Moving from Password Expirey to 2 Factor Authentication

Whether you have a large membership site or just a couple of administrators, it’s important to provide a secure login experience. Secure logins help to minimize the chances of data loss, identity theft, and fraud. There are many tools available to help you do this within your WordPress website. Here we will talk specifically about moving from a forced password expiry tool to using 2 Factor Authentication.

Choosing a 2 Factor Authentication tool

Before you can start using 2FA you need to take stock of how you want the process to work for users. Not all tools work the same, so you have to make sure whatever you pick is right for you. Do you need an app? Is SMS only ok? How many delivery options for the code would you like?

Here are a few examples of 2FA plugins that work a bit differently:

  • Google Authenticator – WordPress Two Factor Authentication (2FA)
    If this free plugin doesn’t offer everything you want, you can easily upgrade to premium versions that offer more robust options. With multilanguage support and multiple 2FA options, this is a great place to start and expand if needed.
  • Two-Factor
    Simple, free, and straightforward — this is perfect if all you’re looking for is an email-based 2FA option.
  • Two Factor Authentication
    This premium plugin is plenty robust and trusted by some very large websites. Emergency codes included!
  • Already Installed?
    If you have a security plugin installed, check your settings, review the options, and visit the plugin webpage. It’s possible you have a 2FA solution already available.

At the end of the day, you need to make sure your delivery options fit your users’ workflow and how they are equipped. For example, if your company has a ‘no cell phones at work’ policy, you don’t want to have an SMS 2FA tool. Conversely, email only might be problematic if you don’t have company email addresses.

Test it out

It’s very important that you use a staging website to enable and test a plugin like this before you activate it.

You can run into trouble with a tool that may conflict with your host or website code and lock you out unexpectedly. We actually had this happen when testing a few of the 2FA plugins available.

Moving from Password Expirey to 2 Factor Authentication: WordPress Admin Login one-time password incorrect

Understand how it works before you go live. Try all the various authentication methods and document what was easy and what was not during the process.

If you have a small user base, get them to test it too.

Inform your Users

Once you have chosen the best tool for you, you need to make sure you give your users instructions on how to use it. This can be done via a document in a knowledge base, a video, or whatever your preferred mode of communicating processes is. Your users need to know how it works.

Consider providing links to more in-depth how-to articles. Most tools you will enable are going to have information already available on how to use them. You can also try to anticipate any issues and give a couple of FAQs that you built from your experience testing the tool.

Give everyone a firm deadline, and be prepared to do some handholding for a couple of days following the switch.

Enjoy a secure login experience

Moving from Password Expirey to 2 Factor Authentication: WordPress Admin login verification code sent to email

And just like that, you have a more secure login experience! The most important thing here is that you test and communicate the change before going live.

If you have more questions you can always contact us!