Solid Security Two-Factor Settings

Two-Factor Authentication 

Two-Factor Authentication greatly increases the strength of a user account by requiring a secondary code in addition to a username and password when logging in.

The following settings allow you to enforce the use of Two-Factor on accounts based on different criteria.

Once Two-Factor Authentication is enabled, users can visit their WP Profile page to enable or update Two-Factor Authentication settings for their account by clicking the "Configure" button.


The Configure button will redirect the user to the 2FA Onboarding process where they can update the 2FA settings.


Potential Conflict!

Any plugin or theme that "hijacks" the default WordPress login screen (wp-login.php) in any way will conflict with configuring the 2FA settings, or with enabling 2FA in the first place. That's because, under the hood, SolidWP doesn't build a custom interface; it relies on the familiar wp-login.php interface.

One example of a plugin that has a setting for disabling the wp-login.php screen is User Registration by WPEverest. Make sure not to use that feature if you want users to be able to configure 2FA with Solid Security.

You can also try to force the old 2FA settings layout if you're using a plugin/theme that conflicts with the 2FA configuration behavior by adding this code to the wp-config.php file: 

define( 'SOLID_SECURITY_LEGACY_2FA_UI', true ); // forces the legacy 2FA settings layout

Note: 2FA is a feature of the free plugin, but the "Require 2FA" and "Remember This Device" User Groups settings remain Pro only.


Authentication Methods Available to Users

Solid Security supports multiple Two-Factor Authentication methods: Mobile App, Email, and Backup Authentication Codes. With this setting, you can choose which methods will be available for your users:

- All Methods (recommended)
- All Except Email
- Select Methods Manually

Select Available Methods

  • Mobile App
    Use a Two-Factor mobile app such as Authy or Google Authenticator (Android, iOS). The mobile app generates a time-sensitive code that must be supplied when logging in.

  • Email
    Time-sensitive codes are supplied via email to the email address associated with the user's account. Note: This WordPress site must support sending emails for this method to work (for example, sending WordPress-generated emails such as password reset and new account emails).

  • Backup Authentication Codes
    Provide a set of one-time use codes that can be used to log in in the event the primary Two-Factor Authentication method is lost. Note: These codes are intended to be stored in a secure location.

Selecting "All Methods" is highly recommended so that users can use the method that works best for them.
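The following worked example (added here; it is not Solid Security's code and does not show how the plugin is implemented) illustrates the mechanics behind two of the methods listed above: how a Mobile App code is derived from a shared secret and the current time (RFC 6238 TOTP on top of RFC 4226 HOTP, the scheme Google Authenticator and Authy implement), why the server should tolerate a small clock drift, and how Backup Authentication Codes can be stored so that a leaked database does not expose them and each code works only once. Python is used instead of PHP so the example runs anywhere; the base32 secret, the time values and the PBKDF2 parameters are constructed for the demonstration.

```python
"""Added example (not Solid Security's code): TOTP and one-time backup codes.
The secret, clock values and PBKDF2 settings are constructed for this demo."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30        # time step used by common authenticator apps
DIGITS = 6
PBKDF2_ROUNDS = 50_000   # constructed demo value; tune for your hardware


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb phone/server clock skew.
    hmac.compare_digest keeps the string comparison constant-time."""
    for drift in range(-window, window + 1):
        candidate = hotp(secret, at // STEP_SECONDS + drift)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def generate_backup_codes(count: int = 10):
    """Return (plaintext codes to show the user once, salted-hash records to persist).
    Only the records are stored; the plaintext is never written to the database."""
    plaintext, records = [], []
    for _ in range(count):
        code = secrets.token_hex(4)                       # 8 hex chars, 32 bits of entropy
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)
        plaintext.append(code)
        records.append({"salt": salt, "hash": digest, "used": False})
    return plaintext, records


def redeem_backup_code(records, submitted: str) -> bool:
    """Consume a backup code: check every unused record (no early exit), then mark it used."""
    submitted = submitted.strip().lower()
    matched = None
    for rec in records:
        digest = hashlib.pbkdf2_hmac("sha256", submitted.encode(), rec["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(digest, rec["hash"]) and not rec["used"]:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True   # second presentation of the same code is rejected
    return True


if __name__ == "__main__":
    # Constructed demo secret in the base32 form an authenticator app reads from a QR code.
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(secret, now)
    print("current TOTP:", code, "accepted:", verify_totp(secret, code, now))
    codes, stored = generate_backup_codes(3)
    print("backup codes (display once):", codes)
    print("first use:", redeem_backup_code(stored, codes[0]),
          "second use:", redeem_backup_code(stored, codes[0]))
```

The `window` argument is the usual trade-off: a window of one step on each side keeps logins working when the phone's clock is slightly off, while keeping the number of codes accepted at any moment to three. Backup codes are hashed like passwords because they are equivalent to a password once the primary method is lost.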

Note: If you choose to exclude the Email method from the available authentication methods, the "Require Two-Factor" setting in Security -> Settings -> User Groups won't be available.


Setup Flow

Disable on First Login

Don't require a Two-Factor authentication code when a user first logs in.

This simplifies the sign-up flow for users whose accounts are required to have Two-Factor Authentication enabled.

On-boarding Welcome Text

When you log in with Two-Factor Authentication enabled, you’ll be prompted to enter a secondary authentication code from your Phone or Email. You can customize the text shown to users at the beginning of the Two-Factor Authentication Onboarding flow.


Protection

Vulnerable User Protection

Enforce Two-Factor Authentication for vulnerable users.

Require user accounts that are considered vulnerable, such as accounts with a weak password or accounts recently targeted by brute force attacks, to use Two-Factor if the account doesn't already do so. Enabling this feature is highly recommended.

This setting is only available on Solid Security Pro and requires the Email method to be available.

Vulnerable Site Protection

Enforce Two-Factor if the site is vulnerable.

Require all users to use Two-Factor Authentication when logging in if the site is vulnerable, such as when it is running outdated software or software with known vulnerabilities. Enabling this feature is highly recommended.

This setting is only available on Solid Security Pro and requires the Email method to be available.
