The Ultimate Guide To Securing Your WordPress Login (For Free!) With Web Authentication

The Ultimate Guide To Securing Your WordPress Login (For Free!) With Web Authentication

Defender had already implemented Two-Factor Authentication (2FA) in WordPress for hardened security… now we’ve added fingerprint/facial recognition, and external hardware security keys, too!

It has become increasingly apparent that relying strictly on usernames and passwords for logins no longer offers the highest levels of security.

WPMU DEV’s solution to addressing this is through the use of the WebAuthn standard, which bypasses vulnerabilities by providing a protocol of public key cryptography as a login authentication method.

Our newest Defender release—both Free and Pro versions—marks the start of our odyssey into the world of Web Authentication; providing the ability to verify the authenticity of a user login by way of biometrics (facial or fingerprint recognition), or a USB security key (e.g., YubiKey).

Usage of these new web authentication methods is similar to the 2FA methods already present in Defender, alongside the existing TOTP (Time-based One-Time Password), backup codes, and fallback email authentication methods.

In this article, we’re going to look at how to implement these new Web Authentication methods, as part of our 2FA WordPress plugin features in Defender.

Continue reading, or jump ahead using these links:

Let’s explore all that Defender has to offer in the form of login protection with the cool new 2FA WebAuth features.

The All-Encompassing Defender

Defender gives you the best in WordPress plugin security, stopping SQL injections, cross-site scripting XSS, brute force login attacks—and other vulnerabilities—with a list of one-click hardening techniques that will instantly add layers of protection to your site.

It also makes safety easier on and for you, taking advantage of the latest in WebAuth security measures.

By way of a quick overview, here’s how this works in Defender… the user will input their username & password to log in, and if Platform authentication has been configured for that device, said user can verify their identity through their fingerprint scanner or facial recognition software. Likewise, if the Roaming authentication has been configured for that device, the user can verify their identity through their USB security key.

Because we’re using the WebAuthn protocol, Defender does not at any point receive any biometric or security key data, only a confirmation or rejection from the user’s device.

I want to interject here with a quick point of interest, shared by one of our techs, Marcel Oudejans (and paraphrased by me)…

The convention of naming a dog “Fido” was popularized by Abraham Lincoln, though its use as a canine pet name dates back to the ancient Romans.

Fido” means “faithful”. FIDO stands for “Fast IDentity Online”. The new Biometric authentication feature uses WebAuthn protocol from FIDO.

So in a lovely, roundabout way, by using the FIDO protocol to implement this feature, one could say we are infusing ‘faithfulness’ into Defender.

Synonyms for faithfulness
Faithful FIDO.

For more technical information on FIDO, check out this article.

Ok, now let’s take an in depth look at these awesome new Web Authentication features.

Full Walkthrough on Web Authentication

First, make sure you have the Defender plugin installed and activated, and update it to the latest version (at the time of this writing, that’s 3.1.1). Defender versions 3.0 and higher are fully compatible with the recently released WordPress 6.0.

Two important things to note up front:

  1. Configuration of authorized devices is required on a per-user basis, since authentication is linked to individual user accounts.
  2. PHP 7.2 or above is required, as it improves performance and security, while also supporting the new biometric feature.

Enable Biometric or USB Security Key

Navigate to the WordPress Dashboard > Defender. If you’ve just now updated, you’ll get the popup modal. Give it a quick read, then click the Got It button.

defender splashscreen
WPMU DEV’s WebAuth features have expanded again!

You’ll be on Defender’s main page now. From the left sidebar, click on the 2FA menu header.

Another popup will appear; click on the Activate button.

Defender activate 2FA
One-click activation in Defender.

Now you’ll see all the section information for Two-Factor Authentication, and all the options we have available here.

From the same Defender 2FA page, under User Roles > Administrator, toggle the button On. Make sure to scroll to the bottom and click on Save Changes.

Toggle on Admin user roles.
Permission to enable 2FA is given through User Roles.

From the Dashboard’s side menu, go to the Users section, and click on your Admin User profile.

Scroll down to the Security section, and next to Web Authentication, toggle the button ON.

web auth toggle on
Selecting the WebAuth feature in Defender.

You’ll see a recommendation to choose an additional authentication method from these options: TOTP, Backup Codes, and Fallback Email.

In the example below, you’ll see I’ve selected Fallback Email, but you can choose whatever method(s) you prefer. Remember to click the Update Profile button at bottom.

Selecting additional authentication methods
The selection of additional authentication methods available in Defender.

Web Authentication does not replace your traditional WordPress login (i.e., username & password), instead adds an additional secure layer, like the other authentication options above.

While many browsers and operating systems are compatible with the WebAuthn protocol used to manage the authentication process, some are currently not. Check here to see WebAuthn’s browser and OS compatibility list.

Register Device

With WebAuth authentication enabled, the Registered Device table will appear, with options to Register Device or Authenticate Device.

Registered device identifiers
Defender keeps a list of Registered Device identifiers.

Clicking the Register Device button will start the prompt from your browser to configure the form of Web Authentication you wish to use, depending on what’s available on your device.

Select an Authenticator Type, enter any name in the Authenticator Identifier field, then click the Start Registration button.

webauth register device
Inputting info to authenticate a device; in this case, a USB Security Key.

Depending on the authenticator type and device you are using, the registration process will differ.

WPMU DEV AccountPRO

Our best pro WP tools in one bundle

Try free for 7 days
30-day money-back

Example 1:

Registering a Windows desktop or laptop will prompt you to enter your Windows Hello PIN, or whatever other authentication method may be enabled on your device.

Windows hello PIN login
The Windows Hello sign in PIN entry.

Example 2:

Registering a mobile device will prompt you to touch the fingerprint sensor, or whatever other authentication method may be enabled on your device.

Verify fingerprint sensor
A sample fingerprint sensor authenticator window.

Example 3:

Registering a USB Security key will prompt you to go through a brief series of steps.

Back on your Users Profile page, if you scroll to the bottom under Security > Registered Device, you’ll see your device listed here, along with a message beneath it confirming it has indeed been registered.

webauth registered confirmation
Congrats! You’re registered. Next up… authentication.

The next step is to authenticate the device you just registered.

Authenticate Device

Once the device has been registered, click the Authenticate Device button.

The same authentication method used to register the device will prompt you to confirm the action.

authenticated device successfully
WebAuth device authentication confirmations for a Desktop PC, and a YubiKey.

Once done, you’ll see a success message appear. Now you’ll be able to use the registered WebAuth options as additional, secure ways to login to your site.

Rename or Delete Device

If desired, you can rename or delete any authenticated device.

Navigate to the WordPress Dashboard > Users, and click on your username.

To Rename:

From Profile > Security > Registered device, click on the Rename text in the Action column. Type the new name, and click Save.

Rename or delete registered device
Action options for registered devices.

To Delete:

Same process as above, but click on the Delete text in the Action column, then click OK from the next popup.

Confirm delete action
Confirming the delete of an authentication.

Be advised that the Delete action doesn’t save settings, so if you decide you want to use the Biometric feature from that device again, you will need to go through the full setup process.

Likewise, if you deactivate any WebAuth functionality on your device, the login will no longer work, and you would need to repeat the process on your device to restore the feature’s functionality.

GDPR Compliance

FIDO Alliance standards were created from the outset with a “privacy by design” approach and are a strong fit for GDPR compliance.

Because FIDO delivers authentication with no third-party involvement or tracking between accounts and services, biometric authentication with FIDO2 compatible devices is fully GDPR compliant.

With FIDO, no personally-identifying information ever leaves your device.

For more information, see the following article on the FIDO website: FIDO Authentication and GDPR.

Enabling Multiple 2FA Methods

If you enable more than one additional authentication method in your profile, each will display as alternate options beneath the method you have set as your default. In the example below, TOTP Authentication is my preferred method.

You can click on any available option in the list, and it will display the selected alternate authentication method.

TOTP authentication
Using a TOTP to authenticate, with alternate methods (per your selection) listed below.

A final note… Web Authentication requires that the following PHP extensions be enabled on your server: mbstring, GMP, and Sodium. These extensions are enabled by default on all sites hosted by WPMU DEV.

If you are hosting elsewhere and any of them are not enabled on your server, you’ll see an alert like the one below. Reach out to your hosting provider to have them enable the extensions for you so that you can use this feature.

Message alert, requirements not met
If you see this message, don’t panic–you’ll just need some PHP extensions enabled.

Click here for WPMU DEV’s full documentation on Defender’s Web Authentication feature.

Additional 2FA Features

A few extra goodies were included in the most recent rollout of Defender. Here’s what else is new:

WooCommerce

Defender now allows users to configure 2FA from WooCommerce’s My Account page.

Simply flip the option on in Defender’s 2FA settings, and enable two-factor authentication for the user role Customer (so the 2FA section appears under the My Account page).

Check Active Users

Defender now allows you to see User 2FA status, or reset it for any reason. To do so:

  • Navigate to WP Dashboard > Defender > 2FA > Active Users.
  • Click on View users; check the Two Factor column to see who has 2FA enabled.
  • Hover over any user, and below their avatar, Reset two factor will display. Click on that, then Save Changes.
2FA users reset two-factor
Defender’s 2FA Active User settings.

You can also skip a step, and navigate directly to WP Dashboard > Users to reset the 2FA.

Custom Graphic from a URL

The Defender icon that appears on your login page can be replaced with a custom graphic of your choosing.

You can now select to link a graphic from a URL, as well as the alternate options of uploading, or having no graphic at all.

The Complete Package

As protective measures go in WordPress, it’s hard to beat Defender.

Defender has powerful security protocols, including malware scanning, antivirus scans, IP blocking, firewall, activity log, security log, and two-factor authentication (2FA), including the two newly added Web Authentication methods–Biometric, and USB Safety Key.

The latest version of Defender also came with an additional, useful enhancement to Defender’s WP-CLI “scan” command. By using this WP-CLI command and option, if any issues are found, Defender will create a table with results.

Previously, you could only see the results of a malware scan from the back-end of the site (at WP Admin > Defender Pro > Malware scanning), but now you’ll be able to see the completed scan results right in the console.

Coming soon for Defender… we’ll expand on our use of WebAuthn, with our devs currently working on the ability to use hardware authentication devices. Plans are also underway to implement ‘password free’ logins in the best way possible, using the WebAuthn protocol.

You can read about upcoming features for any of our tools and services anytime in our product Roadmap.

If 2FA is the question, Defender is the answer. Handling security in your WordPress sites can be as simple—yet complete—as activating Defender.

Do you enable 2FA whenever possible? What are your thoughts on Web Authentication? Let us know in the comments below.

Janette Burhans

Janette Burhans Janette Burhans is a blog writer, WhiP & Roundup contributor, and content creator at WPMU DEV. Her professional career as an author and artist spans over two decades, half of those in the world of WordPress. Her writing has been featured in Glamour magazine, and her personal blog, Platinum Pink. Connect with Janette on Twitter & LinkedIn.