Also known as Two-Factor Authentication.
Two-step authentication is showing up all over the Internet as more sites look for better ways to secure logins, which are the weakest part of anything a user does online.
What is Two-Step Authentication
Passwords are the de facto standard for logging in on the web, but they're relatively easy to break. Even if you make good passwords and change them regularly, they need to be stored wherever you're logging in, and a server breach can leak them. There are three ways to identify a person: things they are, things they have, and things they know.
Logging in with a password is single-step authentication. It relies only on something you know. Two-step authentication, by definition, is a system where you use two of the three possible factors to prove your identity, instead of just one. In practice, however, current two-step implementations still rely on a password you know, but use your phone or another device to authenticate with something you have.
Three Possible Factors
There are three possible ways to identify users.
Something You Are
There are a lot of properties that are unique to each user and can be used to identify them. The most popular is fingerprints, but retinas, voice, DNA, or anything else specific to an individual will work. This is called biometric information because these pieces of information all belong to a person's biology.
Biometric factors are interesting because they are not easily forged and the user can never lose or forget them. However, biometric authentication is tricky because a lost fingerprint can never be replaced. If hackers were to gain access to a database of fingerprints, there is no way that users could reset them or get a new set.
In 2013, Apple released Touch ID, which lets users unlock their iPhones using their fingerprints. This technology is interesting because the fingerprints are stored locally on the phone, not in the cloud where they would be easier for hackers to steal. There are still trade-offs with this kind of approach, but it is the most widespread consumer use of biometric authentication to date.
Something You Have
Also known as the possession factor: users can be identified by the devices they carry. Traditionally, a company that wanted to enable two-step authentication would distribute secure keychain fobs to users. The fob would display a new number every 30 seconds, and that number had to be typed in along with the password every time a user logged in.
Modern two-step authentication more frequently relies on a user's smartphone than on a new piece of hardware. One common model uses SMS to provide an easy second factor. When the user enters their password, they are sent a text message with a unique code. By entering that code after the password, they supposedly prove that they also have their phone. Unfortunately, SMS is not a secure communication channel, so smartphone apps and plugins have been developed to create that secure channel.
Something You Know
The most familiar form of authentication is the knowledge factor, or password. As old as "Open Sesame", passwords have long been a standard for anonymous authentication. In order for a knowledge factor to work, both parties need to know the password, but other parties must not be able to find or guess it.
The first challenge is in exchanging the password with the trusted party safely. On the web, when you register for a new site, your password needs to be sent to that site's servers and might be intercepted in the process (which is why you should always check for SSL, i.e. HTTPS, when registering or logging in).
Once the password has been received, it must be kept secret. The user shouldn’t write it down or use it anywhere else, and the site needs to carefully guard its database to ensure that hackers can’t access the passwords.
Finally, the password needs to be verified. When a user visits the site, they need to be able to provide the password and have it verified against the stored copy. This exchange can also be intercepted (and so should always be done over SSL, i.e. HTTPS) and exposes the user to another risk.
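The three steps above (exchange, keep secret, verify) are what a site's password handling has to get right on its own side. "Guarding the database" in practice means never storing the password itself: the site stores a salted, slow hash, and "verifying against the stored copy" means recomputing that hash from the submitted password and comparing in constant time. The Python below is an added example, not code from this page or from WordPress (which has its own password hashing functions); the names hash_password, verify_password, needs_rehash and UserStore are the example's own, and the 600,000 iteration count is the figure OWASP's Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256 at the time of writing.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current recommendation; raise it
# over time). It is stored inside each record, so older records still verify.
DEFAULT_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$hash_hex'.

    A fresh 16-byte random salt per user means two users with the same password
    get different records and a precomputed table is useless against a dump.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations_s, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: refuse rather than crash or accept
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record is weaker than current policy, so the site can
    upgrade it the next time the user logs in and the plaintext is available."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
    except ValueError:
        return True


class UserStore:
    """Minimal in-memory user table showing registration and login (example only)."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self.iterations = iterations
        self._records: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password, self.iterations)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Hash anyway so response time does not reveal which usernames exist.
            hash_password(password, self.iterations)
            return False
        ok = verify_password(password, record)
        if ok and needs_rehash(record, self.iterations):
            self._records[username] = hash_password(password, self.iterations)
        return ok


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")  # constructed sample user
    print("right password:", store.login("alice", "correct horse battery staple"))  # True
    print("wrong password:", store.login("alice", "Correct horse battery staple"))  # False
    print("unknown user:", store.login("bob", "anything"))                           # False
```

A breached table of these records still has to be brute-forced one slow hash at a time, per user, which is the point of the salt and the iteration count; it does nothing for the interception risk in the previous paragraphs, which is what HTTPS is for, nor for a password reused on another site, which is one reason a second factor is worth adding.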
Benefits
There are a lot of different places to increase the security of a site, but the WordPress Security Team has said that "The weakest link in the security of anything you do online is your password," so it makes sense to put energy into strengthening that aspect of your site.
Drawbacks
As the name implies, two-step authentication adds a step to a process that can already be long and painful. While most very high-security logins are protected by two-step authentication today, most consumer applications barely offer it as an option, if they offer it at all. This is because users are less likely to sign up for and log in to a service if it is more difficult.
Two-step authentication can also prevent legitimate logins. If a user forgets their phone at home and has two-step authentication enabled, then they won't be able to access their account. This is one of the main reasons why smartphones have been useful for two-step authentication: users are more likely to be carrying their phones than almost anything else.
Plugins for Two-Step Authentication
You can search for two-step authentication plugins available in the WordPress.org plugin repository. Here are some of the most popular ones to get you started (in alphabetical order):