To get started, you will need to install a Two-Factor Authentication app like Google Authenticator or Authy on your mobile device. In this example, we will be using Google Authenticator.
Once the app is configured with your site using Solid Security Pro, your WordPress site will require both your username and password and a verification code generated with the Google Authenticator app.
Google Authenticator generates a 6-digit code that is valid only once and changes every 30 seconds. Once configured, you can get verification codes without the need for a network or cellular connection.
Enabling Two-Factor Authentication in Solid Security Pro
1. Once you've installed Solid Security Pro on your WordPress site, navigate to Security -> Settings -> Features -> Two-Factor, and click the dropdown arrow.
2. To allow users to log in with Two-Factor Authentication, enable one or more of the Two-Factor providers in the list by checking the box next to it (Mobile App (TOTP), Email, or Backup Verification Codes).
If possible, we recommend enabling all providers by selecting the "All Methods (recommended)" option. A provider should only be disabled if it will not work properly with your site. For instance, the email provider should not be enabled if your site cannot send emails.
Then, click Save.
3. Once Two-Factor Authentication has been activated within Solid Security Pro, any applicable user can then activate the feature for their own account by editing their WordPress User Profile.
Enabling from the WordPress User Profile
1. From the WordPress dashboard, visit Users -> Your Profile, scroll to the Solid Security Two-Factor Authentication section and click Configure to open the 2FA Onboarding prompt.
2. Enable the Mobile App method on the Select Methods step.
3. Scan the QR Code with your Mobile Authenticator App or click the View Secret button to see the 2FA secret.
If you have added the code snippet that brings back the old Solid Security 2FA UI (see the "Potential Conflict" section for how to do this), you'll need to click the "View QR Code & Secret Key" button to view or generate the 2FA secret.
With the old UI, you can also choose which method will be your primary form of two-factor authentication.
Adding Your WordPress Site to the Google Authenticator App
1. Open the Google Authenticator App on your mobile device.
2. The app will walk you through the setup. Click Begin Setup.
3. On the next screen, you're given two ways to add a new site to your Google Authenticator app. Select Scan Barcode or Manual Entry.
4. For Scan Barcode, a QR code scanner will appear so you can scan the QR code shown on your WordPress User Profile page. Scan this QR code by pointing your phone camera at the screen (yep, this works).
5. For the manual entry method, use the key provided above the QR code on your WordPress User Profile page.
6. Once Google Authenticator has recognized your QR code or key, a new site will be added to the app.
7. Once you have successfully set up the mobile app, you will need to enter the generated TOTP code in the Solid Security 2FA settings to register and verify the 2FA key.
For users with the old 2FA UI, return to Users > Your Profile and enter an authentication code from your app below the QR code.
8. Now, you can use the 6-digit code generated by the app to log in to your WordPress site (just note this code refreshes every 30 seconds).
Note: By default, Solid Security uses a server hosted on SolidWP servers to generate the QR codes used to set up your Mobile Apps. If you'd like to generate these QR codes locally, download the "Local QR Code" plugin from your SolidWP Member Panel or the GitHub repository.
Why do I see the "Mobile App Two-Factor is temporarily unavailable" message?
The Mobile App method will be unavailable when the Solid Security encryption key isn't properly rotated for certain users.
When this happens, you'll need to reset your Mobile App 2FA method by clicking the "Generate New Secret" button in the 2FA settings. To do so, first log in to your account using another 2FA method (Email or Backup Codes), then go to your WP Profile settings page to register a new 2FA secret for your Mobile App method.