iThemes Security Two-Factor Settings

Two-Factor Authentication


Two-Factor Authentication greatly increases the strength of a user account by requiring a secondary code in addition to a username and password when logging in. Once Two-Factor Authentication is enabled, users can visit their profile to enable Two-Factor for their account.

[Screenshot: user_2factor.png]

The following settings allow you to enforce the use of Two-Factor on accounts based on different criteria.

[Screenshot: 2factor.png]

Authentication Methods Available to Users

  • All Methods (recommended)
  • All Except Email
  • Select Methods Manually  

iThemes Security supports multiple Two-Factor methods: mobile app, email, and backup codes. Selecting "All Methods" is highly recommended so that users can use the method that works best for them. Of the three, email is the weakest: anyone who can read a user's mailbox can also read the code, which is why "All Except Email" is offered for sites that prefer to rule it out.

Select Available Methods

Mobile App

Use a Two-Factor mobile app such as Authy or Google Authenticator (Android, iOS). The mobile app generates a time-based one-time code (TOTP) that is only valid for a short window and must be supplied when logging in.
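To show what "time-sensitive" means in practice, here is an added example (written for this page, not code from the iThemes Security plugin, which is PHP) of the standard TOTP algorithm the mobile apps above implement: the app side that derives the 6-digit code from a shared secret and the current 30-second step, and a server-side verifier that accepts the current step plus or minus one to tolerate clock drift, but refuses to accept the same code twice. The secret is the RFC 4226/6238 reference seed, used here only so the output can be checked against the published test vectors; the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 reference seed ("12345678901234567890" in Base32). Constructed
# for this example only; a real enrollment generates a random secret per user.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_code(secret_b32: str, at_time: float, step: int = 30, digits: int = 6) -> str:
    """What the authenticator app displays at a given Unix time (30-second steps)."""
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Server side: accept a code for the current step +/- `window` steps, once each."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        # Highest counter already redeemed; a code is never accepted a second time.
        self.last_accepted_counter = -1

    def verify(self, code: str, at_time: float) -> bool:
        code = code.strip().replace(" ", "")
        if len(code) != self.digits or not code.isdigit():
            return False
        current = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_accepted_counter:
                continue  # already used, or older than one we accepted: replay
            expected = hotp(self.secret_b32, counter, self.digits)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp_code(DEMO_SECRET_B32, now)
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print("current code:", code)
    print("accepted first time:", verifier.verify(code, now))
    print("accepted again (replay):", verifier.verify(code, now))
```

The one-step window is the usual trade-off between tolerating a phone whose clock is a few seconds off and keeping the code's lifetime to at most about 90 seconds; the `last_accepted_counter` check is what stops a code captured in transit from being reused inside that window.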

Email

Time-sensitive codes are supplied via email to the email address associated with the user's account. Note: This WordPress site must support sending emails for this method to work (for example, sending WordPress-generated emails such as password reset and new account emails).

Backup Authentication Codes

Provide a set of one-time-use codes that can be used to log in in the event the primary Two-Factor Authentication method is lost (for example, the phone holding the authenticator app). Note: these codes are intended to be stored in a secure location.
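The two properties that matter for backup codes are that each code works exactly once and that the server never keeps them in plaintext. The following is an added example (not the plugin's code) of a per-user backup-code store that issues a fresh set, keeps only salted PBKDF2 hashes, normalises whatever the user types, and deletes a code the moment it is redeemed. The alphabet, code format and class name are choices made for this example.

```python
import hashlib
import hmac
import secrets

# Unambiguous alphabet (no 0/O or 1/I) so codes survive being read back off paper.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def normalize(code: str) -> str:
    """Accept what a user actually types: case, spaces and dashes are ignored."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


class BackupCodeStore:
    """Per-user set of one-time recovery codes, stored only as salted slow hashes."""

    def __init__(self, count: int = 10, length: int = 8, iterations: int = 100_000):
        self.salt = secrets.token_bytes(16)
        self.iterations = iterations
        self._count = count
        self._length = length
        self._hashes = set()

    def _hash(self, code: str) -> bytes:
        # Codes are short, so a slow KDF rather than bare SHA-256 limits offline
        # guessing if the stored hashes ever leak.
        return hashlib.pbkdf2_hmac(
            "sha256", normalize(code).encode(), self.salt, self.iterations
        )

    def issue(self) -> list:
        """Generate a fresh set, replacing any previous codes. The plaintext is
        returned exactly once so the user can store it somewhere safe."""
        codes = []
        for _ in range(self._count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(self._length))
            codes.append(raw[:4] + "-" + raw[4:])
        self._hashes = {self._hash(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code: valid exactly once, then removed from the set."""
        candidate = self._hash(code)
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, candidate):
                self._hashes.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()
    print("issued:", codes)
    print("first use:", store.redeem(codes[0]))
    print("second use of same code:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

Because the plaintext is only ever returned from `issue()`, losing the list means regenerating the whole set; that is the intended behaviour, and it is why the page tells users to store the codes securely rather than expecting to retrieve them later.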

User Type Protection

  • Privileged Users (recommended)
  • All Users (not recommended)
  • Select Roles Manually
  • Disabled  

Require user accounts of specific roles to use Two-Factor Authentication if the account doesn't already do so. The "Privileged Users" setting is highly recommended as this forces users that can change site settings, software, or content to use Two-Factor Authentication.

Disable Forced Two-Factor Authentication for Certain Users

  • None (recommended)
  • Select Roles Manually (not recommended)  

Disable forced Two-Factor Authentication and on-boarding for certain users. Users can still manually enroll in Two-Factor Authentication through their WordPress admin profile. This setting will override forced Two-Factor Authentication for Vulnerable User Protection and Vulnerable Site Protection for the selected users.

Note: We don’t recommend changing this from the default, as Two-Factor Authentication is important for all users, not just administrators.

Select Roles to Disable

  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber
  • Customer
  • Shop manager
  • Translator
  • Employer
  • Candidate
  • SEO Manager
  • SEO Editor

Vulnerable User Protection

Enforce Two-Factor Authentication for vulnerable users.

Require user accounts that are considered vulnerable, such as accounts with a weak password or accounts that have been targeted by recent brute force attacks, to use Two-Factor Authentication if they do not already do so. Enabling this feature is highly recommended.

Vulnerable Site Protection

Enforce Two-Factor if the site is vulnerable.

Require all users to use Two-Factor Authentication when logging in if the site is considered vulnerable, such as when it is running outdated software or software with known vulnerabilities. Enabling this feature is highly recommended.

Disable on First Login

Don't require a Two-Factor code when a user first logs in.

This simplifies the sign-up flow for users who are required to enable Two-Factor Authentication for their account.

On-board Welcome Text

Default text: "When you log in using a Two-Factor Authenticator you'll be prompted to enter a secondary Authentication Code from your Phone or Email."

Customize the text shown to users at the beginning of the Two-Factor Authentication On-Board flow.

Application Passwords

  • Enabled (recommended)
  • Disabled
  • Select Roles Manually (not recommended)  

Application Passwords are used to allow authentication via non-interactive systems, such as XML-RPC or the REST API, without providing your actual password. They can be easily revoked, and can never be used for traditional logins to your website. Because they are presented on API requests rather than through the login form, the Two-Factor prompt does not apply to them: treat each application password as a standing credential for the account, and revoke any that are no longer in use.

Select Roles for Application Passwords

  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber
