WordPress.com boosts security for bloggers with two-factor authentication

Filed Under: Cryptography, Featured

Automattic, the company behind the wildly-popular blog hosting platform WordPress.com, has announced the immediate availability of 2FA (two-factor authentication) for WordPress.com account holders.

Like Apple, which recently did something similar but chose to call it two step verification, WordPress has gone for its own name, referring to the feature as two step authentication.

Whether you call it 2FA, 2SV or 2SA doesn't really matter, because the underlying idea is the same: introduce single-use passwords that are unique to each login.

As a result, attackers can't get anywhere simply by stealing your regular username and password combination.

→ There are many ways that a long-term password can fall into the hands of the bad guys. If you use the same password on multiple websites, you risk losing it if any of those sites get hacked. If you are infected with malware, you risk having your password keylogged every time you enter it. If you share your password with someone else, for example when you are in a hurry to get a time-critical business blog posted, you run the risk that they might lose it for you.

One-time passwords aren't perfect - no security system is - but they raise the bar steeply for cybercrooks.

That's because the crooks can't just beg, steal or borrow your password today and use it at their leisure tomorrow.

They need to interpose themselves every time you login, in order to recover the one-time code.

And if the one-time code is generated by, or delivered to, a device that is separate from the computer or device on which you actually do your work, then the job is even harder for the crooks. (Not impossible, of course. But much harder.)

How it works

For WordPress, Automattic has introduced two options.

You can download and use the Google Authenticator software and use it to generate one-time login codes on iOS, Android or BlackBerry devices.

Or you can choose to have your login codes delivered to a mobile phone via SMS.

With Wikipedia estimating that WordPress powers more than 60 million websites worldwide, anything that might improve the safety and security of WordPress users is to be welcomed.

After all, if malcontents get hold of your WordPress login, they can use it to attack you, your reputation, your brand, and, by uploading malware or malicious links, to attack your users.

It doesn't really matter if you have a high-traffic server or a boutique website, since both represent a free ride to the crooks.

And that brings us to the $64,000 question: if you're a WordPress user, should you enable this feature, and does it get in the way?

Do we recommend it?

As you may know: Naked Security itself is hosted by WordPress.com VIP; I'm a keen supporter of 2FA; and I like the guys at Automattic...so who better to answer those questions than Yours Truly?

For what it's worth, I decided to use the SMS-based version, thus ensuring that my login codes are delivered neither to my laptop nor my tablet, but to a vanilla mobile phone.

This turns what might otherwise be merely two step authentication (where I login on the same device to which the code was sent) into something I consider to be two factor authentication.

It was easy to set up.

I headed to the Security tab of my WordPress Settings page:

I chose the link offering Two Step Authentication via SMS:

Within about five seconds I received a one-time, digits-only, setup code.

(Judging by the list of countries in the configuration dialog, the SMS service is available everywhere.)

WordPress emailed me to confirm that someone had enabled this new feature:

And then I clicked through to the Printing out some backup codes option to get hold of ten codes that I can use in emergencies:

NB. Do not store the backup codes on your computer, phone or tablet. Copy them down onto a piece of paper and lock them up at home. If a crook stole them from your PC, he'd be able to bypass 2FA, and then to reconfigure it.

Obviously, I haven't been using the service for very long - less than a day! - so I can't promise you that the system is going to perform flawlessly for ever, but my immediate impression is that it is working very well.

I login as usual, with my username and password, and then wait for a verification code, which I enter as the second authentication step:

So far, the SMSes have been appearing on my phone within a second of the verification dialog popping up, so the inconvenience has been negligible.

Should you enable the feature, and does it get in the way?

Yes. No. Recommended.

, , , , ,

You might like

9 Responses to WordPress.com boosts security for bloggers with two-factor authentication

  1. I have had sites hacked. This is a great idea. I'm going to start using it ASAP! Thanks for the update! I now use a number of security items, but this is awesome. I'll be teaching my clients as well.

  2. wally · 912 days ago

    Two factor is not the perfect solution. Call me a dinosaur, but I and probably others, are strictly desk/lap/top. No mobile devices.
    I do use very strong unique passwords and wouldn't mind additional security as long as it is still viable for users such as myself.

    • Paul Ducklin · 912 days ago

      I suppose that WordPress could offer standlone authentication tokens (like many banks do) for those people who don't have a mobile phone, but you could hardly expect WordPress to provision and ship them for free, especially if you're a user of one of the free versions of their software/services.

      So, given that you'd reasonably expect to be charged for a 2FA token, you could consider buying a cheap prepaid mobile phone instead, *just to use as a token*.

      Remember that your "unique" passwords are unique only to each account, not to each login. One-time passwords do add security, but to have a second authentication factor that isn't based on your desktop/laptop, well...you need a second device!

      (I find carrying around 60g of mobile phone satisfactory for 2FA of this sort. It's only a phone - no browser, camera, ebook reader, GPS, etc. - so it goes a week or more on one charge; it's unlocked and can therefore be used with any prepaid SIM on any network; and it cost me about $10...I consider that to be a cost-effective and convenient compromise.)

      • Dave · 911 days ago

        it's unlocked and can therefore be used with any prepaid SIM on any network;

        ^^ Just remember to reconfigure the number it sends your keys to when you do change :)

        Do you know if this is being implemented in the self hosted version of WordPress?

        • Paul Ducklin · 908 days ago

          The 2FA applies to logins via wordpress.com (this includes other sorts of login that use wordpress.com accounts, such as IntenseDebate and PolllDaddy).

          I'm told there are plugins that will let you use wordpress.com authentication from your own WP site, thus benefitting from this...but I don't have a self-hosted WordPress blog, so I can't vouch for this claim :-)

        • I had clients with self hosted versions and the deadly username/password combo admin/admin to their admin pages. And they refused to change it.

          So, I made this plugin which is kind of two-factor-auth but uses email instead of a text message/SMS. In this case of brute-force/guessing hacked sites, this plugin would have secured all sites.

          I don't know if its ok to post a link to my plugin here, but I don't make any money from it and has no "Donate" link.
          Please, remove the link if I'm crossing the line.

          I just figured this could help people secure their sites. :)

  3. Paul Wagenseil · 909 days ago

    Paul, this new feature applies only to blogs hosted on WordPress.com, right?

    I have a feeling many, if not most, of the 60 million WordPress-powered blogs cited by Automattic are "self-hosted" sites not linked to WordPress.com.

    Automattic seems to deliberately confuse WordPress, the free-to-use platform, with WordPress.com, the commercial hosting service, in its promotional material. Here's another example: http://en.wordpress.com/notable-users/

    • Paul Ducklin · 908 days ago

      Please have a look at my reply to @Dave above...

      As for the 60,000,000 figure (at least, as for its mention by me in the article :-), I got it from Wikipedia and used it simply as an indication of the popularity of the WordPress brand, and thus the number of users and bloggers out there who might benefit from the new 2FA.

      Apologies if I gave the impression that I got that datum from Automattic...


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog