TOTP/Authenticator app: Verification with time-based one-time passwords (TOTP) generated by authenticator apps like Google Authenticator.
  - Pros: improves security, because verification codes are generated on a separate device
  - Cons: installation of an authenticator app is required, and there is a risk of losing access to the device with the authenticator app
Enabling Two-Factor Authentication (2FA) in Really Simple Security
To enable the 2FA functionality on your site, navigate to SSL & Security -> Settings -> Login Protection and activate the “Enable Two-Factor Authentication” slider.
- In the “Enforce for” field, select all of the user roles (e.g. Administrator) that are required to use 2FA to log in.
- Proceed to the “Allow grace period” section and configure a grace period for users to set up their 2FA method. When the grace period ends, users that are required to log in using 2FA will no longer be able to log in without it.
Configuring available Two-Factor Authentication (2FA) methods
- Continue scrolling down the page and look for the Email Verification and Authenticator App (TOTP) settings blocks.
- In the “Enable for” section of each 2FA method, select which user roles are allowed to log in using that method.
Note: It is recommended to restrict Administrator users from using e-mail verification. Instead, we advise requiring TOTP (authenticator app) for administrators, as this generates verification codes on a separate device.
Setting up Two-Factor Authentication (2FA) as a User
Which 2FA methods (e-mail/authenticator app) are available to a user depends on the methods that you have previously ‘Enabled for’ their user role.
If both 2FA methods are enabled for a user, they are presented with the following screen upon logging in, allowing them to select their preferred 2FA method.
E-mail verification
If the E-mail verification method is selected, the user is prompted to enter a verification code sent via e-mail:
Authenticator App (TOTP)
If the Authenticator app (TOTP) method is selected, the user is prompted to configure their preferred authenticator app:
- Download the back-up codes by clicking the Download Backup Codes link
- Scan the QR code with your preferred authenticator app, or click “Copy the set-up key” to copy the key manually
- Enter the verification code as generated by your authenticator app and click Submit
Switching between 2FA methods
You can change the current 2FA method configured on your account at any point in time.
- Navigate to Users -> Profile in the left-hand WordPress menu, and scroll down the Profile page until you reach the Two-Factor Authentication section.
- In the Selected provider section, click the Change link next to your current 2FA method
You will now be able to switch between the 2FA methods which had been enabled for your user role.
Managing User 2FA status
The Users block contains an overview of the current 2FA settings for all users, allowing administrator(s) to verify which 2FA method a user has selected and whether they have already finished the 2FA configuration. It includes the following information for each user:
- Username: The user’s WordPress username
- User Role: The role assigned to the user (e.g. Subscriber, Author, Administrator).
- Method: The current 2FA method configured for the user (e.g. E-mail, TOTP/Authenticator).
- Status: The current status of the user’s 2FA configuration (e.g. Active, Open, Disabled, Expired)
  - Active: 2FA is enabled for the user, and the user has configured a 2FA method.
    - Click Reset to remove their current 2FA settings, allowing the user to re-configure 2FA on their next login attempt.
  - Open: 2FA is enabled for the user, but a 2FA method has not been configured by the user. The user will be prompted to configure 2FA on their next login attempt.
    - The Reset button is not applicable in this case.
  - Disabled: 2FA is enabled for the user, but it is optional, and the user has not configured a 2FA method.
    - Click Reset to allow the user to configure 2FA on their next login attempt.
  - Expired: 2FA is enabled and required for the user, but the user did not configure 2FA within the grace period, so their account is locked.
    - Click Reset to restart their Grace Period, allowing the user to configure 2FA on their next login attempt.
What to do if you’re locked out after enabling Two-Factor Authentication (2FA)?
If a User is locked out due to 2FA
For example, a user may have lost access to their authenticator app, or the grace period for them to configure 2FA may have expired:
- Click the Reset button to reset the 2FA status of the selected user(s) and trigger the onboarding process again, allowing them to reconfigure their 2FA settings.
If the Administrator is locked out due to 2FA
If the Administrator of the site is locked out, e.g. due to loss of their authenticator app/device, you may be unable to reach the aforementioned “Users” section to reset the 2FA status.
For example: You lost access to your phone with the TOTP (Authenticator) app, or 2FA is required for your Account and the Grace Period to configure 2FA has expired.
To disable 2FA in Really Simple Security and regain access to the site:
- Create an empty file in the /wp-content/ folder of your website, and call it rsssl-safe-mode.lock.
- The 2FA checks from Really Simple Security will be disabled as long as the file is present.
This disables the 2FA checks on the login page, allowing you to log in again. After successfully logging in and resetting the 2FA settings for your Account (Login Protection -> Two-Factor Authentication -> Users -> Reset), you can safely remove the .lock file from the /wp-content/ directory to re-activate 2FA.