Two-Factor Authentication
Two-Factor Authentication greatly increases the strength of a user account by requiring a secondary code in addition to a username and password when logging in. Once Two-Factor Authentication is enabled, users can visit their profile to enable Two-Factor for their account.
The following settings allow you to enforce the use of Two-Factor on accounts based on different criteria.
Authentication Methods Available to Users | - All Methods (recommended) - All Except Email - Select Methods Manually Solid Security supports multiple Two-Factor methods: mobile app, email, and backup codes. Selecting "All Methods" is highly recommended so that users can use the method that works best for them. |
Select Available Methods | - Mobile App: Use a Two-Factor mobile app such as Authy or Google Authenticator (Android, iOS). The mobile app generates a time-sensitive code that must be supplied when logging in. - Email: Time-sensitive codes are supplied via email to the email address associated with the user's account. Note: This WordPress site must support sending emails for this method to work (for example, sending WordPress-generated emails such as password reset and new account emails). - Backup Authentication Codes: Provide a set of one-time use codes that can be used to log in if the primary Two-Factor Authentication method is lost. Note: these codes are intended to be stored in a secure location. |
Disable Forced Two-Factor Authentication for Certain Users | - Privileged Users (recommended) - All Users (not recommended) - Select Roles Manually - Disabled Require user accounts of specific roles to use Two-Factor Authentication if the account doesn't already do so. The "Privileged Users" setting is highly recommended as this forces users who can change site settings, software, or content to use Two-Factor Authentication. |
Select Roles to Disable | - Administrator - Editor - Author - Contributor - Subscriber - Customer - Shop manager - Translator - Employer - Candidate - SEO Manager - SEO Editor |
Vulnerable User Protection | Enforce Two-Factor Authentication for vulnerable users. Require user accounts that are considered vulnerable, such as accounts with a weak password or accounts subject to recent brute force attacks, to use Two-Factor if the account doesn't already do so. Enabling this feature is highly recommended. |
Vulnerable Site Protection | Enforce Two-Factor if the site is vulnerable. Require all users to use Two-Factor Authentication when logging in if the site is vulnerable, such as running outdated software or software known to be vulnerable. Enabling this feature is highly recommended. |
Disable on First Login | Don't require a Two-Factor code when a user first logs in. This simplifies the sign-up flow for users that require Two-Factor Authentication to be enabled for their account. |
On-board Welcome Text | When you log in using a Two-Factor Authenticator you’ll be prompted to enter a secondary Authentication Code from your Phone or Email. Customize the text shown to users at the beginning of the Two-Factor Authentication On-Board flow. |
Application Passwords | - Enabled (recommended) - Disabled - Select Roles Manually (not recommended) Application Passwords are used to allow authentication via non-interactive systems, such as XML-RPC or the REST API, without providing your actual password. They can be easily revoked and can never be used for traditional logins to your website. |
Select Roles for Application Passwords | - Administrator - Editor - Author - Contributor - Subscriber |
Note: 2FA is now a free feature, but the Require 2FA and Remember This Device features remain Pro only.
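
The Mobile App and Backup Authentication Codes methods described above, shown as an added example that is not Solid Security's own code: how a server checks a time-sensitive code and consumes a one-time backup code. It assumes the RFC 6238 defaults used by authenticator apps such as Google Authenticator (HMAC-SHA1, 30-second step, 6 digits); the `SecondFactor` class, the one-step drift window and the sample codes are hypothetical.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS = 30, 6  # RFC 6238 defaults assumed for this example

def totp(secret_b32: str, now: float, offset: int = 0) -> str:
    """RFC 6238 code for the 30-second step containing `now`, shifted by `offset` steps."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(now // STEP) + offset
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class SecondFactor:
    """Hypothetical per-user state: a TOTP secret plus one-time backup codes."""
    def __init__(self, secret_b32, backup_codes):
        self.secret = secret_b32
        self.last_step = -1  # highest time step already accepted
        # Kept as digests here; a production store would use a salted password hash.
        self.backup = {hashlib.sha256(c.encode()).hexdigest() for c in backup_codes}

    def check_totp(self, code, now, window=1):
        # Accept the current step and +/- `window` steps to tolerate clock drift.
        for off in range(-window, window + 1):
            step = int(now // STEP) + off
            expected = totp(self.secret, now, off).encode()
            if step > self.last_step and hmac.compare_digest(expected, code.encode()):
                self.last_step = step  # the same code is never accepted twice
                return True
        return False

    def check_backup(self, code):
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.backup:
            self.backup.remove(digest)  # one-time use: consumed on success
            return True
        return False

# Constructed sample data: the RFC 6238 test secret and two made-up backup codes.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    user = SecondFactor(SECRET, ["4821-7730", "9153-0462"])
    code = totp(SECRET, 59)
    print(code, user.check_totp(code, 59), user.check_totp(code, 59))
    print(user.check_backup("4821-7730"), user.check_backup("4821-7730"))
```

The second `check_totp` call with the same code fails because the time step was already used, and the second `check_backup` call fails because the code was consumed.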