What is Two Factor Authentication (2FA)?

May 20, 2026

Two Factor Authentication (2FA) is a login process that requires two independent proofs of identity before granting access to an account. The first factor is usually something the user knows (a password). The second factor is something the user has (a smartphone with a TOTP app, a hardware security key like YubiKey, an SMS code, a push notification) or something the user is (fingerprint, face scan). Even if an attacker steals the password through phishing, a data breach or credential stuffing, they cannot log in without also controlling the second factor. Google reported in May 2019 that adding a recovery phone number blocks 100 percent of automated bot attacks, 99 percent of bulk phishing and 90 percent of targeted attacks. Microsoft published in 2019 that accounts using any form of 2FA are 99.9 percent less likely to be compromised.

How does Two Factor Authentication work?

The user enters username and password as usual. The server validates the password and then asks for the second factor. The second factor is delivered through one of these channels:

  • TOTP (Time based One Time Password): a six digit code that changes every 30 seconds, generated by an app like Google Authenticator, Microsoft Authenticator, Authy, 1Password or Bitwarden. The algorithm (RFC 6238, published 2011) uses a shared secret and the current Unix time.
  • Push notification: the server sends a request to a registered app (Duo Mobile, Microsoft Authenticator, Okta Verify) and the user taps Approve or Deny.
  • SMS code: a six to eight digit code sent by text message. Convenient but vulnerable to SIM swap attacks. NIST SP 800 63B (Revision 3) discourages SMS as a sole second factor.
  • Email code: similar to SMS but delivered to a verified email address.
  • Hardware security key: a physical USB, NFC or Bluetooth device (YubiKey, Google Titan, Feitian, Nitrokey) that implements FIDO U2F or WebAuthn / FIDO2.
  • Biometric factor: fingerprint, face scan or iris scan via Touch ID, Face ID, Windows Hello.
  • Backup codes: a list of one time recovery codes printed at setup, used if the primary second factor is lost.

What is the difference between 2FA and MFA?

MFA (Multi Factor Authentication) is the umbrella term for any login that uses two or more factors. 2FA is a specific subset of MFA that uses exactly two factors. In everyday speech the terms are often used interchangeably. Some highly regulated environments (banks under PSD2, US federal systems under Executive Order 14028 of May 2021) require three factor authentication for the highest privilege actions.

Which 2FA method is the most secure?

  1. Passkeys / WebAuthn / FIDO2 hardware keys: phishing resistant by design because the credential is bound to the origin (domain) and cannot be reused on a fake site. YubiKey 5, Google Titan, Apple Passkeys, Windows Hello for Business. Recommended by CISA, NIST and Google for high value accounts.
  2. TOTP authenticator apps: strong, offline, free. Risk: phishing pages can capture the code if entered in real time on a fake site.
  3. Push notifications: strong, requires user attention. Risk: MFA fatigue attacks where attackers spam approval requests until a tired user taps Approve. The 2022 Uber breach used this technique.
  4. SMS codes: weakest of the listed methods. SIM swap attacks at the mobile carrier let an attacker receive the SMS. High profile victims include Twitter founder Jack Dorsey (August 2019).
  5. Email codes: only as strong as the email account itself. If the email is also protected by 2FA, acceptable as a fallback.

What are Passkeys?

Passkeys are a passwordless evolution of WebAuthn standardized by the FIDO Alliance and supported by Apple (iOS 16, September 2022), Google (Android 9+, ChromeOS, Chrome 108 in October 2022) and Microsoft (Windows 11). A passkey is a cryptographic key pair stored in a secure enclave (Apple Keychain, Google Password Manager, Windows Hello) or on a hardware token. The private key never leaves the device; only the public key is registered with the website. Login uses a biometric prompt and is immune to phishing. WordPress supports passkeys through plugins like Two Factor or Passkeys for WordPress (2024).

How do I enable 2FA in WordPress?

WordPress core does not include 2FA. Use one of these plugins:

  • Two Factor by the WP Two Factor Feature Team (free, on WordPress.org, over 40,000 active installations): TOTP, email, FIDO U2F, backup codes.
  • Wordfence Login Security (free): TOTP, reCAPTCHA on login, XML RPC protection. Bundled inside the main Wordfence plugin or as a separate lightweight plugin.
  • WP 2FA by Melapress (free + paid): TOTP, email, supports forcing 2FA for specific roles, grace period for setup.
  • miniOrange Google Authenticator (free + paid): supports YubiKey, Duo, Authy, Google Authenticator.
  • Jetpack: requires a WordPress.com account and uses WordPress.com 2FA.

Steps with the free Two Factor plugin:

  1. Install and activate the Two Factor plugin from Plugins » Add New.
  2. Open Users » Profile, scroll to Two Factor Options.
  3. Enable Time Based One Time Password (TOTP), scan the QR code with your authenticator app, enter the current six digit code and save.
  4. Also enable Backup Verification Codes, click Generate Codes, print and store them in a safe place.
  5. Optionally enable FIDO U2F Security Keys and register a YubiKey.
  6. Log out and test the login flow on a fresh browser session.

What is MFA fatigue and how can I prevent it?

MFA fatigue is a social engineering attack where the attacker has the password and triggers repeated push notifications hoping the user eventually taps Approve out of frustration. Mitigations:

  • Use TOTP or hardware keys instead of push notifications for high value accounts.
  • Enable number matching in push apps (Microsoft Authenticator since February 2023, Okta since 2022): the user must type a number shown on the login screen, not just tap a button.
  • Alert the user and lock the account after several denied prompts.
  • Train users to never approve unexpected prompts.
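The second and third mitigations above (number matching, and locking the account after several denied prompts) can be modelled in a few dozen lines. This is an added example written for this page, not the logic of Duo, Microsoft Authenticator or Okta Verify: a small Python service that issues a push challenge carrying a two digit number, accepts an approval only when the number typed in the app matches the one shown on the login screen, counts denials and mismatches, stops sending pushes once the account is locked, and records an audit trail. All class, method and event names are this example's own.

```python
import secrets


class PushApprovalService:
    """Server side of a push second factor with number matching and a denial lockout.
    Illustrative model for this page, not the behaviour of any real push product."""

    MAX_DENIALS = 3          # denied or mismatched prompts before the account is locked
    CHALLENGE_TTL = 60       # seconds a prompt stays answerable

    def __init__(self, lockout_seconds: int = 900):
        self.lockout_seconds = lockout_seconds
        self._pending = {}       # user -> (challenge_id, number, expires_at)
        self._denials = {}       # user -> consecutive denial count
        self._locked_until = {}  # user -> unix time at which the lock expires
        self.events = []         # audit trail a SOC can alert on

    def is_locked(self, user: str, now: int) -> bool:
        return now < self._locked_until.get(user, 0)

    def start_login(self, user: str, now: int, rng=secrets.randbelow):
        """Called after a correct password. Returns the prompt data, or None when the
        account is locked: no push is sent, so repeated prompts simply stop arriving."""
        if self.is_locked(user, now):
            self._log(now, user, "push_suppressed_locked")
            return None
        number = rng(100)                         # two digit number shown on the login screen
        challenge_id = secrets.token_hex(8)
        self._pending[user] = (challenge_id, number, now + self.CHALLENGE_TTL)
        self._log(now, user, "push_sent")
        return {"challenge_id": challenge_id, "number": number}

    def respond(self, user: str, challenge_id: str, typed_number, approve: bool, now: int) -> str:
        """The app's answer: the user taps Approve and types the number, or taps Deny."""
        pending = self._pending.pop(user, None)
        if pending is None or pending[0] != challenge_id:
            return "no_challenge"
        _, expected, expires_at = pending
        if now > expires_at:
            self._log(now, user, "push_expired")
            return "expired"
        if approve and typed_number == expected:
            self._denials[user] = 0
            self._log(now, user, "approved")
            return "approved"
        # Deny, or Approve with the wrong number (the user is not looking at the real login screen)
        self._denials[user] = self._denials.get(user, 0) + 1
        if self._denials[user] >= self.MAX_DENIALS:
            self._locked_until[user] = now + self.lockout_seconds
            self._denials[user] = 0
            self._log(now, user, "locked_after_repeated_denials")
            return "locked"
        self._log(now, user, "denied")
        return "denied"

    def _log(self, now: int, user: str, event: str) -> None:
        self.events.append({"time": now, "user": user, "event": event})
```

The `rng` parameter exists only so the number can be fixed in a test; in production the default `secrets.randbelow` is used. The `locked_after_repeated_denials` and `push_suppressed_locked` events are the ones worth forwarding to a SIEM, because a burst of them for one user is the signature of a fatigue attempt against a password that is already known to the attacker.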

What standards govern 2FA?

Standard                    Year                        Purpose
RFC 4226 (HOTP)             2005                        HMAC based one time password (counter based)
RFC 6238 (TOTP)             2011                        Time based one time password
FIDO U2F                    2014                        Hardware key second factor
FIDO2 / WebAuthn            2019 (W3C Recommendation)   Passwordless and phishing resistant login
NIST SP 800 63B Rev 3       2017                        US federal guidelines, deprecates SMS
PSD2 SCA                    2019 (EU)                   Strong Customer Authentication for payments
Passkeys (FIDO Alliance)    2022                        Synced WebAuthn credentials across devices

Common 2FA mistakes

  • Storing backup codes in the same password manager as the password (single point of failure if the vault is compromised).
  • Using the same SIM card for SMS 2FA and the password recovery email.
  • Not registering a second hardware key as backup. If the only YubiKey is lost, account recovery becomes painful.
  • Allowing email password reset without requiring 2FA on the reset flow. Many breaches reset the password via email, bypassing 2FA.
  • Not enforcing 2FA for administrators in WordPress. A single unprotected admin account undermines every other security control.

How does InspectWP help with 2FA?

InspectWP detects whether a WordPress site exposes the default /wp-login.php without any visible 2FA challenge by analyzing the login page HTML and known 2FA plugin signatures. Sites with no second factor are flagged in the security section of the report.

Check your WordPress site now

InspectWP analyzes your WordPress site for security issues, SEO problems, GDPR compliance, and performance — for free.