I’ve written about two-factor authentication before when I added Clef to the repo. Google Authenticator for WordPress allows you to use the Google Authenticator app to easily add two-factor authentication to your WordPress login screen, and lets each user set up their own account.
What’s It Do?
Google Authenticator for WordPress adds a new text field to the WordPress login screen for people to enter their Google Authenticator code. For those unfamiliar, Google Authenticator is an app that anyone can install on their smartphone of choice (Android/iPhone/Blackberry/etc.). All you have to do is scan a QR code, and the app and your WordPress install will sync up. From then on, the app generates a random code that expires every 20 seconds or so and must be entered alongside the username and password to log in. This is known as two-factor authentication, and it heightens security for your site: a password that has been guessed or stolen is no longer enough on its own to log in.
The Google Authenticator for WordPress plugin allows you to activate the plugin so that users can use two-factor authentication if they want (or simply ignore it if they don’t), or you can “force” users to use it, which will ensure that any user accessing the site must enable the Google Authenticator app to log in. Each user sets up their own account and can use the device of their choice. The plugin also lets you tweak a few global settings.
How’s It Work?
When you install and activate the plugin, you will have to set it up to get it working. Go to Settings -> Authenticator to get started. The first thing to do is click “Activate plugin.” This will enable two-factor authentication on your site. However, this will not yet be required. We’ll get to that in a bit. You can also change the name of your site in the provided text box. This is what will show up on the Google Authenticator app after it has been set up.
In order to actually connect your WordPress install, you must first download the “Google Authenticator” app on your smartphone or mobile device. From there, click the Edit icon in the top right corner of the app, and the plus sign to add a new site. You will see two options, “Scan Barcode” and “Manual Entry.” Now, hop back over to your WordPress admin, go to Users -> Your Profile and scroll down to the bottom of the page to the new “WP Google Authenticator” section. Click “Generate Key.” Your page will refresh, and you will see a secret code at the bottom of the page, next to a button that says “Scan QR Code.” Click this button, then go back to the app on your phone and hit the “Scan Barcode” button in the Google Authenticator app. Line up the camera on your phone with the QR code on your screen and voilà! You have enabled two-factor authentication.
If you log out of your account and attempt to log back in, you will need to enter the constantly changing 6-digit code from your Google Authenticator app into the provided field in order to log in. Other users on your site can repeat the steps above to add this extra layer of protection to their accounts, but it is not yet required.
If you do want to make sure users use two-factor authentication to log in, you can go to Settings -> Authenticator and check the box next to “Force Use.” If you select this option, users will not be able to log in unless they have set up their account with Google Authenticator. However, users will be able to log in a few times without Google Authenticator so that they can set it up before being kicked out. When a user logs in for the first time after you have enabled “Force Use,” a red alert box at the top of the page will inform them that they need to set up Google Authenticator, with a link to their profile to do so. By default, users can log in 3 times before they are kicked out, so they have a chance to set up their account. You can change this limit with the “Max Attempts” setting in the Settings menu. The last option in Settings, “Authorized Clock Desynchronization,” can be used to extend the amount of time the 6-digit code appears on an app before it expires.
If you want to allow a user to log in again after they have been kicked out, you can visit their profile page as an administrator, scroll down to the bottom and click the “Reset” button next to Login Attempts, so the user can log in again. You can also click the “Revoke Key” button after the account has been set up to reset a user entirely, which will force them to set up their account all over again.
Costs, Caveats, Etc.
For adding a bit of security, two-factor authentication can go a long way. And Google Authenticator is open and used by quite a few people, so it may be a good choice for your site, depending on the user base. The plugin is free, and if you are having any problems at all, visit the support forums to get help from the developer.