A Comparison of WordPress Two-Factor Options
I’ve been thinking hard about two-factor authentication in the last few months. I think it’s great, but you can’t deny the hassle. So while I’ve enabled it on small number of my most valuable accounts, I admit that I’ve not put it everywhere. I don’t have it on my WordPress sites–partly from avoidance of the (admittedly, relatively minor) hassle it represents, more just out of inertia. Helpfully, I just found this solid article from the folks over at WP WhiteSecurity about what options exist for turning on two factor for WordPress.
Quick rundown: two-factor authentication is where you add a second level of “password” to your login, most often a quickly generated string of numbers that is sent to you via some means, most often SMS or smartphone notification. The great advantage of two-factor authentication is that your attacker needs to breach two different things for you to be compromised: both your password, and your phone. The core of the reason it strengthens your security is that most password-guessing attacks come from the internet, and thus are unlikely to have physical access to your phone. (And, less importantly, those with physical access to your device probably won’t know your password.) The core downside: you now need your phone to log in to any website.
It’s a great idea to turn it on for WordPress site you care about, and spurred on by this post, I’ll start playing with it myself soon.