Moving from Password Expiry to 2 Factor Authentication
Whether you have a large membership site or just a couple of administrators, it’s important to provide a secure login experience. Secure logins help to minimize the chances of data loss, identity theft, and fraud. There are many tools available to help you do this within your WordPress website. Today I will talk specifically about moving from a forced password expiry tool to using 2 Factor Authentication.
Choosing a 2FA tool
Before you can start using 2FA you need to take stock of how you want the process to work for users. Not all tools work the same, so you have to make sure whatever you pick is right for you. Do you need an app? Is SMS only ok? How many delivery options for the code would you like?
Here are a few examples of 2FA plugins that work a bit differently:
- Google Authenticator – WordPress Two Factor Authentication (2FA)
If this free plugin doesn’t offer everything you want, you can easily upgrade to premium versions that offer more robust options. With multilanguage support and multiple 2FA options, this is a great place to start and expand if needed.
Simple, free, and straightforward — this is perfect if all you’re looking for is an email-based 2FA option.
- Two Factor Authentication
This premium plugin is plenty robust and trusted by some very large websites. Emergency codes included!
- Already Installed?
If you have a security plugin already installed, be sure to check your settings, options, and visit the plugin webpage. It’s possible you have a 2FA solution already available.
At the end of the day, you need to make sure your delivery options fit your users’ workflow and the devices they actually have. For example, if your company has a ‘no cell phones at work’ policy, you don’t want an SMS-based 2FA tool. Conversely, if you don’t issue company email addresses, an email-only option might be problematic.
Test it out
It’s very important that you use a staging website to enable and test a plugin like this before you activate it.
You can run into trouble with a tool that conflicts with your host or your website code and locks you out unexpectedly. We actually had this happen when testing a few of the 2FA plugins available.
Understand how it works before you go live. Try all the various authentication methods and document what was easy and what was not during the process.
If you have a small user base, get them to test it too.
Inform your Users
Once you have chosen the best tool for you, you need to make sure you give your users instructions on how to use it. This can be done via a document in a knowledge base, a video, or whatever your preferred mode of communicating processes is. Your users need to know how it works.
Consider providing links to more in-depth how-to articles. Most tools you enable will already have documentation on how to use them. You can also try to anticipate issues and give a short FAQ built from your experience testing the tool.
Give everyone a firm deadline and be prepared to do some handholding for a couple of days following the switch.
Enjoy a secure login experience
And just like that, you have a more secure login experience! The most important thing here is that you test and communicate the change before going live.