Two Way Authentication for WordPress

Security is no doubt is important. We have all heard about WordPress/Blogs getting hacked whereby the hacker would compromise someone’s blog. It can be nasty thing , especially if the hacker decides to post explicit pictures or steal valuable information that you may store within your blog  , or worst he/she could silently include some sponsored links without you knowing to generate hits to their site. Of course you have heard of the usual security tips such as secure your web-site , use a strong password and things like that.
 

Two factor authentication – something you know and something you have (picture taken from http://norlandonline.com)

Background
In this post I would like to explain on two-factor authentication and how it can help to secure your WordPress. Before that , you need to understand to know a thing or two on information security. I am not going to you to bore you with a lecture , but rather give you a simple explanation. ATM (Automated Teller Machine) s a good example , for instance if you want to withdraw money from an ATM, firstly you need an ATM card (duh !) . That alone does not grant you the permission to withdraw , instead you are asked a pin. So if you are a bad guy trying to steal money from ATM , not only you need an ATM card , but you also would need a pin. This is how two-factor authentication works. Its just another layer , first you prove who you are to the server and the server again asks you to enter a generated code or a special pin to validate if it is really you.
 
Two-factor authentication is not something new , in fact a lot of banks in Europe use it. A prime example in Malaysia would be HSBC . HSBC online banking requires you to carry a small authenticator . When you enter your password you are presented with a “challenge” question (a random number)  , you’ll have to key in the “challenge” to your device and it would generate back a response. This is how server verifies it is really you. It makes outsiders to hack password using existing password cracking tools impossible.
Apart from gaming , two-factor authentication is commonly used in MMORPGS an example would be Battle.net authenticator which is used in World of Warcraft
 
Installing for WordPress
Thankfully Google made their authenticator system public which simply means that it can be used for any application out there. People have used it and adapted it for various different application. One of the examples would be Guild Wars 2 authentication system. Of course some nice soul decided to port it to be used with WordPress as well . So basically all you need is an iPhone/iPad , Android Devices or Blackberry to generate a number for you. You may download the authenticator from here
Just keep in mind that you need a smartphone and as well as WordPress 3.x . I am told that they are physical devices out there that would do the trick , but your best bet is to use a smartphone. Suppose if you do not have a smartphone , Bluestack comes in handy (it allows you to run Android application on top of Windows/OSX). You may want to take a look at that as well , but I do not recommend you to run the authenticator on a PC , it defeats the entire purpose if your PC is compromised.
Oh yes you may download the plug-in from here and install it directly to your WordPress or alternatively install directly within WordPress itself via their plugin section. Thank You Henrik.Schack for creating this awesome plug-in for WordPress !
 
Configuring  Google Authenticator for WordPress
Activating the plug-in will not enforce two-way authentication for every user in your WordPress Blog. Instead you would have to configure per user basis. I highly recommend enabling two-way authentication for accounts with administrator rights
Activate the plug-in and go to the Users -> Profile and Personal options page, in the Google Authenticator section.
google-authenticator
 
You should see a screen something like that. Fill it up and just follow the instructions. Its pretty straight forward. Once you have configured it , you’ll be presented  with something like this . All you have to do is scan the QR code using Google’s authenticator application on your Android smartphone/iPhone/Blackberry device.
 

 
 
Once the code is scanned, you’ll see a new entry in your Google Mobile Authenticator. So the next time if you want to sign in , you’ll have to enter your code along with your password as well as shown below.
 

google-authenticator screenshot 1
The new authentication page

google-authenticator screenshot 4

Discussion & Conclusion

There are few things that you should know before you implementing a two-factor authentication

  1. Your site has to be secured enough (that is your plugin folder is secured , your FTP , SQL , HTTP server). Suppose if it is not , an attacker could compromise your site in many other ways which makes having two-factor authentication pointless
  2. Two-factor authentication protects against brute-force , password-attack against wp-admin page. Together combined with other plugins you can “block” people who have tried to enter your site after too many attempts.
  3.  If you lose your phone , you are pretty much dead (and you would have to manually disable the addon via phpMyAdmin and edit a few things)
  4. You’ll have to configure for each and every user for your WordPress if you like to fully secure it. It becomes troublesome – This is why I highly recommend on doing it for Administrators only !

Certainly there are advantages of using two-factor authentication , mainly to make it much more secure and to scare script-kiddies away , to determine if this is the right thing for you or not – I recommend you to try it out first

Happy (Belated) Birthday Google

Wow , I’ve been with Google for the past 6 years. I have been using AdSense with them and then I got suspended for an odd reason (Its because of some violation I guess , but It was fun serving with them) and I am proud to say that I am one of the first few people who managed to get a gmail invite. Oh yeah , I did manage to get a $10 iTunes Gift Certificate , Postcards from Atlanta , New York and many other places in the states and couple of other goodies. Those were the days. So I would like to wish Google Happy 10th Birthday. You are still serving me every day – Right from Blogspot , YouTube , Gmail , Google Search …(and the list goes on)

Googles 10th Birthday
Google's 10th Birthday - Happy Birthday Google

I am using you every single day , in fact we all should be thankful to Google for this. I wonder how the Internet will be like without Google. I truly call Google as the backbone of the Internet , especially to the new comers who are new to the Internet. Wishing Google all the sucess. My hope is to work for Google , who knows with God’s grace and my wheelpower , I might just do it. Only the All Mighty God knows (It doesn’t matter what religion you are or if you don’t even believe in “God”).
Anyway ,here is the blog post by Google on their 10th Anniversary ! – I can go back and lecture on the old times when Google was young back in 1997-1998 (when they first brought Dial-Up here in Malaysia for home users) , but it would be too lenghty and boring. If you guys want to know and if there is demand , I would certainly blog bout it as well