Solid Security Trusted Devices

Notice for Unrecognized Devices

 

After enabling the Trusted Devices module, administrators will see a Login Alert in the WordPress admin bar about pending unrecognized devices.

 

 

Clicking the "confirm this device" link will trigger an Unrecognized Login Notification email, and from there, you can approve/disapprove a device.

 

 

Note: You'll need to log in again after confirming a device.

 

Optional Email Notification

 

In addition to the WordPress admin login notice, an Unrecognized Login Notification email (optional but recommended) can also alert you whenever an unrecognized device has been used to log in.

 

Note: To receive these emails, you'll need to enable the "Unrecognized Login" email notification in Security > Notifications.

 

 

Trusted Devices Settings

 

 

Restrict Capabilities on Unrecognized Sessions

 

When a user is logged in on an unrecognized device, you can restrict their administrator-level capabilities to prevent them from editing their login details.

 

Note: Enabling “Restrict Capabilities” requires the “Unrecognized Login” email notification to be enabled from the Notification Center within the Solid Security plugin.

 

Session Hijacking Protection

 

Session hijacking, sometimes called cookie hijacking, is a technique hackers use to take control of your account while you are using it, effectively becoming its owner.

 

By enabling Solid Security’s Session Hijacking Protection in the Trusted Devices settings, you can prevent session hijacking: the plugin checks that a user’s device does not change during a session.

 

If a user’s device changes during a session, Solid Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins. You can find more information about Session Hijacking here
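
The check described above, as an added example that is not Solid Security's code: a session is bound to a device fingerprint at login, and a request that presents the same token from a different device destroys the session. The fingerprint signals (User-Agent plus network prefix) and all names here are assumptions, since this page does not say how the plugin identifies a device.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional


def device_fingerprint(user_agent: str, ip: str, key: bytes) -> str:
    """Keyed hash of the signals assumed to identify a device (hypothetical choice)."""
    addr = ipaddress.ip_address(ip)
    # Compare networks, not exact addresses, so DHCP churn does not log users out.
    prefix = 24 if addr.version == 4 else 64
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    material = f"{user_agent}|{network}".encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory stand-in for a server-side session table."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # server secret, never sent to clients
        self._sessions = {}  # token -> (user, fingerprint bound at login)

    def login(self, user: str, user_agent: str, ip: str) -> str:
        token = secrets.token_urlsafe(32)
        bound = device_fingerprint(user_agent, ip, self._key)
        self._sessions[token] = (user, bound)
        return token

    def authenticate(self, token: str, user_agent: str, ip: str) -> Optional[str]:
        """Return the user for a valid request; destroy the session on device change."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound = entry
        seen = device_fingerprint(user_agent, ip, self._key)
        if not hmac.compare_digest(bound, seen):
            # Device changed mid-session: log out so a copied cookie is useless.
            del self._sessions[token]
            return None
        return user


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, made-up User-Agents).
    store = SessionStore()
    cookie = store.login("alice", "ExampleBrowser/1.0", "203.0.113.10")
    print(store.authenticate(cookie, "ExampleBrowser/1.0", "203.0.113.10"))
    print(store.authenticate(cookie, "OtherBrowser/9.9", "198.51.100.5"))
```

Once the mismatch is seen, the legitimate device is logged out as well, which matches the behaviour described above: the user signs in again and the copied cookie no longer works.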

 

 

WordPress User Profile with Trusted Devices Info

 

Once Trusted Devices are enabled within Solid Security, site admins can manage devices from the WordPress User Profile page. From this screen, site admins can approve or deny devices from the Trusted Devices list.

 

 

Note: Users can approve or deny devices through the WordPress admin bar notice or via their email notifications. The devices list on the Profile page is intended as a support tool for site administrators if a user locks themselves out accidentally. Auto Approval occurs when a new device is similar enough to an existing trusted device that Security Pro approves it automatically.

 

Integration with Two-Factor Authentication

 

Trusted Devices powers Solid Security’s “Remember Me” setting in Two-Factor Authentication. If the device doesn’t look the same, users are forced to re-enter their Two-Factor code instead of bypassing it.

To have the Remember Me option, you'll need to enable the "Allow Remembering Device" option in Security > Settings > User Groups.

 

 

Note: While remembering devices is convenient, it is more secure to require users to generate a new Two-Factor token each time they log in. 
