How To Set Up Two-Factor Authentication Using a Mobile App

To get started you will need to install a Two-Factor Authentication app like Google Authenticator or Authy on your mobile device. In this example, we will be using Google Authenticator.

The Google Authenticator App - for iOS or Android 

The Authy Authenticator App - for iOS or Android

Once the app is configured with your site using iThemes Security Pro, your WordPress site will require both your username and password and a verification code generated with the Google Authenticator app.


Google Authenticator generates a 6-digit code that is only good once and changes every 30 seconds. Once configured, the app can produce verification codes without a network or cellular connection.


Enabling Two-Factor Authentication in iThemes Security Pro

1. Once you've installed iThemes Security Pro on your WordPress site, navigate to Security > Settings > Two-Factor, and click the settings icon.


2. To allow users to log in with Two-Factor Authentication, enable one or more of the Two-Factor providers in the list by checking the box next to it (Mobile App/Time-Based One-Time Password (TOTP), Email, or Backup Verification Codes).


If possible, we recommend enabling all providers by selecting the "All Methods (recommended)" option. A provider should only be disabled if it will not work properly with your site. For instance, the email provider should not be enabled if your site cannot send emails.

Then, click Save.

3. Once Two-Factor Authentication has been activated within iThemes Security Pro, any applicable user can then activate the feature for their own account by editing their WordPress User Profile.

Enabling from the WordPress User Profile

1. From the WordPress dashboard, visit Users > Your Profile. Scroll to the Google Authenticator Settings section and click Enable next to Time-Based One-Time Password (TOTP). You can also select this method as your primary form of two-factor authentication.


2. Click the "View Time-Based One-Time Password Configuration Details" link.

3. You'll now see the QR Code and Secret key that will be used to set up your site in the Google Authenticator app.


Adding Your WordPress Site to the Google Authenticator App

1. Open the Google Authenticator App on your mobile device.


2. The app will walk you through the setup. Click Begin Setup.


3. On the next screen, you're given two ways to add a new site to your Google Authenticator app. Select Scan Barcode or Manual Entry.


4. For Scan Barcode, a QR code scanner will appear so you can scan the QR code shown on your WordPress User Profile page. Scan this QR code by pointing your phone camera at the screen (yep, this works).


5. For the manual entry method, use the key provided above the QR code on your WordPress User Profile page.


6. Once Google Authenticator has recognized your QR code or key, a new site will be added to the app.


7. Once you have successfully set up the mobile app, you will need to return to Users > Your Profile and enter an authentication code, from your app, below the QR code.


8. Now, you can use the 6-digit code generated by the app to log in to your WordPress site (just note this code refreshes every 30 seconds).


Note: By default, iThemes Security uses a server hosted on servers to generate the QR codes used to set up your Mobile Apps. If you'd like to generate these QR codes locally, download the "Local QR Code" plugin from your Member Panel or the GitHub repository.
