I personally feel 2FA is essential for a bit of extra security, and I have it turned on wherever I can (not just on WordPress). I use Google Authenticator on Android to generate all the 2FA codes.

I’ve used three 2FA WordPress plugins so far. Here’s a review of all three of them and a conclusion at the end.

  1. Google Authenticator for WordPress by Julien Liabeuf
  2. Google Authenticator – Two Factor Authentication by Miniorange
  3. 2FAS – Two Factor Authentication by 2FAS

What is 2FA?

2FA = two-factor authentication

It’s a second, short-lived code that must be entered after the fixed password before the site logs the user in. With the authenticator-app plugins reviewed here, that code is a time-based one-time password (TOTP): at setup the site and the app share a secret (that is what the QR code carries), and from then on the app derives a fresh six-digit code from that secret and the current 30-second time window. The code must be generated on a device separate from the one logging in, so a stolen WordPress password alone is not enough; an attacker would also need the phone (or a recovery code).
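To make the above concrete, here is an added example (not code from any of the plugins reviewed on this page) of how an authenticator app derives its code and how a site should check it. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Google Authenticator defaults (SHA-1, 6 digits, 30 seconds); the `RFC_SECRET` constant is the published RFC test key and is included only so the functions can be exercised offline, and the `last_counter` bookkeeping is an assumed per-user value the caller would persist.

```python
"""How the authenticator-app codes on this page are produced and checked.

TOTP (RFC 6238) as used by Google Authenticator: the site and the app share a
secret at setup (the QR code); each side then derives a 6-digit code from that
secret and the current 30-second time step.  Added example, not code from any
of the WordPress plugins reviewed here.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

PERIOD = 30   # seconds per time step (Google Authenticator default)
DIGITS = 6    # code length the app displays

# Constructed test secret: the 20-byte ASCII key from the RFC 6238 test vectors.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def new_secret(nbytes=20):
    """Fresh shared secret, base32 as the QR code / manual-entry field expects."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32, account, issuer):
    """The otpauth:// URI that the setup QR code encodes for the app to scan."""
    return ("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=%d&period=%d"
            % (quote(issuer), quote(account), secret_b32, quote(issuer), DIGITS, PERIOD))


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, period=PERIOD, digits=DIGITS):
    """What the app shows: HOTP with counter = floor(unix_time / period)."""
    at = int(time.time()) if at is None else at
    return hotp(secret_b32, at // period, digits)


def verify_totp(secret_b32, code, last_counter=-1, at=None, window=1,
                period=PERIOD, digits=DIGITS):
    """Server-side check.  Returns (accepted, new_last_counter).

    Accepts the current step plus `window` steps either side (clock drift),
    refuses any step at or below `last_counter` (a sniffed code cannot be
    replayed), and compares in constant time.  `last_counter` is an assumed
    per-user value the caller persists between logins.
    """
    at = int(time.time()) if at is None else at
    current = at // period
    candidate = str(code).strip().replace(" ", "")
    if not (candidate.isascii() and candidate.isdigit()):
        return False, last_counter
    candidate = candidate.zfill(digits)
    for step in range(current - window, current + window + 1):
        if step <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, step, digits), candidate):
            return True, step
    return False, last_counter


if __name__ == "__main__":
    secret = new_secret()
    print("QR code contents:", provisioning_uri(secret, "admin", "Example Site"))
    code = totp(secret)
    print("code the app would show right now:", code)
    ok, last = verify_totp(secret, code)
    replay_ok, _ = verify_totp(secret, code, last_counter=last)
    print("server accepts:", ok, "| same code again accepted:", replay_ok)
```

The replay check is the part most home-grown implementations skip: without remembering the last accepted step, a code that was shoulder-surfed or captured in transit stays valid for the whole window, which is up to 90 seconds with `window=1`.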

Google Authenticator for WordPress by Julien Liabeuf

I’ve been using this for about 9 months on one of my websites. In fact, at that time there were very few options for WP 2FA plugins, while today there are a lot of choices.

When logging in on the WordPress site backend, it throws up the following window where one can enter the WP username and password and the 2FA code generated by the auth app (I use Google Authenticator on my Android phone).

It’s been working by and large just fine even with the latest version of WP (4.7 as of this writing), even though the plugin page gives the warning: “This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.”

The backend interface is straightforward. The control settings are under “Settings > Authenticator”, but the main settings are under… confound it, where the hell are they? Haha, just goes to show you I don’t know shit. I dug around for a few minutes but couldn’t figure out where I’d done the setting. Finally I went back to the tutorial for using the plugin. The “main” settings are under “Users > Your profile”. DUH! There is no need to register at some third-party site and jump through many different convoluted settings to get this working.

Well, it’s easy peasy then: generate the key, scan with the auth app, and don’t forget to store the Recovery Code for a rainy day when the phone stops working.

What happens if you don’t have access to the 2FA app?

Well this happened to me. A couple of weeks ago, my phone went for a toss and obviously I could not generate any 2FAs anymore. How to recover from this scenario to log into the 20 different services where I have 2FA registered is a story for another day.

Regarding the WP plugin “Google Authenticator for WordPress by Julien Liabeuf”, it’s simplicity itself. I used the recovery code that I’d generated when I’d first set it up. This disabled the 2FA, which is also the correct measure.

A week after that, I got a new phone and just regenerated a new key.
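The recovery flow described above (a code stored at setup, used once when the phone is gone, and 2FA switched off as a result) is worth spelling out, because it is the part that most often goes wrong in home-grown implementations. The following is an added example, not code from the Liabeuf plugin or any other plugin on this page; the `TwoFactorRecord` shape is an assumption standing in for whatever the site persists per user.

```python
"""Single-use recovery codes for when the phone is gone.

Mirrors the flow above: the codes are handed out once at setup, the site
keeps only salted hashes, each code works exactly once, and redeeming one
disables TOTP so the user has to enrol a new device.  Added example; the
record shape is an assumption, not any plugin's database schema.
"""
import hashlib
import hmac
import secrets

# No 0/o, 1/l/i: the user will be typing these from a piece of paper.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 10


class TwoFactorRecord:
    """Per-user 2FA state as a site might persist it (assumed shape)."""

    def __init__(self, totp_secret, salt=None):
        self.totp_secret = totp_secret          # None once 2FA is switched off
        self.salt = salt or secrets.token_bytes(16)
        self.recovery_hashes = []               # digests only, never the plaintext codes


def _normalise(code):
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code, salt):
    # ~49 bits of entropy per code, so a fast salted hash is adequate here;
    # the login endpoint still needs rate limiting like any OTP prompt.
    return hashlib.sha256(salt + _normalise(code).encode("ascii")).digest()


def issue_recovery_codes(record, n=8, rng=secrets):
    """Mint n fresh codes, store only their hashes, return the plaintext once."""
    codes = []
    for _ in range(n):
        raw = "".join(rng.choice(ALPHABET) for _ in range(CODE_LEN))
        codes.append(raw[:5] + "-" + raw[5:])           # grouped for readability
    record.recovery_hashes = [_hash_code(c, record.salt) for c in codes]
    return codes


def redeem_recovery_code(record, candidate):
    """True if `candidate` matches an unused code; consumes it and disables TOTP."""
    try:
        digest = _hash_code(candidate, record.salt)
    except UnicodeEncodeError:
        return False
    matched = None
    for i, stored in enumerate(record.recovery_hashes):
        # Compare every slot so timing does not reveal which one (if any) matched.
        if hmac.compare_digest(digest, stored) and matched is None:
            matched = i
    if matched is None:
        return False
    del record.recovery_hashes[matched]     # single use
    record.totp_secret = None               # force re-enrolment on a new phone
    return True


if __name__ == "__main__":
    rec = TwoFactorRecord(totp_secret="GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    printable = issue_recovery_codes(rec)
    print("store these somewhere safe:", *printable, sep="\n  ")
    print("redeem:", redeem_recovery_code(rec, printable[0].upper()))
    print("again :", redeem_recovery_code(rec, printable[0]))
    print("2FA now disabled:", rec.totp_secret is None)
```

Storing only hashes matters because a database dump that exposes plaintext recovery codes is as good as the phone itself; and consuming the code on use is what stops a copied backup sheet from being an indefinite bypass.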

Google Authenticator – Two Factor Authentication by Miniorange

I’ve been using this for about 3 months on this website. When logging in on the WordPress site backend, first the regular WP login occurs, then a second prompt to enter the 2FA code appears.

It has been working by and large just fine even with the latest version of WP (4.7 as of this writing), though I’ve faced some niggling issues so far:

  1. From what I remember, when I’d first installed it, the backend interface was quite confusing. There were so many tabs, screens, options, subscription models and incorrect/outdated info that it was a bit difficult to navigate without being a geek. Further, you need to create an account on the miniOrange site and do some mucking around there as well. All in all, a process with a lot of friction. Still, I managed it fine the first time when I set it up.
  2. Then a couple of weeks ago, my phone died and I had to turn off the 2FA on this site so that I could access it. I admit I spectacularly failed at finding a method to do this on their website after logging in. Turns out once again that I was being dumb and mucking around in the wrong place as usual. Instead, all I had to do was click on the option “Forgot phone” on the screen where the 2FA code is asked for. Once I did that, an email immediately arrived with a code I could use to log in. Perfect.
  3. From yesterday, I was facing a new problem. After the WP login, the 2FA login screen didn’t appear immediately. It took many tries before the 2FA login screen would show up. In the meantime, the WP login screen would keep showing up indicating an error.
  4. Next I disabled the plugin and re-enabled it, and went through the full setup from scratch. I must say that the current setup is streamlined and intuitive. Set up the account on miniOrange > set up 2FA using one of the methods (my choice is Google Auth) > set up the required login settings, and one is done.
  5. After this re-enablement, I am not facing the problem I’d pointed out in #3 above.

All settings can be accessed under “miniOrange 2-Factor” top level item on the WP backend.

Update 1st week April, 2017

The same problem faced earlier (of the 2FA login screen not showing up) occurred again. And each time the WP login screen kept saying “error”. I don’t have the time or inclination to debug this, so I’ve just uninstalled the plugin, and login is back to working.

What happens if you don’t have access to the 2FA app?

Well this happened to me. A couple of weeks ago, my phone went for a toss and obviously I could not generate any 2FAs anymore. How to recover from this scenario to log into the 20 different services where I have 2FA registered is a story for another day.

Regarding the WP plugin “Google Authenticator – Two Factor Authentication by Miniorange”, it’s really quite easy. I clicked on the option “Forgot phone” on the screen where the 2FA code is asked for. Once I did that, an email immediately arrived with a code I could use to log in. Perfect.

A week after that, I got a new phone and just regenerated a new key.

2FAS – Two Factor Authentication by 2FAS

I’ve installed this on two websites so far. The first one was very easy and painless and I had it set up in 30 seconds. After installation/activation, there was a quick and dirty “signup” process where one had to provide an email ID.

But for the second installation, on a client website I’ve set up, it’s not as straightforward, it seems. I provided the same email ID at the same step, but it threw up an error:

So I clicked on “log into existing account” and then I get:

Problem is when the first setup was done, no link to their website to make an account was provided. Now I’ll have to go via reset password or create an account, etc etc. Too much trouble for a lazy bugger like me.

So I signed up with another email ID and proceeded. In one way this makes sense, since this is a client site and I’ve now signed up with my admin email ID on that domain.

After that it’s quite easy: the UI prompts for the configuration, and directly shows the QR code to be scanned. The rest of the process is the same as any other 2FA setup.

After the usual WP login, the next screen prompts for the 2FA:

Update 1st Jan, 2017

Well, I didn’t realize when I set it up, but this plugin broke the frontend custom login (done via Ultimate Member). I realized it when I got a mail from the hosting server indicating that the custom cron job I’d set up had failed, as follows:

Fatal error: Call to a member function get_error_codes() on null in /home/user/public_html/site/wp-content/plugins/2fas/TwoFAS/Authentication/TwoFAS_Login_Errors.php on line 16

Then I checked the front end login, and the login page was not even loading.

I don’t have the time or inclination to debug this, so I’ve just uninstalled the plugin, and login is back to working.

What happens if you don’t have access to the 2FA app?

Regarding the WP plugin “2FAS – Two Factor Authentication by 2FAS”, I don’t know. In the 2FA prompt screen there is no way to indicate that one does not have access to the 2FA app.

No recovery code was created during the 2FA setup, so that can’t be used.

Perhaps one has to create an account on their website, and then muck around for recovery.

In terms of utility to me, here’s my most arbitrary rating. Your mileage may vary.

  • Google Authenticator for WordPress by Julien Liabeuf 90%
  • Google Authenticator – Two Factor Authentication by Miniorange 70%
  • 2FAS – Two Factor Authentication by 2FAS 40%

End note

I’m a privacy nut and I quite dislike using intermediate third-party solutions for critical things like website login etc. This is one of the reasons I went with a paid solution like Ultimate Member – Social Login for social login to websites I set up, rather than have a third party in the middle with whom data is being shared, like OA Social Login by OneAll, or in fact miniOrange’s Social Login offering.

For 2FA, I’m going to be sticking with Google Authenticator for WordPress by Julien Liabeuf for my needs.