WordPress two-factor authentication is an extra security layer for your WordPress website.
What does it mean 😅?
In this article you are going to see:
What is Two-Factor Authentication?
Normally we log in to our website with the help of a username or email and password.
If somebody guesses or steals our password, they can access our website.
Two-Factor Authentication fixes this issue.
How does Two-Factor Authentication add a security layer?
The two factors provide two separate security layers.
Let’s see with the Email Codes Two-Factor Authentication method.
After enabling the Email Codes security layer (I’ll explain in the section below how to add/enable two-factor authentication), you’ll get a code by email whenever you try to log in.
E.g. after enabling Email Codes:
- You go to your website
- Enter your username/email and password
- If both are correct, you’ll see another form that asks for the security code
- You’ll get the security code at the email address you set while enabling Email Codes two-factor authentication
- Copy the code from your email inbox into the form and press submit
- If it’s the right code you’ll be logged in; if not, you’ll get an error
How does Two-Factor Authentication work?
In the above example we see that we need to enter:
- The correct username/email and password
- The code sent to the email, in the second form
In short, even if your website credentials are correct, you still need to confirm your identity by entering the code you receive via email.
Email Codes are one of the Two-Factor Authentication methods.
Different plugins provide different Two-Factor Authentication methods.
What are the different Two-Factor Authentication methods?
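To make the email-code flow concrete, here is an added example (not code from the Two-Factor plugin or from this article) showing what the server side of such a second factor has to do: issue a random code, store only a salted hash of it with an expiry, and on the second form compare in constant time, limit attempts, and invalidate the code after one use. The in-memory store, the 8-digit code length, the 15-minute lifetime and the 5-attempt limit are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8            # assumption: length of the emailed code
CODE_TTL_SECONDS = 15 * 60 # assumption: how long a code stays valid
MAX_ATTEMPTS = 5           # assumption: wrong guesses allowed per code


def _hash_code(salt: bytes, code: str) -> bytes:
    """Salted SHA-256 of the code, so a leaked store does not reveal live codes."""
    return hashlib.sha256(salt + code.encode()).digest()


class EmailCodeStore:
    """In-memory stand-in for per-user metadata (the plugin would use user meta)."""

    def __init__(self):
        self._pending = {}  # user_id -> {salt, digest, expires, attempts}

    def issue_code(self, user_id: str, now: float = None) -> str:
        """Create a fresh code for the user and return it so the caller can email it."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt,
            "digest": _hash_code(salt, code),
            "expires": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify_code(self, user_id: str, submitted: str, now: float = None) -> bool:
        """Second login form: True only for the right, unexpired, unused code."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False                     # no code outstanding for this user
        if now > entry["expires"]:
            del self._pending[user_id]       # expired: force a new code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]       # too many guesses: force a new code
            return False
        ok = hmac.compare_digest(entry["digest"], _hash_code(entry["salt"], submitted))
        if ok:
            del self._pending[user_id]       # single use: a replayed code fails
        return ok


if __name__ == "__main__":
    store = EmailCodeStore()
    code = store.issue_code("alice")
    print("emailed code:", code)            # the plugin would send this by email
    print("verify:", store.verify_code("alice", code))
    print("replay:", store.verify_code("alice", code))
```

The first login form (username and password) is unchanged; only after it succeeds does the site call `issue_code`, send the result by email, and show the second form that feeds `verify_code`.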
It depends on the plugin you want to use.
As of now, the Two-Factor plugin provides:
- Email codes
- Time-Based One-Time Passwords (TOTP)
- FIDO Universal 2nd Factor (U2F)
- Backup Codes
- Dummy Method (only for testing purposes)
Each method has its own way to validate user authentication.
Email Codes
After enabling Email Codes, when we try to log in we get an email with the security code.
We need to fill that in to authenticate our identity.
Time-Based One-Time Passwords (TOTP)
Time-Based One-Time Passwords (TOTP) are similar to Email Codes, but we don’t get any code via email.
When setting up TOTP, you need to use a third-party app.
E.g. I’ll explain how it works with Google Authenticator.
Suppose we use Google Authenticator to set up TOTP.
We get a QR code, which we scan with Google Authenticator.
After scanning it, we see the entry in the mobile app.
Google Authenticator generates a new number each minute.
After setting up Google Authenticator, at login time we need to:
- Enter a valid username/email and password
- We’ll see the TOTP code screen
- Open Google Authenticator, read the code and enter it in the form
You’ll log in to your website.
Read more about enabling and using TOTP on a WordPress website.
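What the QR code actually carries, and how the site checks the number the app shows, as an added example (not the plugin's code or the article's): the QR code encodes an `otpauth://` URI with a shared secret, the app and the server both derive the code from that secret and the current time using RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits), and the server accepts a code from the neighbouring time steps while refusing a step it has already accepted. The secret `12345678901234567890` is the RFC 6238 test-vector key, and the issuer/account names are made up for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # RFC 6238 default code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, for_time // step)


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """The otpauth URI that the QR code shown at setup time encodes (base32 secret)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"


def verify_totp(secret: bytes, submitted: str, for_time: int,
                window: int = 1, last_used_counter: int = None):
    """Return the accepted time-step counter, or None if the code is rejected.

    window: how many steps of clock drift either side to tolerate.
    last_used_counter: the step last accepted for this user; any step at or
    before it is refused so an intercepted code cannot be replayed.
    """
    current = for_time // STEP_SECONDS
    for drift in range(-window, window + 1):
        counter = current + drift
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter   # caller persists this as the new last_used_counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key; real secrets are random
    print(provisioning_uri(secret, "Example WP Site", "alice@example.com"))
    now = int(time.time())
    code = totp(secret, now)            # what the authenticator app would display
    print("code now:", code, "accepted step:", verify_totp(secret, code, now))
```

The server never emails anything: both sides hold the same secret from the QR code, so the only things that must stay correct are the clock and the secret, which is why the setup step asks you to confirm a first code before TOTP is switched on.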
Do we have any other authentication for the REST API?
Yes. If you are working on the REST API, you have two ways to authenticate the user.