About Login Authentication and 2FA

Really Simple Security offers two distinct approaches to Login Protection:

Two-Factor Authentication (2FA) adds an extra security layer by requiring users to verify their identity with a second step after entering their password. Even if an attacker obtains a password, they would still need this second factor to gain access.

  • Email verification: A verification code is sent to the user’s email address.
    • Pros: easy to use, no need to install additional apps
    • Cons: if the user’s e-mail address is compromised, attackers could intercept the verification code
  • TOTP/Authenticator app: Verification with time-based one-time passwords (TOTP), generated with authenticator apps like Google Authenticator.
    • Pros: improved security due to verification codes being generated on a separate device
    • Cons: installation of an authenticator app required, risk of losing access to the device with the authenticator app

Login Authentication (Passkey) takes a different approach: instead of remembering passwords, users can authenticate using their device’s built-in security features like fingerprint sensors or facial recognition.

  • Passkey Login: Secure, password-less authentication using cryptographic credentials; unique to each user and device.
    • Pros: significantly enhanced security with phishing resistance, no passwords to remember

Enabling Login Authentication and 2FA in Really Simple Security

To activate and manage Login Authentication/2FA functionality on your site, navigate to Security -> Settings -> Login Protection -> Login Authentication and activate the “Enable Two-Factor Authentication” slider.

  • In the “Enforce secure authentication for” field, select all of the user roles (e.g. Administrator) that are required to use Login Authentication or 2FA to log in.
    • To make secure authentication optional for certain user roles: do not add those user roles to the “Enforce secure authentication for” field
  • Enable the slider next to “Allow secure log in with Passkeys” to allow secure, password-less authentication with Passkeys.
  • In the “Allow grace period” field, configure the number of days that users have to set up their preferred authentication method.
    • Note: After the grace period expires, users in enforced roles who haven’t configured an authentication method will be unable to log in. Their status must be reset by an Administrator to restart their Grace Period.

Really Simple SSL - Enabling 2FA, configuration

Configuring available Login Authentication methods

With the “Enable Two-Factor Authentication” slider activated in the main section, you’ll find separate settings sections for each Login Authentication method.

Email Verification (2FA):

  • In the “Enable Email Authentication for” field, select which user roles can use email verification as their 2FA method.
    • Note: Email verification is not recommended for Administrator accounts, due to the possibility of the Administrator’s email account being compromised.

Authenticator App/TOTP (2FA):

  • In the “Enable TOTP Authentication for” field, select which user roles can use TOTP authentication.
    • Recommendation: Enforce TOTP or Passkey Login for Administrators as it provides stronger security by generating verification codes on a separate physical device.

Passkey Login (Login Authentication):

  • The “Allow secure log in with Passkeys” slider (in the main settings section) fully enables this authentication method; no further settings are required.
    • Passkeys provide the highest level of security and are recommended for all user roles.

Really Simple Security - Enable 2FA Methods

Setting up Login Authentication/2FA as a User

Which Login Authentication methods (E-mail/TOTP/Passkey Login) are available to a user depends on the methods you previously enabled for their user role.

If all Login Authentication methods are available for a certain user role, the user will be presented with the following screen upon logging in, allowing them to select their preferred method:

Really Simple Security - 2FA/Login Authentication (TOTP + E-mail + Passkeys): configuration steps for site users

E-mail verification

If the E-mail verification method is selected, the user is prompted to enter a verification code sent via e-mail:

Really Simple Security - 2FA E-mail Verification Code

Authenticator App (TOTP)

If the Authenticator app (TOTP) method is selected, the user is prompted to configure their preferred authenticator app:

  1. Download the back-up codes by clicking the Download Backup Codes link
  2. Scan the QR code with your preferred authenticator app, or click “Copy the set-up key” to copy the key manually
  3. Enter the verification code as generated by your authenticator app and click Submit

Really Simple Security - 2FA TOTP / Authenticator App Configuration

Passkey

If the Passkey method is selected, the user will see a Passkey configuration screen with instructions to configure the passkey.

Really Simple Security - Pending Passkey Configuration

  • A system prompt from the browser or operating system will appear, asking to create a passkey (as shown in the example below on macOS with “Use Touch ID to sign in”).
  • Follow the on-screen instructions to authenticate using the device’s built-in authentication method (e.g. Touch ID, or other biometric/security key options).

Really Simple Security - Configuring Passkey on MacOS

Once the setup is complete, the passkey is created and stored securely in the password manager of the user’s device. The user can now use their passkey for future logins, without the need to enter a password.

Switching between Login Authentication and 2FA methods

Users can change their currently configured Login Authentication and 2FA method at any point in time.

  • Navigate to Users -> Profile in the left-hand WordPress menu, and scroll down the Profile page until you reach the Login Authentication section.
  • The “Selected provider” section allows you to switch between all Login Authentication methods that are allowed for your user role.

Really Simple Security - Change Login Authentication/2FA method in Profile

Resetting the Login Authentication/2FA status of Users

The Users section contains an overview of the current Login Authentication settings for each registered user on the site, allowing administrator(s) to verify which method a user has selected and whether they have already completed the configuration.

This section includes the following information for each user:

  • Username: The user’s WordPress username
  • User Role: The role assigned to the user (e.g. Subscriber, Author, Administrator).
  • Method: The currently configured 2FA method for the user (e.g. E-mail, TOTP, Passkey).
  • Status: The current status of the user’s 2FA configuration (e.g. Active, Open, Disabled, Expired).
    • Active: 2FA is enabled, and the user has configured a 2FA method.
      • Click Reset to remove their current 2FA method, allowing the user to re-configure 2FA on their next login attempt.
    • Open: 2FA is enabled, but a 2FA method has not been configured by the user. The user will be prompted to configure 2FA on their next login attempt.
      • The Reset button is not applicable in this case.
    • Disabled: 2FA is enabled, but it is optional, and the user has not configured 2FA.
      • Click Reset to allow the user to configure 2FA on their next login attempt.
    • Expired: 2FA is enabled and required for the user, but the user has not configured 2FA within the grace period, and their account is locked.
      • Click Reset to unlock the account & restart the Grace Period, allowing the user to configure 2FA on their next login attempt.

Really Simple Security - 2FA users and status overview
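The four statuses above, together with the enforcement and grace-period settings, define a small state model. The following added example (not the plugin's code) models it so an administrator can reason about who is locked out and what Reset does; the assumption that the grace period is counted from the day the user first saw the setup prompt (`prompted_on`) is mine, the page does not state where the clock starts.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class UserAuth:
    username: str
    role: str
    method: Optional[str]   # "E-mail", "TOTP", "Passkey", or None if nothing configured yet
    prompted_on: date       # assumed start of the grace period (first setup prompt or last Reset)


def auth_status(user: UserAuth, enforced_roles: set, grace_days: int, today: date) -> str:
    """Derive the Status column from the page's definitions."""
    if user.method is not None:
        return "Active"                       # a method is configured
    if user.role not in enforced_roles:
        return "Disabled"                     # 2FA is optional for this role and not set up
    if today <= user.prompted_on + timedelta(days=grace_days):
        return "Open"                         # required, still inside the grace period
    return "Expired"                          # required, grace period over: account is locked


def can_log_in(user: UserAuth, enforced_roles: set, grace_days: int, today: date) -> bool:
    return auth_status(user, enforced_roles, grace_days, today) != "Expired"


def admin_reset(user: UserAuth, today: date) -> UserAuth:
    """The Reset button: drop the configured method and restart the grace period."""
    return replace(user, method=None, prompted_on=today)


if __name__ == "__main__":
    enforced = {"administrator"}
    today = date(2024, 6, 20)
    # constructed sample users for the overview
    users = [
        UserAuth("alice", "administrator", "TOTP", date(2024, 6, 1)),
        UserAuth("bob", "administrator", None, date(2024, 6, 15)),
        UserAuth("carol", "administrator", None, date(2024, 6, 1)),
        UserAuth("dave", "subscriber", None, date(2024, 6, 1)),
    ]
    for u in users:
        print(u.username, u.role, u.method, auth_status(u, enforced, 7, today))
```

Only an Expired user is actually blocked from logging in; an Open user is let through to the setup screen, and a Disabled user is not prompted at all until an administrator resets them.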

What to do if you’re locked out after enabling Login Authentication/2FA?

If a User is locked out due to Login Authentication/2FA

For example, a user may have lost access to their authenticator app, or the grace period to configure 2FA has expired:

  • Click the Reset button to reset the 2FA status of the selected user(s) and trigger the onboarding process again, allowing them to reconfigure their Login Authentication/2FA settings.

If the Administrator is locked out due to Login Authentication/2FA

If the Administrator of the site is locked out, they might be unable to reach the aforementioned “Users” section in the plugin’s settings to reset the account’s 2FA status.

To disable Login Authentication in Really Simple Security and regain access to the site:

  • Create an empty file named rsssl-safe-mode.lock in the /wp-content/ folder of your website.
  • The Login Authentication and 2FA requirements from Really Simple Security will be disabled as long as this file is present.

Really Simple Security - Disabling 2FA, debug instructions rsssl-safe-mode.lock file

This file disables the Login Authentication and 2FA checks on the login page, allowing you to log in once more.

After successfully logging in and resetting the Login Authentication settings for your Account (Login Protection -> Login Authentication -> Users -> Reset), you can safely remove the .lock file from the /wp-content/ directory to re-enable the feature.
