
5sec Google Authenticator 2-Step Login Protection Premium WordPress Plugin
by SourceCodec.NET in WordPress Plugins on July 8, 2020
5sec Google Authenticator 2-Step Login Protection Premium is a premium WordPress plugin that adds bank-grade security powered by Google to your site. Each login requires a new, unique, time-restricted OTP (one-time password) that your phone generates. Even if someone knows your password, they won’t be able to log in.
To view details of installing and using this plugin, please click here


Settings
Global plugin settings are available under the Settings – 5sec Google Authenticator menu. The following settings can be adjusted:
- Disable two step authentication on RPC login – if you’re using any 3rd party apps such as WordPress for iOS you’ll have to disable two step authentication for RPC apps because they don’t support it. If you don’t use such apps, don’t disable it; leaving it enabled increases the site’s security.
- Auto logout after being idle for – if you often forget to log out or use public computers this is a great protection. After not clicking anything for the set amount of minutes a lightbox will pop up asking for username & password & OTP. After entering it you’ll continue to work normally without leaving the page. The process is completely unobtrusive.
- Secret login URL – in case you’re unable to log in via username & password & OTP this URL will allow you to use only username & password. There’s no need to change this URL unless it has been compromised. Don’t share it with anyone except your fellow site admins.
- Send QR code to new users – when new users register they need to receive their authenticator QR code, otherwise they won’t be able to log in. This option adds the QR code to the welcome email that has their username/password. If you choose not to send the QR code you’ll have to do it manually by going to the Users screen in WP admin and selecting “send QR emails” from the bulk actions dropdown.
- Maximum number of failed login attempts before ban – please don’t set this number to a very low one because anybody can have a couple of failed login attempts. 5 failed attempts in 5 minutes is a reasonable number. After the time passes the counter is automatically reset.
- Ban time – 2 hours will cool down most attackers but if you’re experiencing heavy traffic you can even ban users forever (10 years to be more precise).
- Banned users – can either be completely banned from accessing the site or just banned from trying to login. In normal circumstances banning them from logging in is enough. If you experience heavy brute-force attacks then block completely.
- IP whitelist – list of IP addresses that are ignored by ban rules. Wildcards are not supported. Write one IP per line without leading zeros, i.e. 192.168.1.12.
Per-user settings are available in each user’s profile. The following settings can be adjusted:
- Enable Two Step Authentication – only admins can change this setting. By default it’s enabled. Please note that disabling two step authentication even for one user will significantly lower your site’s security!
- Secret Key – users and admins can generate new secret keys. If you generate a new secret key you will have to add a new entry (scan the new QR code) in your mobile authenticator app. The old one will not work. Do not change the key unless you are having problems logging in or the key has been compromised.
- QR Code – don’t forget to save settings and scan the new QR code after changing the secret key.
D) How does it work
Traditional one-step authentication uses a username (in most cases not a secret) and a password (only known to the user) to identify a user. If someone steals the password he gains full access to the protected resources. Two step login adds another protection layer.
Username and password are still used and a third piece of data is required to log in – an OTP (one-time password). This password is generated for you every time you need to log in by an OTP device, often referred to as a token device. In our case it’s the phone app. The OTP is time bound, meaning that once it’s generated you only have 2 minutes to use it. If someone steals one OTP it won’t do them much good. Also, if you’re tricked into clicking “save my password” no harm will be done because the saved OTP will be useless in two minutes. The same goes if your username & password are compromised in any other way. The attacker won’t be able to log in because they don’t have a valid OTP.
This technology has been utilised by banks for years and has been proven as very reliable. It does add some overhead for the end user as he has to generate an OTP for each login but the security benefits are more than obvious.
How does the plugin know which OTP is valid and which not?
In order for an OTP to be valid it has to meet two requirements: it can’t be too “old” and it has to belong to your account. You can’t use an OTP generated for somebody else’s account. Each account has a secret key. That key is known to WordPress and to your phone (that’s why you have to scan the QR code). Based on the key the phone generates an OTP and, again based on the key, WordPress confirms that the entered OTP belongs to the specified user. If your secret key changes you won’t be able to log in.
FAQ
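The two checks described above (freshness and per-account key), sketched as standard RFC 6238 TOTP, the algorithm Google Authenticator implements. This is an added example, not the plugin’s own code; the function names, the ±2-step drift window and the replay guard are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default, used by Google Authenticator)

# Constructed sample secrets; the first is the RFC 6238 SHA-1 test key.
ALICE_SECRET = base64.b32encode(b"12345678901234567890").decode()
BOB_SECRET = base64.b32encode(b"another-account-key!").decode()

def totp(secret_b32, unix_time, digits=6):
    """Compute the HMAC-SHA1 TOTP for a Base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, now, drift_steps=2, last_used_step=None):
    """Return the matched time step, or None if the code is wrong, stale or reused.

    drift_steps=2 tolerates about one minute of clock difference either way
    (assumed value). last_used_step is the step of the user's previous
    successful login; rejecting steps <= it blocks replay of a captured code.
    """
    current = int(now) // STEP
    matched = None
    for step in range(max(0, current - drift_steps), current + drift_steps + 1):
        candidate = totp(secret_b32, step * STEP)
        # Constant-time compare; keep looping so timing does not reveal the step.
        if hmac.compare_digest(candidate.encode(), submitted.encode()):
            if matched is None:
                matched = step
    if matched is not None and last_used_step is not None:
        if matched <= last_used_step:
            return None  # code already used: treat as invalid
    return matched

if __name__ == "__main__":
    code = totp(ALICE_SECRET, 59)
    print("code at t=59:", code)
    print("fresh, right account:", verify(ALICE_SECRET, code, 59))
    print("one minute later:", verify(ALICE_SECRET, code, 119))
    print("too old:", verify(ALICE_SECRET, code, 150))
    print("other account's key:", verify(BOB_SECRET, code, 59))
    print("replayed:", verify(ALICE_SECRET, code, 59, last_used_step=1))
```

The server must persist the returned step per user after each successful login for the replay guard to work.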
Will this plugin slow my site down?
Absolutely not. Overhead that this plugin adds to WordPress is absolutely minimal.
Will it work on my theme?
Yes, it’s theme independent. If your theme has a custom login form make sure it uses all the actions and filters the default WP login form does.
Will it work with plugin XYZ?
If the plugin is security related or modifies the login form there might be conflicts.
Is this plugin safe to use?
Of course.
I can’t login. It always says the OTP is wrong or expired.
Make sure your server’s and phone’s clocks are in sync. A difference of up to one minute is OK. Also make sure you scanned the right QR code. If you deactivated and activated the plugin all the QR codes will be regenerated and you have to use the latest one.
I locked myself out of my site.
As a last resort you can always delete/rename the plugin’s folder via FTP and it’ll deactivate.
| Download Category | WordPress Plugins |
| Product Homepage URL→ | |
| Product Version | 1.2.0 |
| File Type | PHP, JS, CSS, TXT |
| File Size | 114 KB |
| Developer | WebFactory |
| Documentation | https://sourcecodec.net/install-doc/2020/07/5sec-google-authenticator/documentation/index.html |





