I recently followed a rabbit hole that led me to a few two-factor authentication plugins for WordPress. For those that are unsure, as I most certainly was, two-factor authentication is a login process which asks users for two forms of identification before a login is successful, adding security to the admin section of your site.
This typically means pairing your mobile device to your desktop in order for a login to work. In some examples, this may mean an elimination of passwords altogehter. In others, it simply means that your site will be far better protected from attack.
So, without any more ado, here’s a roundup of three two-factor authentication WordPress plugins, Clef, LaunchKey, and Rublon. Each comes at multi-factor authentication from a different angle, so it’s up to you to decide which suits you best.
I just want to make a quick note here. This kind of security can be seriously advantageous for your average developer, but may be a bit much for your average user. Tech savvy and multiple gadgets are required. Not for the faint of heart.
First up, Clef. Clef’s advantage is that it’s easy to set up and start using. The first thing to do is download the Clef mobile app for your smartphone and set up an account with your email. You’ll be asked to verify that account, after which you can set a four number pin. The next thing you’ll see on your phone is a bouncing wave. Install and activate the plugin in WordPress, visit the Settings page, and match the wave on your phone to the wave on the Settings screen. Once the two line-up the app will automatically register your WordPress site, and you’ll be able to login using your phone.
Clef keeps things simple. Once you are logged in, a timer on your phone begins; you’ll be logged in for the next hour. So you can log in and out of your WordPress account from a paired device as many times as you would like in that time period, without having to enter a password. You can also remove the admin and username fields entirely from the login screen on the Clef settings page, though the plugin provides a fallback URL if you need access to this login form on occasion.
I like this plugin best for developers that create or are managing multiple sites. You can easily install the plugin on any number of sites, log into all of them simultaneously, and seamlessly move between them. The authentication mostly happens on your phone, so you’ll have to enter your pin to activate the app. But once things are set up for the first site, it’s easy to duplicate it across multiple installs.
If Clef is simple, Launchkey is robust. Launchkey’s game plan extends far beyond just WordPress sites, they want to be the turn key solution for password-less login across the board. They have implementation on Stack Exchange, HootSuite, Sourceforge, and integrate quite nicely with OpenID.
Launchkey’s emphasis is on the developer. Their software is completely open source, with a RESTful API, oAuth support, and ports in basically any programming language you can imagine, including SDK’s for iOS and Android developers. Ubiquity and a large feature set is in their crosshairs.
Setting up Launchkey with WordPress is similar to Clef. You install an app, set up an account and pair your smartphone with a computer. The difference is, though, that you have to access the Launchpad admin on your computer and set-up an app with your WordPress URL, which will generate an App ID and Secret Key. Then you install the plugin on your site, enter in this info and login one more time with your username and password to get set. After that, you can chose to login with Launchkey from the login screen, authorize that request on your phone, and you’ll be automatically logged in.
However, you will have to authenticate every time you log in to your site, not just on the first time, and there is no way to hide the login form. You’ll also have to set up a new app every time you have a new WordPress install. But once you have everything set-up, it’s easy for a developer to interact with the authentication experience and build it out however they want.
Launchkey works best for sites with lots of users, that want to offer Launchkey login support. The “Login with your phone” button sits unobstrusively at the bottom of your login screen should any user chose to use it, and it might be something that is much more common for users in the future. And again, with an ever-growing API and detailed Developer Docs, there are lots of ways to build out Launchkey to suit your needs if you have the know-how. (Disclaimer: I do not).
Rublon approaches multi-factor authentication a bit different from both Clef and Launchkey. Rather then remove passwords altogether, Rublon adds a layer of protection to your site, so it can’t be accessed from outside attack.
Once again, you first must install the Rublon app on your smartphone and set up an account with your email. Then you can pair your computer with the app using a QR code, which will add this computer to your “trusted devices” list. From this computer, install and activate the plugin on your WordPress install. You’ll have to line up your phone with your computer to scan the QR code once more, and your WordPress site will be protected by Rublon.
What this means, is that only users visiting your WordPress site from a trusted device will be able to login at all. If you try and login to your admin account from any other device, you will be blocked from entrance, unless you add that device to your “Trusted devices” list. But once a device is set-up, you’ll never have to worry about it again. There are no settings, the security layer is activated automatically.
Rublon works best for WordPress administrators who want to add more security to their site. It can easily be added across mutliple sites, and ensures that you are safe from any security vulnerabilities which sometimes pervade WordPress. But, if you find yourself logging in from many different devices that cannot be set up as trusted devices, Rublon may not be for you. However, there is no limit to trusted devices you can have.
• Clef is great for easy to set-up two-factor authentication across several different installs.
• Launchkey works best for the developer-minded and those who want to offer multiple login capabilities for their user.
• Rublon adds an extra layer of protection to your site so that only users logging in from trusted devices have access to the WordPress admin.
I have no doubt that multi-factor authentication is the wave of the future, and it’s already been implemented by some of the biggest online products around (think Google big). If you find that you are often accompained by your smartphone, and you want an easy way to keep your WordPress admin secure check out these plugins, and see which suits your needs the best. I have no doubt that the nerdiest among us will find the progress more then rewarding.
What’s been your experience with two-factor authentication in WordPress? Let me know in the comments.
Jay Hoffmann is a WordPress developer hailing from NYC. In the strictest sense of the word, he is a WordPress enthusiast with an eye for front-end development and design. He has been working with WordPress since 2006 and currently works for a popular children’s media company. This year, Jay started Tidy Repo, a curated list of the best and most reliable plugins from around the web.