WordPress.com boosts security for bloggers with two-factor authentication

Automattic, the company behind the wildly popular blog hosting platform WordPress.com, has announced the immediate availability of 2FA (two-factor authentication) for WordPress.com account holders.

Like Apple, which recently did something similar but chose to call it two step verification, WordPress has gone for its own name, referring to the feature as two step authentication.

Whether you call it 2FA, 2SV or 2SA doesn’t really matter, because the underlying idea is the same: in addition to your regular password, each login requires a single-use code that is valid only for that login.

As a result, attackers can’t get anywhere simply by stealing your regular username and password combination.

There are many ways that a long-term password can fall into the hands of the bad guys. If you use the same password on multiple websites, you risk losing it if any of those sites is hacked. If you are infected with malware, you risk having your password keylogged every time you enter it. If you share your password with someone else, for example when you are in a hurry to get a time-critical business blog posted, you run the risk that they might lose it for you.

One-time passwords aren’t perfect – no security system is – but they raise the bar steeply for cybercrooks.

That’s because the crooks can’t just beg, steal or borrow your password today and use it at their leisure tomorrow.

They need to interpose themselves every time you log in, in order to recover the one-time code before it expires.

And if the one-time code is generated by, or delivered to, a device that is separate from the computer or device on which you actually do your work, then the job is even harder for the crooks. (Not impossible, of course. But much harder.)

How it works

For WordPress, Automattic has introduced two options.

You can install the Google Authenticator app on an iOS, Android or BlackBerry device and use it to generate one-time login codes. The app derives each code from a secret shared with WordPress.com at setup time and the current time, so it needs no network connection once it is enrolled.

Or you can choose to have your login codes delivered to a mobile phone via SMS.
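Google Authenticator implements the TOTP algorithm (RFC 6238): the app and the site share a secret at enrolment, and both derive the same six-digit code from that secret and the current 30-second time slot. The Python below is an added example, not WordPress.com's or Google's code. It uses the RFC 6238 test key as a constructed demo secret, and the server-side `TotpVerifier` (its one-step drift window and last-step tracking) is an illustrative design of my own, not a description of how Automattic's service behaves. The walk-through at the end shows the point made above: a code captured at login time works once and is useless when replayed, whether a second later or the next day.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the 20-byte RFC 6238 test key "12345678901234567890".
# A real enrolment secret is random and is handed to the app as a QR code.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def secret_to_base32(secret: bytes) -> str:
    """Authenticator apps receive the shared secret Base32-encoded (the value
    carried in the otpauth:// provisioning URI behind the enrolment QR code)."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' down to a fixed-width decimal string."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps
    since the Unix epoch. This is what the phone computes."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Illustrative server side (assumption, not Automattic's design): accept
    the current step plus one step either side for clock drift, and remember
    the highest step already accepted so a used code cannot be replayed even
    inside that drift window."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_step = -1  # highest counter value consumed so far

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for candidate in range(now_step - self.window, now_step + self.window + 1):
            if candidate <= self.last_step:
                continue  # already consumed (or older than one consumed): single-use
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


def replay_demo(secret: bytes = DEMO_SECRET) -> dict:
    """Scenario from the article: a crook who phishes the code at login time
    gets one use out of it; replaying it, now or tomorrow, fails, while a
    freshly generated code for tomorrow still works for the legitimate user."""
    t0 = 1111111109  # one of the RFC 6238 reference times
    server = TotpVerifier(secret)
    code = totp(secret, t0)
    return {
        "code": code,
        "first_use": server.verify(code, t0),
        "replay_same_second": server.verify(code, t0),
        "replay_next_day": server.verify(code, t0 + 86400),
        "fresh_code_next_day": server.verify(totp(secret, t0 + 86400), t0 + 86400),
    }


if __name__ == "__main__":
    print("Base32 secret for the app:", secret_to_base32(DEMO_SECRET))
    for k, v in replay_demo().items():
        print(f"{k}: {v}")
```

The comparison uses `hmac.compare_digest` rather than `==` so that the check takes the same time whether the guess is close or not; and note that the "single-use" guarantee lives entirely on the server side in `last_step`: TOTP alone only narrows the code's lifetime to the drift window.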

With Wikipedia estimating that WordPress powers more than 60 million websites worldwide, anything that might improve the safety and security of WordPress users is to be welcomed.

After all, if malcontents get hold of your WordPress login, they can use it to attack you, your reputation, your brand, and, by uploading malware or malicious links, to attack your users.

It doesn’t really matter if you have a high-traffic server or a boutique website, since both represent a free ride to the crooks.

And that brings us to the $64,000 question: if you’re a WordPress user, should you enable this feature, and does it get in the way?

Do we recommend it?

As you may know: Naked Security itself is hosted by WordPress.com VIP; I’m a keen supporter of 2FA; and I like the guys at Automattic, so who better to answer those questions than Yours Truly?

For what it’s worth, I decided to use the SMS-based version, thus ensuring that my login codes are delivered neither to my laptop nor my tablet, but to a vanilla mobile phone.

This turns what might otherwise be merely two step authentication (where I login on the same device to which the code was sent) into something I consider to be two factor authentication.

It was easy to set up.

I headed to the Security tab of my WordPress Settings page.

I chose the link offering Two Step Authentication via SMS.

Within about five seconds I received a one-time, digits-only, setup code.

(Judging by the list of countries in the configuration dialog, the SMS service is available everywhere.)

WordPress emailed me to confirm that someone had enabled this new feature.

And then I clicked through to the Printing out some backup codes option to get hold of ten codes that I can use in emergencies.

NB. Do not store the backup codes on your computer, phone or tablet. Copy them down onto a piece of paper and lock them up at home. If a crook stole them from your PC, he’d be able to bypass 2FA, and then to reconfigure it.

Obviously, I haven’t been using the service for very long – less than a day! – so I can’t promise you that the system is going to perform flawlessly for ever, but my immediate impression is that it is working very well.

I log in as usual, with my username and password, and then wait for a verification code, which I enter as the second authentication step.

So far, the SMSes have been appearing on my phone within a second of the verification dialog popping up, so the inconvenience has been negligible.

Should you enable the feature, and does it get in the way?

Yes. No. Recommended.