How to enable two-factor authentication
Two-factor authentication (2FA) is a method of logging in using additional authentication in addition to the username and password. This can be done, for example, via SMS or a Time-based One-Time Password (TOTP) application. We recommend the use of two-factor authentication as it will significantly improve the security of your website. Two-factor authentication protects your user account in situations where your password has been leaked to outsiders, or has been weak and easily guessed.
The TOTP app installed on your mobile device is more secure than many other two-factor login methods, such as SMS or email verification codes. One of the most popular TOTP apps is Google Authenticator, available for Android and iOS. Other examples of TOTP apps include Twilio Authy Authenticator and andOTP - OTP Authenticator.
How to set up Google Authenticator
Seravo recommends the Google Authenticator mobile app for two-factor authentication. It requires an existing Google Account to use it. If you already use Google Authenticator, you can go to the next step in the instructions to implement the Two-Factor plugin for your WordPress site.
1. On your computer, go to the security settings for your Google account: Security > How you sign in to Google > 2-Step Verification.
2. If you already have a 2-Step Verification method in place, such as Google Prompt and/or SMS verification, you can skip to step 7. Otherwise, Google has opened a page introducing 2-Step Verification. You can read through the page and then click forward on "Get started".
3. On the next page, select the mobile device you want to use. The smartphone you use most often is a good choice for this purpose. If you don't see the device you want to use listed, you'll need to add the Google Account you're using to that device. On Android, this is done via Settings, or on iOS by downloading the Google app from the App Store and signing in.
4. Next, you will be directed to add a backup option to your account. You have two options: SMS (default) or phone call. Check that your phone number is correct (or add it) and send an SMS confirmation.
5. It may take a while for the text message confirmation to arrive. However, if the message does not seem to arrive at all, check the phone number you entered and try resending the code using the "Resend" link. Enter the code received via SMS in the blank field and proceed.
6. Check your verification details and proceed by clicking on the "Turn on" button. At the same time you enabled the backup verification method, the Google Prompt verification method was also enabled and will now be the default way to verify your login.
7. Next, you can proceed to enable Authenticator from the "2-Step Verification" page where you were automatically redirected. Select "Authenticator app" and then "Set up authenticator".
8. Download Google Authenticator to your mobile device from its app store.
9. Open Google Authenticator. The first time you start the application, a few instructions screens will appear. Browse to the end and you will be taken to the main screen of the application.
10. Press the "Add a code" button or the + button in the bottom right corner of the app, then "Scan a QR code". Accept the use of the camera in the app. Then scan the QR code on your computer screen by pointing your mobile device's camera at it.
11. Your Google Account should now have appeared in the Authenticator app, with a six-digit authentication code underneath. A decreasing pie chart is displayed next to the code, indicating how long the code is still valid. By default, a new code is generated every 30 seconds. On your computer, press "Next" in the QR code screen, enter the code shown in the Authenticator and press "Verify".
12. Authenticator verification is now set up on your Google Account. You can now close the Google settings on your computer and proceed to add two-factor authentication to your WordPress site.
Setting up the Two-Factor plugin on your WordPress site
Seravo has the Two-Factor plugin pre-installed on all new installations. If your site does not have the plugin already installed, follow the instructions below. Otherwise, you can proceed to step 2, where the plugin will be enabled and connected to Google Authenticator.
1. Install the Two-Factor plugin from the WordPress admin panel or using the WP CLI command-line tool. The plugin can be found by searching for "two-factor" in the search field for plugins in the WordPress admin panel (Plugins > Add New).
The plugin can also be installed and activated using the WP CLI command
wp plugin install two-factor --activate.
2. Activate the Two-Factor plugin either in the installation window where you installed it or from the Plugins > Installed Plugins tab by clicking " Activate". Go to enable two-factor authentication from your WordPress profile page (Users > Profile). Enable Time-Based One-Time Password (TOTP) and set it as your primary authentication method.
3. Open Google Authenticator on your mobile device and add an account via the + button by selecting "Scan a QR code". Scan the QR code provided by the WordPress settings by pointing your mobile device's camera towards it.
4. The added account will appear in the list, from where you still need to enter the six-digit authentication code into the Authentication Code field on the WordPress settings page and press "Submit". Update the settings from the bottom of the page by clicking on "Update Profile". The setup is then complete. In the future, when you log in to your WordPress site, you will need to enter the code provided by Google Authenticator after your username and password.