Single-factor authentication is a risky business. It relies solely on something you know. If someone else obtains that information, they can authenticate to your system as you. Two-Factor Authentication (TFA) relies on something you know AND (usually) something you have. The something-you-have (normally a phone, or a dongle from the bank) provides a second authentication token that changes constantly. Without both factors in your possession, you cannot authenticate.
Let’s suppose you have already password protected your wp-admin pages. Even if someone managed to get past this extra layer of authentication and had obtained your WordPress login password (easy if your PC is infected with malware, or if you log in over plain HTTP and someone is able to sniff your network packets), they would still not be able to log in without also possessing the device that provides the other authentication factor: your phone.
If this is your first foray into multi-factor authentication then Duo Security may be a new name for you, but they are well respected within the InfoSec industry. Here’s a cute video showing you how it only takes 5 minutes…
The truth, however, is that it takes a little longer, but not that much longer. So, here is how to set up WordPress two-factor authentication with Duo Security.
Step 1 – Install the Duo Security Two Factor app on your phone.
Duo Security supports the most popular phone platforms already (I wonder when Ubuntu mobile will appear?!). Android users can get the app from the Play Store, and iPhone/iPad users can get it from the App Store. Installation is free and takes a few moments. Once it’s installed you can close the app, but we’ll come back to it later.
Step 2 – Sign up for a free Duo Security account.
Pop along to the Duo Security signup page https://signup.duosecurity.com/ and fill out your basic details.
You will then be asked about what it is you want to secure with two factor authentication. Here are the answers for setting up WordPress two factor authentication.
You will then be emailed a link to activate your new account.
Step 3 – Activating your account
You will be asked to fill in some basic information, including your phone number for verification purposes. Click Submit. Then click Text me or Call me to obtain a validation code via your phone.
Once you receive the code (mine took seconds) just enter it into the Login code box and click Submit.
Step 4 – The dashboard
Now you will be shown your Dashboard where you manage how your Duo Security account will be used. It looks quite complex, but we’re only going to use a couple of the features to get you started.
Before we go any further, we’ll activate Duo Push for future logins to your main Duo Security account. Without it you would have to rely on passcodes being sent to your phone by SMS each time you want to manage your account, which will end up costing money.
So, click on Administrators from the left hand Dashboard column, and click on your name. You will see under Secondary Authentication that Duo Push is Not Activated. Click the Activate link.
This will display a QR code on the screen. Open the Duo Security App on your phone and click the plus icon. Here’s what that looks like on an iPhone.
Then tap the option to Scan Barcode, and point the phone’s camera at the QR code until it adds your administrative account. Once that’s done, you should be able to see the ADMIN account in the accounts list – this shows how it looks on the iPhone.
Step 5 – Integrating your WordPress site
Meanwhile, back in your main Duo Security account, click on Integrations from the left hand column. Then, from the Integration type drop down, choose WordPress (it’s probably right at the bottom).
In the Integration name, just enter the name for your WordPress website – this is not critical, it’s just a label.
Click Create Integration.
You will then see a page showing the details for your new Integration. Change the Policy to Deny Access and click Save Changes.
This policy governs what happens to WordPress users who are not enrolled in Duo. With Deny Access, even if someone were to manage to create a new WordPress user, they would not be able to log in, because that user has no Duo account with which to complete the second factor. The flip side is that every legitimate WordPress user must be enrolled in Duo, which we do in Step 6. We’ll come back to this screen later as we will need the Integration key, Secret key, and API hostname when installing the WordPress plugin. If you copy them into an empty text document for now, treat the Secret key like a password: anyone who obtains it can forge Duo’s side of the login exchange, so delete the file once the plugin is configured.
Step 6 – Create a user account for your WordPress user
Click on Users from the left hand column, and click the green + New User button at the top right. Enter the username you use to log into WordPress in the Username box. This must exactly match your WordPress login username; otherwise the Deny Access policy from Step 5 will lock that user out. Click Add User.
You will then see the user details page. Add a Real name and Email address in the boxes provided. Make sure that the Status is Active. Click Save Changes.
Now, click the green + Add Phone button (about half way down the screen) and add your mobile phone number, in international format, e.g. +44 1234 123456. Click the Add Phone button once done.
Step 7 – Activate Device
Now click on Devices from the left hand column, and click on your phone number in the list of devices. Fill in the Device name (e.g. Steve’s iPhone), select the Type of device from the drop down, and choose the Platform, depending on what operating system your phone is based on. Here’s the settings for an iPhone.
Click Save Changes.
You will notice the little Duo Mobile section at the top now has a Activate Duo Mobile link. Click the link.
On the next screen, make sure you have your phone with you, and click the Generate Duo Mobile Activation Code.
On the next screen, as you have already installed the app, you can untick Installation instructions. Click the Send Instructions by SMS button.
Within a few moments you will receive an SMS containing a hyperlink. Tap the link and your phone should automatically add your new Duo user account to the Duo Security app. That’s it. You should now have two accounts in Duo Security app – one for your admin account, and the other for your actual WordPress login.
Don’t close the browser yet though – go back to the Integrations menu and click on your Integration from the list on the right as we will need the information from there in a short while.
Step 8 – Installing the WordPress Plugin
From the WordPress Dashboard, select the Plugins > Add New menu item. Search for “Duo” – it should be enough to find Duo Two-Factor Authentication. Install the plugin.
Once the plugin is installed, select the Settings > Duo Two-Factor menu item.
Copy the Integration key, Secret key and API hostname from the Duo Integration settings screen (that you opened at the end of Step 7 above) into the text boxes provided as shown and click Save Changes.
That’s it! The plugin is configured.
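What the plugin does with those three values, shown as an added example rather than the plugin’s own PHP code: the Python below reimplements the Duo Web sign_request / verify_response scheme that Duo’s Web SDK published for integrations of this kind. Once your WordPress password is accepted, the plugin signs your username twice: once with the Secret key (for Duo) and once with an application key that it generates locally and that never leaves your server. Duo’s login screen hands back a response signed with the Secret key when the push is approved, and you are only let in if both halves verify, name the same user, and have not expired. The key strings, the username and the simulated Duo response are constructed for this example and are not real credentials.

```python
"""Duo Web (v1) request signing and response verification.

Added example, not the Duo WordPress plugin's code. It mirrors the
sign_request / verify_response scheme from Duo's Web SDK so the roles of the
Integration key (ikey), Secret key (skey) and the plugin's application key
(akey) are visible. All key values and the username are constructed samples.
"""
import base64
import hashlib
import hmac
import time

DUO_PREFIX = "TX"     # request half signed with skey; Duo checks it
APP_PREFIX = "APP"    # request half signed with akey; Duo cannot forge it
AUTH_PREFIX = "AUTH"  # response half Duo signs with skey after the 2nd factor
DUO_EXPIRE = 300      # seconds the Duo/AUTH halves stay valid
APP_EXPIRE = 3600     # seconds the application half stays valid


def _sign_vals(key, vals, prefix, expire, now):
    """Return 'PREFIX|base64(user|ikey|exp)|hmac-sha1-hex' under the given key."""
    exp = str(int(now) + expire)
    cookie = prefix + "|" + base64.b64encode("|".join(vals + [exp]).encode()).decode()
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return cookie + "|" + sig


def _parse_vals(key, val, prefix, ikey, now):
    """Verify one signed half; return the username, or None on any failure."""
    parts = val.split("|")
    if len(parts) != 3:
        return None
    u_prefix, u_b64, u_sig = parts
    expected = hmac.new(key.encode(), (u_prefix + "|" + u_b64).encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected.encode(), u_sig.encode()):  # constant-time compare
        return None
    if u_prefix != prefix:
        return None
    try:
        user, u_ikey, exp = base64.b64decode(u_b64).decode().split("|")
        expired = int(now) >= int(exp)
    except ValueError:
        return None
    if u_ikey != ikey or expired:
        return None
    return user


def sign_request(ikey, skey, akey, username, now=None):
    """Build the sig_request the plugin passes to Duo's login frame after the password check."""
    now = time.time() if now is None else now
    if not username or "|" in username:
        raise ValueError("bad username")
    if len(ikey) != 20 or len(skey) != 40 or len(akey) < 40:
        raise ValueError("bad key length")
    vals = [username, ikey]
    return (_sign_vals(skey, vals, DUO_PREFIX, DUO_EXPIRE, now) + ":"
            + _sign_vals(akey, vals, APP_PREFIX, APP_EXPIRE, now))


def duo_service_response(ikey, skey, username, app_half, now=None):
    """Simulated Duo side: after the push is approved it returns an AUTH half
    signed with the shared skey, plus the APP half echoed back untouched."""
    now = time.time() if now is None else now
    return _sign_vals(skey, [username, ikey], AUTH_PREFIX, DUO_EXPIRE, now) + ":" + app_half


def verify_response(ikey, skey, akey, sig_response, now=None):
    """Return the authenticated username, or None if either signature fails,
    the two halves disagree on the user, or a half has expired."""
    now = time.time() if now is None else now
    try:
        auth_half, app_half = sig_response.split(":")
    except ValueError:
        return None
    auth_user = _parse_vals(skey, auth_half, AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, app_half, APP_PREFIX, ikey, now)
    if auth_user is None or auth_user != app_user:
        return None
    return auth_user


# Constructed sample keys (not real Duo credentials); lengths match Duo's format.
IKEY = "DI" + "X" * 18
SKEY = "deadbeef" * 5
AKEY = "wordpress-generated-application-key-0123456789"
USER = "admin"


def demo():
    """Round trip plus two failure cases; returns (user, forged, expired)."""
    t0 = 1_700_000_000
    req = sign_request(IKEY, SKEY, AKEY, USER, now=t0)
    app_half = req.split(":")[1]
    resp = duo_service_response(IKEY, SKEY, USER, app_half, now=t0 + 10)
    ok = verify_response(IKEY, SKEY, AKEY, resp, now=t0 + 20)
    # Without the Secret key nobody can mint a valid AUTH half (ikey/host alone are not enough).
    forged = verify_response(IKEY, SKEY, AKEY,
                             duo_service_response(IKEY, "x" * 40, USER, app_half, now=t0 + 10),
                             now=t0 + 20)
    # The AUTH half is only good for DUO_EXPIRE seconds, so a captured response cannot be replayed later.
    expired = verify_response(IKEY, SKEY, AKEY, resp, now=t0 + 10 + DUO_EXPIRE)
    return ok, forged, expired


if __name__ == "__main__":
    print(demo())
```

The two-key design is the point to take away: the Secret key is shared with Duo, so whoever holds it can forge the AUTH half (which is why the note in Step 5 tells you to guard it), while the application key never leaves your server, so even a compromise on Duo’s side cannot produce a response your plugin will accept for a user who did not pass the WordPress password check.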
Step 9 – Putting it all together
OK, we want to test that all is well using an unauthenticated web browser session. You could log out of WordPress, but it is safer to keep this logged-in session open (if the second factor fails for any reason, you can still deactivate the plugin from here rather than being locked out) and open a different web browser, or a private window in the same web browser (New Incognito Window in Chrome, or New Private Window in Firefox, for example). Go to your normal WordPress login screen. Looks normal enough?
Log in as normal, and then you will get the second factor Duo Security login screen.
Step 10 – Logging in
To log in you can do one of four things. Two options are free, and two cost money each time you use them, so you would have to buy credit from Duo.
- Duo Push (FREE) – this sends a push notification to your phone, which opens the app and you just have to press a big red or green button to deny or allow the login – easy!
- Phone Call (Subscription Only) – the system calls your phone and gives you a passcode to type in.
- Passcode (FREE) – in your phone app, just tap the little key icon to reveal a passcode that you can type into the Passcode box. The passcode is generated on the phone itself, so this works even if your phone has no internet connection. Remember to use the right account – your ADMIN account is only for logging into the Duo Security website to manage your account.
- Send SMS Passcode (Subscription Only) – If your phone doesn’t have a Duo App, then you can get a passcode sent to you by SMS, which you then type into the Passcode box.
If you have an iOS or Android phone then Push is the way to go. And here’s how it goes…
Having selected Duo Push from the options, click the Log In button. After a few moments your phone should spring into life, informing you that Duo Security wants your attention. Here’s how it looks on the iPhone.
On Android the alert will appear in the notifications pane (swipe down from the top of the screen).
Tap on the alert (Android) or tap Launch (iPhone) and you will then be able to approve or deny the login. Again, on the iPhone it looks like this.
Simply tap the Approve button, and after a few moments WordPress will let you in as normal.
Congratulations, you have now successfully protected your WordPress login using two-factor authentication.