Google Authenticator for WordPress

The Google Authenticator plugin for WordPress gives you multifactor authentication using the Google Authenticator app for Android, iPhone and BlackBerry.

If you are security aware you may already have the Google Authenticator app installed, using it for multifactor authentication on your Gmail or Google Apps account.

The multifactor authentication requirement can be enabled on a per-user basis: you could enable it for your administrator account and log in as usual with less privileged accounts.

Notice: This plugin requires the SHA1 and SHA256 hashing algorithms to be available in your PHP installation; it is not possible to activate the plugin without them. (The time-based codes the Google Authenticator app produces are HMAC-SHA1 based, so the code check itself depends on SHA1.)


Howto

  1. Install and activate the plugin.
  2. Enter a description on the Users -> Profile and Personal options page, in the Google Authenticator section.
  3. Scan the generated QR code with your phone, or enter the secret manually (if entering it manually, remember to pick the time-based option).
  4. Remember to hit the Update profile button at the bottom of the page before leaving the Personal options page.
  5. That’s it, your WordPress blog is now a little more secure.
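Behind those steps is a standard TOTP enrollment: the QR code encodes a Base32 secret in an otpauth:// URI, the phone app and the server both derive a 6-digit code from HMAC-SHA1 over the current 30-second timeslot, and the login compares the two. The Python below is an added example written for this page, not the plugin's own code; it assumes a 16-character secret, a "WordPress" issuer label like the one the QR codes on this page carry, and a tolerance of one timeslot either side for clock drift, none of which the page specifies for the plugin. It also percent-encodes the description, since a raw space in the URI is the likely reason a description containing spaces is reported as an invalid barcode in the comments (an assumption, not something the page states).

```python
import base64
import hashlib
import hmac
import os
import struct
import time
import urllib.parse

# Defaults of the Google Authenticator app (RFC 6238): HMAC-SHA1,
# 30-second timeslots, 6-digit codes. This is why the plugin needs SHA1 in PHP.
STEP_SECONDS = 30
DIGITS = 6


def new_secret(nbytes=10):
    """Random shared secret, returned as 16 Base32 characters (the form typed in on
    manual entry). 10 bytes is an assumption; the page does not state the plugin's length."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret, description, issuer="WordPress"):
    """Payload of the QR code. The description becomes the account label in the app.
    Percent-encoding it matters: a raw space makes the URI invalid, which is the likely
    cause of the 'invalid barcode' reports for descriptions with spaces (assumption)."""
    return "otpauth://totp/{}?secret={}&issuer={}".format(
        urllib.parse.quote(description, safe=""),
        secret,
        urllib.parse.quote(issuer, safe=""),
    )


def hotp(secret, counter):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def timeslot(at):
    """Number of the 30-second slot containing the given epoch time."""
    return int(at) // STEP_SECONDS


def totp(secret, at=None):
    """The code the phone shows at time `at` (seconds since epoch; default now)."""
    return hotp(secret, timeslot(time.time() if at is None else at))


def verify(secret, submitted, at=None, drift=1):
    """Server-side check of a submitted code. `drift` slots either side of now are
    accepted so a clock a few seconds off still works; a phone or server drifted
    further than that produces the 'incorrect or has expired' error. The
    drift=1 window is an assumption, not the plugin's documented value."""
    submitted = submitted.replace(" ", "").strip()
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    now = timeslot(time.time() if at is None else at)
    return any(
        hmac.compare_digest(hotp(secret, slot), submitted)
        for slot in range(now - drift, now + drift + 1)
    )


if __name__ == "__main__":
    secret = new_secret()
    print("secret to enter manually:", secret)
    print("QR code payload:", otpauth_uri(secret, "My Blog"))
    code = totp(secret)
    print("code right now:", code, "-> verifies:", verify(secret, code))
```

Run it once to get a secret and a QR payload, paste the payload into any QR generator, scan it with the app, and the app's code should verify against the same secret for as long as the two clocks agree to within the drift window; a phone or server that is minutes off fails exactly the way the "incorrect or has expired" reports in the comments describe.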

Screenshots

Google Authenticator enhanced login box

Google Authenticator Settings

Google Authenticator QR code

Android Google Authenticator App


389 comments on “Google Authenticator for WordPress”

  1. Rick Copeland says:

    Henrik, From reading earlier posts, I see that the plugin can be turned on or off for each user, so I have turned it off for my client’s user account. I presume that if she wants to use it, she can activate it herself and get the app on her own phone.

    Thanks!
    Rick

  2. habi says:

    If I activate this plugin, then I cannot use http://illuminex.com/ecto/ anymore. The posts cannot be retrieved: http://cl.ly/P7pm
    If I deactivate the plugin, everything works fine. Is there a work-around to make XML-RPC work?

  3. Tom Collis says:

    Hi, I am using WordPress 3.5.1 and had a few problems with lines 171, 176, 177, 179, 182, 192, 193 and 197 of the code, as a function has been deprecated. I have resolved these and I’m happy to provide the files, just email me.

    Great Plugin by the way.

    • Henrik Schack says:

      Hi Tom
      I’m confused, some of the line numbers you mention map to comments, perhaps you could explain in detail on email? henrik at schack dot dk

      Best regards
      Henrik Schack

  4. Queena says:

    Hi Henrik,

    I had installed the google authenticator app on my android and I had changed the name for one of my accounts on my android. And since I have done this I have not been able to log onto that account. Do you know how I can fix this?

    • Henrik Schack says:

      Hi Queena
      Not sure it’s related to my plugin, but you could try to remove it.
      SSH or FTP into your server and delete the wp-content/plugins/google-authenticator directory

      Best regards
      Henrik Schack

  5. noktec says:

    Hi,

    I tried it today, and it actually doesn’t seem to work if the description contains two words.

    Regards.

  6. Rochelle says:

    Hello! I installed the app and it works just fine on my PC, but all my iOS apps no longer work. I tried typing in the App Password given but it’s not working. Do you have any troubleshooting tips for this error? Thanks!

    • Henrik Schack says:

      Hi Rochelle
      Sorry about the slow reply, I have been away from keyboard for a couple of days.

      Did you remember to activate the app password login?

      Best regards
      Henrik Schack

  7. Donald Burr says:

    Hi, I have been having a problem for a while where I keep getting logged out of my admin panel, and I believe I have traced the problem down to your Google Authenticator plugin. Once I have disabled that plugin, I no longer get logged out of my admin panel. Have tried everything, different browsers, clearing cache/cookies, etc. Am wondering if you have seen this behavior before and if you have any idea of how it can be fixed. Thanks!

    • Henrik Schack says:

      Hi Donald
      I’m pretty sure it’s not my plugin that is causing your problems; my plugin isn’t capable of logging you out. It can log you in, but not the other way around.

      Best regards
      Henrik Schack

      • Bernd Meitzner says:

        Donald Burr :Hi, I have been having a problem for a while where I keep getting logged out of my admin panel, and I believe I have traced the problem down to your Google Authenticator plugin. Once I have disabled that plugin, I no longer get logged out of my admin panel. Have tried everything, different browsers, clearing cache/cookies, etc. Am wondering if you have seen this behavior before and if you have any idea of how it can be fixed. Thanks!

        Same problem here. I updated to WordPress 3.5.2 some days ago.
        Can that be the problem?

  8. Persiano says:

    Is it possible to activate this for all of my users from the start of registration? Or can they decide at registration whether they want to use the Google Authenticator or not?

    Thanks and good job!

  9. Gardner says:

    I just updated to WP3.6 and your plugin works great! Thanks for making things more secure!

    -g

  10. Leslie Wong says:

    Thanks for your plug-in.

    I am running a self-hosted WP 3.6 blog. Using the Android and iOS WordPress apps, I am unable to log in. I have enabled app password and tried entering the password in all caps with spaces, lower case with no spaces – it doesn’t work.

    I saw on android.wordpress.org/faq that as of WordPress 3.5, you no longer need to enable XML-RPC access.

    Do you have any other suggestions?

    Thanks

  11. Emir Ribic says:

    Hey there,

    Just installed your plugin and activated it as explained before. Now, I can’t log in. I use the correct key 100% (tried 4-5 times), but I get the following error:

    ERROR: The Google Authenticator code is incorrect or has expired.

    Could you please provide some help? Regards

    • Henrik Schack says:

      Hi Emir
      The problem is most likely caused by time drift on the server or your phone.
      Try to get the server admin to install an NTP daemon on the server, and check the time on your phone

      Best regards
      Henrik Schack

      • Simon K B says:

        Hi, the error “The Google Authenticator code is incorrect or has expired.” is displayed on one of my accounts. I’ve 2 accounts (1 as admin & 1 as author). I get this error when I log in as author. If time drift is causing this error, which I’d agree with, then why does logging in as the admin user work fine? Is it due to the fact that it’s an admin account and time drift doesn’t come into the picture?
        Thanks. Very nice plugin though. I like it. great work.

  12. John Patrick says:

    When I scan the barcode on the user profile page, I get an “Invalid Barcode” message: “This barcode is not a valid authentication token barcode. Try again.” I have tried multiple times but get the same result.

  13. Chris says:

    This plugin causes that you can no longer use the WordPress Android app for blogging.
    There is then an error “wrong login data”, even if they are really right.

    When I deactivate the Google Authenticator plugin, then the WordPress Android app logs me in.

    Any help for this?
    I don’t want to miss the Google Authenticator plugin at my sites when using a normal desktop computer, BUT I also want to blog from my WordPress Android app when I’m not at home.

  14. CSharpner says:

    I successfully installed and configured this on my WP blog, then some time later my phone crapped out on me and now I can’t log into wp-admin on my blog (haven’t been able to for 9 months now).

    I DO have FTP access to my server though. How can I disable this having access only via FTP?

    • Henrik Schack says:

      Hi CSharpner

      FTP to your account and delete the wp-content/plugins/google-authenticator folder, and you’re good to go.

      Best regards
      Henrik Schack

      • CSharpner says:

        THANKS!!!!!!!!!!!!!!

  15. Maurice Green says:

    Henrik,
    This is an awesome plugin but I have some problems with it.
    I installed Google Authenticator, but it would not activate when I checked the box. When I clicked on the Update Profile button it reset the Authenticator settings to default and cleared the ‘Activate’ box. Then I read that Theme My Login can interfere. Deactivated TML and the activate worked fine. Reactivated TML and was able to log in fine. BUT…
    If, as admin, I tried to activate Authenticator for another user, the only choices I had were “Hide the Authenticator settings” and “Activate Authenticator”. IF I activated it, the login would not recognize MY Authenticator code. I assume that this is because the Authenticator settings for the new user are the default “WordPressBlog”.
    If I logged in as a user and went to the profile, all the Authenticator settings were there but I could not activate the Authenticator because TML was active and a REGULAR USER can not deactivate it. This is a real ‘catch-22’.
    And just to rub salt in the wound, the log-in screen shows the box for Google Authenticator Code whether it is active for the user or not which is very confusing to a user who doesn’t know what the Google Authenticator is.
    I really only want to use it for the Admin account and not have it show up for other users.
    Where do I go from here???

    Maury

    • Henrik Schack says:

      Hi Maury
      Your users have to activate the plugin on their own.

      Those two options, which you as an admin user can see on a normal user’s profile, are used for:

      Hiding the settings: prevents the user from activating the plugin. Not all users are “suited” for a more complicated login, these users are probably the ones you would never ever give admin rights 🙂

      Activate/Deactivate: helps a user with a lost phone; when you remove the checkmark, the user will be able to log in without entering a second-factor code.

      Best regards
      Henrik Schack

  16. Maurice Green says:

    Henrik,

    I realized the purpose of the administrative control over other users use of the Google Authenticator. So apparently your plugin is really incompatible with the security feature in the Theme My Login plugin. As long as the TML plugin is active, NO user will be able to activate the Google Authenticator and since they don’t have the permission to deactivate TML they can’t use GA.
    There still remains the question of whether there is any possibility to remove the entry on the login screen for those users who are NOT using GA or whether, for example, the GA screen could appear separately AFTER login for those users who are using it?

    Maury

    • Henrik Schack says:

      Yes it would be possible to remove the GA code entry field and let it appear only in case the user has the plugin activated. Next thing happening would probably be users complaining it’s way, way too easy to figure out the “weak” accounts and hacking away on those users’ passwords.

      Did you consider simply informing your users about the plugin and the code entry field that can be ignored in case the user hasn’t activated the plugin?

      Best regards
      Henrik Schack

  17. Is there a way to set up the authenticator so that I only have to use the authentication number when I am using a new computer?

  18. Gerard @ CAP5 says:

    Dear Henrik,

    I have 3 websites for my company (sandbox, accept, production) on which I would like to use the same secret. Is it easy to set up using one secret for 3 websites? Or would this involve database hacking?

    Thanks a lot for your response.

    Kind regards,

    Gerard.

  19. Rob says:

    Thanks for this great plug-in. If I may suggest one small change in the next release – please include a note beside the “Description” text box that says spaces cannot be used. This is really minor and it only took a few seconds of wondering why the QR code was being reported back as invalid. Once I removed the spaces from the description, it worked flawlessly.

    Cheers

  20. Ulf says:

    Hey there,

    it seems that your great plugin has stopped working in WP 3.6.1. Can’t log in anymore with the codes shown. Server and mobile phone time are exactly in sync. Re-installed the plugin, but nothing helps. Any suggestions?

    Cheers
    Ulf

    • Henrik Schack says:

      Hi Ulf
      No, it’s working fine, I just logged in using it like 30 seconds ago.
      It sounds like you perhaps could have a time drift problem on your phone or the server hosting your blog.
      Did you check that?

      Best regards
      Henrik Schack

      • Ulf says:

        Hi Henrik,

        thanks for reply. The time on the server (checked via ssh) is within 1 second exactly the same as on my mobile phone. I created a new secret, tried it with the QR-code and manual. Nothing helps. Any further suggestions?!

        Cheers
        Ulf

        • Ulf says:

          Hi Henrik,

          I solved it now. Restarted my mobile phone. Now it works. Sorry for bothering you.

          Cheers
          Ulf

  21. Jorge Herran says:

    Hello Henrik, I think that your plugin is fantastic. I would like to implement it on a WordPress microtasks site that I am setting up, for me (admin) and, depending on its SMS compatibility, for the users. The question is whether it works with SMS (I have my Gmail account configured that way); I read on a third-party site that it does work with SMS. And once it is installed and set to active mode, how could I make it work?

    I noticed that when I am on the login page there is a field that says Google Authenticator code.

    I was googling regarding how to install SHA1 and SHA256 hashing algorithms for wordpress, but I could not find clear info.

    Thanks once again.

    Kind regards from Peru

    Jorge

  22. Jorge Herran says:

    Hello Henrik, I have a problem: I do not own a smartphone (I was looking to check your plugin and, depending on its functionality, buy one just to increase the security of the site). I activated the plugin using my admin account and saved, I logged out and now I can not log in. I would like your advice on how to solve this. As I am still setting up the site and I make backups before installing anything new, it is faster for me to ask for a restoration.

    Kind regards

    Jorge

    • Henrik Schack says:

      Hi Jorge
      FTP/SSH to your webhost and delete the wp-content/plugins/google-authenticator directory

      Best regards
      Henrik Schack

      • Jorge Herran says:

        Hello Henrik, the way to use Firefox for authentication will work for me, thanks for your wonderful plug-in, I will install it.

        Once again, thanks for your wonderful plug-in

        Kind regards from Peru

        Jorge

  23. sasapurin says:

    Hello, Henrik.

    I am Japanese.
    User of WordPress 3.6.1.
    Your program is beneficial for me.

    However, your program may be inconvenient for multi-byte languages.
    When I enter the Google Authenticator code, one would forget to turn off the Japanese input method.

    I would like to add the following (ime-mode) to your code.

    Place: function loginform()
    echo “\t\t\n”;

    Please consider it.

    Best regards
    sasapurin

  24. Jorge Herran says:

    Hello Henrik, I have 3 microtasks marketplace sites under development. I was planning to install your plug-in two weeks before launching them; however, because today I installed the Login Ninja plugin, I noticed that even though my sites were not yet launched, one of them was under a brute-force attack (the Ninja plugin sends me a notification each time someone tries to log in unsuccessfully 5 times in a row as admin), so I successfully installed the Gauth authenticator for PC and your app. It works like magic, however, I have a couple of questions:

    – I deactivated the WordPress bar from the users’ end using a plugin, and as I am testing the site as a user as well I see the field and message of GOOGLE AUTHENTICATOR CODE. I know that it does not work if the user does not activate it (and in my case, there is no WordPress bar on the users’ end); considering that, does it need to be activated by the admin?

    – If I would like to change the message GOOGLE AUTHENTICATOR CODE, how should I proceed (which file(s) should I edit)?

    – If I tell the users of my site that GOOGLE AUTHENTICATOR CODE is available on request (let’s say, by sending an email message), how should I proceed? Also: does it compromise my site’s security in any way (if my users have the authenticator activated)?

    – A final question: Do you have a similar module /plugin for joomla? (if you do, I would like to install it on my joomla sites)

    Thanks for your time, thanks once again for your plugin and Gauth and have a nice halloween.

    Kind regards

    Jorge

    • Maurice Green says:

      Jorge,

      Since I couldn’t control whether or not the Google Authenticator field appeared on the login screen, I simply reworded the line above the box to read “Authentication Code (Admins only)” so it wouldn’t confuse the regular user.
      In the google-authenticator.php file, I modified the verification code field as follows:

      /**
       * Add verification code field to login form.
       */
      function loginform() {
          echo "\t<p>\n";
          echo "\t\t".__('Authentication code (Admins only)','google-authenticator')."\n";
          // The <input> markup on this line was stripped on the page; the attributes below are assumed.
          echo "\t\t<input type=\"text\" name=\"googleotp\" class=\"input\" value=\"\" size=\"20\" />\n";
          echo "\t</p>\n";
      }

      Hope this helps.

      Maury

      • Jorge Herran says:

        Hello Maury, thanks for your support. Could you please let me know on which line I should enter your code?

        Kind regards from Peru

        Jorge

        • Maurice Green says:

          Jorge,

          It’s in google-authenticator.php. If you cut and paste the entire snippet it’s lines 138-146.

          Otherwise you can just change the text in the echo statement at line 143 in function loginform ()

          Maury

  25. Andrew Kurtis says:

    Hello Henrik,

    My name is Andrew, I am with WebHostingHub Support. We have found your Google Authenticator plugin at http://henrik.schack.dk/google-authenticator-for-wordpress/ very interesting and we would like to translate it into Spanish to help people from the Hispanic community. Do I have your permission to do that?

    I hope I’ll hear from you soon.

    Kind regards

    Andrew Kurtis
    WebHostingHub Support

  26. dariusz says:

    hi,

    the google auth plugin is awesome; until wp 3.7.1 it worked like a charm, but with the latest wp you can just leave
    the auth code field empty and you log in to wp admin with login and password only. Could you fix this asap please?

    regards
    darek

  27. Tomislav says:

    Hello,

    What about some backup verification codes in case our mobile phones get lost or stolen?

    Thanks.

    • Henrik Schack says:

      Hi Tomislav
      Backup codes would make sense when dealing with some hard to reach company like Google or Dropbox.
      With a self-hosted blog you simply SSH or FTP to your account and delete the plugin.

      Best regards
      Henrik Schack

  28. polYc says:

    Hello

    I have done a French translation; if you want to add it to your plugin, contact me back 🙂

    Thanks for your plugin.

  29. Nick says:

    Hi Henrik

    Thanks for writing this software, it’s very useful. I have it running on two domains and it’s running fine on the first. On the second domain, I have about 20,000 users and when I turn on the authenticator, it seems to turn it on for all 20k users. I only want it on for the admin account. How can I do that?

    thanks
    Nick

  30. Hugo Gameiro says:

    I wonder why the WordPress iOS app manages to run without asking for the Google Authenticator code

  31. zorinho says:

    Hi,

    I’ve translated your plugin into Spanish using Poedit; if you want I can send you my translation.

    I would also like to know how I can disable your plugin for certain categories of registered users.

    Best

    • Henrik Schack says:

      Hi Zorinho
      I would love a Spanish translation 🙂 Can you email it to henrik at schack dot dk?

      Regarding your question:
      This plugin isn’t enabled until the user chooses to enable it.
      If you want to, you can hide the settings from the user by editing the actual user profile.

      Best regards
      Henrik Schack

  32. Robert says:

    Thanks a lot for your great plugin – I am using it on multiple sites.
    I just wonder if you could tell more about the new feature, which prevents man-in-the-middle-attacks?
    thx,
    Robert

    • Henrik Schack says:

      Hi Robert
      I’ll give it a try 🙂
      A login with Google Authenticator happens in a 30 second timeslot, and on successful login I store the actual timeslot number in which the login happened.

      The code contains some simple logic saying: Current login has to happen in a timeslot greater than the timeslot in which the last login happened.
      This invalidates your code in the moment your login is successful.
      Older codes are invalid as well since they match a timeslot back in time.

      Did that make sense ?

      Best regards
      Henrik Schack
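The check described in this reply, as an added example in Python (not the plugin's code): the verifier remembers the timeslot of the last accepted code per user and refuses any code whose slot is not newer, so a code captured on the wire is worthless once the real login has gone through, and an older code still inside the drift window is rejected too. The one-slot tolerance either side of "now" and the in-memory `last_slot` are assumptions; the page does not say how wide the plugin's window is or where it stores the value (in WordPress it would be user meta).

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp6(secret_b32, counter):
    """6-digit HMAC-SHA1 code for one timeslot (RFC 4226 truncation, as the app does)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return "%06d" % (value % 1_000_000)


class OtpLoginGuard:
    """Per-user verifier with the 'must be a later timeslot than the last login'
    rule. drift=1 (assumed) is how many slots either side of now are tolerated
    for clock differences between phone and server."""

    def __init__(self, secret_b32, drift=1):
        self.secret = secret_b32
        self.drift = drift
        self.last_slot = -1  # assumption: nothing stored before the first login

    def login(self, code, now):
        """Return 'ok', 'replayed' or 'bad_code' for a code submitted at epoch time `now`."""
        now_slot = int(now) // STEP_SECONDS
        # Newest slot first, so a genuinely fresh code is matched before an older one.
        for slot in range(now_slot + self.drift, now_slot - self.drift - 1, -1):
            if hmac.compare_digest(hotp6(self.secret, slot), code):
                if slot <= self.last_slot:
                    # Genuine code, but its slot has already been used for a login:
                    # a replay of a captured code, or an old code inside the window.
                    return "replayed"
                self.last_slot = slot
                return "ok"
        return "bad_code"


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, with a login at t=59 and a
    # replay of the same code a few seconds later.
    guard = OtpLoginGuard("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    first = hotp6(guard.secret, 1)
    print("login at t=59:", guard.login(first, 59))
    print("same code again at t=70:", guard.login(first, 70))
    print("next slot's code at t=70:", guard.login(hotp6(guard.secret, 2), 70))
```

The side effect Henrik mentions is visible here: the user cannot log in twice with the same code inside one 30-second slot, because the second attempt is indistinguishable from a replay.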

      • Robert says:

        I guess that makes sense.

        Another idea/feature request: I am using your plugin on a site where I am the only admin user and there are lots of users with lower user roles. Your plugin adds the Google Authenticator form field on the login page for all users, which confuses some of my users who are not so technically profound, resulting in support requests: “what is my Google code?” although they didn’t activate login via Google Authenticator.
        It would be great if you could add a setting which allows setting the user role for which the additional form field is shown on the login screen.
        I know this might be bad if users with a user role lower than admin also have Google Authenticator activated in their profile – so either a checkbox where you can select multiple user roles would be needed, or a better solution could be to leave the login form as it is and redirect the user to a new extra page which asks the user to enter the code after he has successfully entered his userid/password.
        what do you think about this?
        best,
        Robert

        • Henrik Schack says:

          Hi Robert
          I have given this a lot of thought.

          Never underestimate the power of communication. If I was about to install my plugin on a blog with a large userbase the first thing I would do would be to inform the users with an email.
          You know, something like:
          Hi Users
          I’m about to increase the security on our blog with a new plugin, as a result you will see an additional input field on the login page, please ignore this.
          If you want increased security on your own account you can enable the feature on your user profile page.

          This would remove much of the confusion, and the rest can be answered with a simple “read your email, please”.

          Breaking the loginflow into 2 parts does require “hacking” the way things work in WordPress, I do not want to do that in order not to cause problems with future WordPress versions.

          I am thinking about “hiding” the code inputfield. Things would then work something like this :
          Login page only displays username/password fields, as soon as you leave the username field an AJAX call is performed in order to figure out if the code inputfield should be un-hidden/enabled.

          Best regards
          Henrik Schack

        • Robert says:

          I would rather like to avoid informing my users via email as I would like to keep the number of emails I send them low. I also have a special setup where I use the WordPress authentication for my GlotPress translation instance, so this makes it less important for my users too.

          Hacking the way WordPress handles login would be a bad idea, I agree totally with you here. The AJAX solution you mentioned would be a great approach in my opinion.
          best,
          Robert

        • Maurice Green says:

          Robert,

          I use a very simple ‘social engineering’ approach. I modified the template to read “Authentication code (Admin only)” and then hid the settings for all of the users. I suggested to Henrik that ‘hide the settings’ should be the default.

          Maury

  33. nickfox says:

    I keep getting an email notification every time someone posts a message. Can you please turn that feature off.

    Nick

  34. Kc says:

    Hey, is it possible to remove the “WordPress” from showing up in the google authenticator app on my phone?
    I wish that feature was never put in there as it doesn’t brand my website, but wordpress instead.

    This feature was just implemented in 0.47
    “QR codes now contain a heading saying WordPress (Feature request by Flemming Mahler)”

    • Henrik Schack says:

      Hi KC
      You are supposed to put your website branding in the Description field.
      I just implemented it like Google, Dropbox and others did.
      Anyway I think I’ll make it configurable in one of the next versions, I just have a few other things on the ToDo list that have to be completed first.

      Best regards
      Henrik Schack

  35. Zorinho says:

    Hi KC,

    it seems there’s a problem today when I try to log in:

    “Service Temporarily Unavailable
    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.”

    When I deleted google authenticator by ftp access, all was well.

  36. Zorinho says:

    Sorry, I meant Hi Henrik 🙂

  37. Robert says:

    please remove my email from notifications (a plugin like http://wordpress.org/plugins/subscribe-to-double-opt-in-comments/ allows users to do that by themselves, FYI)

  38. Zorinho says:

    Hi Henrik,

    sorry to insist, but the problem persists.

    I have to delete the plugin via FTP access so I can log in!

    Once the plugin is deleted, all problems stop instantly, so the problem comes from the plugin.

    The biggest problem is that all people registered with a profile, with OR without Google Authenticator activated, have the same problem logging in.

    The site where I work will have several hundred or thousands of registered users so it’s a real big problem.

    Could you please give me the link or send me the 0.46 version so I can test?

  39. Aryan says:

    Just installed this plugin on my site for extra protection of the admin account.

    But this plugin locked me out of WordPress. I tried many many times, but it says: ERROR: The Google Authenticator code is incorrect or has expired.

    For now I have removed it via FTP.

    Please suggest how to fix this issue; I really need this.

    Thanks.

  40. Henrik Schack says:

    Hi Aryan
    Normally this sort of issue is caused by drifting time on your server or phone. Do you have an NTP daemon running on the server?
    It could also be a conflict with some other security related plugin.
    Feel free to email me a list of the plugins you have enabled : henrik at schack dot dk

    Best regards
    Henrik Schack

  41. Maurice Green says:

    Henrik,

    I am recruiting new users to my site and some find the Google Authenticator entry confusing. I have now relabeled it “Administrator Use Only”. And then they get confused when they see the settings on their profile page.
    I asked once before. Is there any way to make “Hide settings from user” on the user profile the default setting? Then I could turn it on only for those who need it.

    Maury

  42. Mike says:

    Is there a way to assign the secret?
    I see create new. But I can’t change it to what I want to.

    I think the plug-in works great!

    What I want to do is to use this plug-in on all of the WordPress pages that I manage (over 100) but I don’t want over 100 choices on my smartphone.

    So what I am looking for is to use one secret code on all of my WordPress logins

    Mike

    • Henrik Schack says:

      Hi Mike
      There is no way to enter the secret manually.
      I did things this way in order to prevent users from entering bad/easy to guess values, as I have no doubt
      who will get blamed in case the protection is “broken” by some hacker guessing one of these easy to guess values.

      I fully understand your issue, a workaround would be to manually copy the googleauthenticator_secret value for the userid in question from the wp_usermeta table to all the other installations.

      Impressive amount of blogs you manage by the way 🙂

      Best regards
      Henrik Schack

  43. Can I generate backup codes like WordPress.com?

    • Henrik Schack says:

      Hi Tareq
      You don’t need backup codes, in case you lock yourself out, you simply FTP or SSH to your installation and delete the google-authenticator folder.
      I’ve replaced the normal Google Authenticator app from Google with Authenticator Plus; it allows for several ways of backing up all your codes/secrets

  44. Elaine Chua says:

    Dear Henrik,

    This is an amazing plugin and installing it on our multisite is easy and good.

    Would it be possible that the plugin “force” specific groups of users to use 2FA? For example, the administrators of the blog to use 2FA.

    • Henrik Schack says:

      How about telling your admin users to enable 2FA, remember to explain why it’s a good idea.
      Give it a week.
      Then revoke admin privileges for all admins that haven’t enabled 2FA.
      Best regards
      Henrik Schack

      • Elaine Chua says:

        Dear Henrik,

        As mentioned, I’m running it on a multisite (>50 sites on a WordPress installation). Is there any way for me to trace whether users have it enabled?

        Or do I have to go into each and every one of their profiles to enable it? If I enable it and they have yet to set up their google authenticator app, will they be logged out of the site?

        Kindly advise.

        Thank you!

        • Henrik Schack says:

          Hi
          You can’t enable it for other users; only the user himself should know the secret used for code generation. But you can disable the feature in case they lose a phone or otherwise lose access to the codes.

          If you can’t trust your users to enable 2FA when you ask them to do so, I would say they shouldn’t have been admins in the first place 🙂

          Best regards
          Henrik Schack

  45. Elaine Chua says:

    Dear Henrik,

    The multisite installation that I’m dealing with is an installation which we use to support Teaching & Learning with blogs. Teachers aren’t the most “obedient” users of technology, and to them 2FA is an additional step.

    Haha, but let me try to get them on board first. They will have to understand that, in light of all the recent hackings, 2FA is the way to go.

    Thank you very much!

    • Henrik Schack says:

      Cool, in my opinion enlightening users is a much better way to go than forcing them to do stuff they don’t really understand 🙂

      • Elaine Chua says:

        Thank you very much!

      • Maurice Green says:

        Yes, persuasion is better than coercion. And Stanford University has now made 2FA mandatory for all users. But for most websites, while it makes good sense to use 2FA for admins who have rights to the dashboard and other sensitive areas of the site, it usually does NOT make sense for ordinary users unless the site contains sensitive information. This is why I have repeatedly asked if it is possible to modify this very useful plug-in so that the DEFAULT setting for the user profile is that 2FA is DISABLED. Then the site admin would only have to enable it for a select number of admins, moderators, etc. and the ordinary user would not be confused by it. Surely the PHP modification can’t be that difficult to do.

        maury

        • Henrik Schack says:

          Hi Maurice

          1) Stanford University is (quoting your website) one of the world’s leading teaching and research universities. I’m having a really hard time believing anyone at such a place should actually get CONFUSED 🙂
          At least not after a 5 min. introduction to web security.

          2) Every account can be abused, you don’t need to be an admin for that. All it takes is access, then someone could introduce a drive-by attack by replacing an image with a malicious one.
          http://en.wikipedia.org/wiki/Drive-by_download

        • Maurice Green says:

          Henrik,
          Sorry if I wasn’t clear. Obviously there is little if any problem with 2FA at Stanford and it is done because users may be accessing sensitive information like patient records in the medical school.
          I was referring to ordinary websites like my homeowner’s association (which is a combined public and members-only site). This is why I changed the wording on the GA template to indicate that the input field in the login box was only for administrators. And any impediment to access for the ordinary user rapidly diminishes traffic on the site.

          Maury

        • Elaine Chua says:

          Dear Henrik,

          Actually I have to agree that this plugin should be on the “disabled” state by default.

          It was horrifying to say the least, when I noticed that the plugin was enabled for my colleague who couldn’t login since he has not configured the GA for his account.

          If he could not even login after the plugin is enabled, how is he going to even set up GA? And for the multisite that I’m running on, as it is a platform for BOTH teachers and students –> elementary school students WILL NOT have a phone with them.

          And there is no way to generate GA codes without a phone app. The chrome plugin has been pulled off from chrome store.

          Anyway, this is only for your consideration.

          Thank you.

        • Henrik Schack says:

          My plugin doesn’t prevent anyone from logging in, not until the user in question enables it on his/her profile

        • Elaine Chua says:

          Dear Henrik,

          Then something must be wrong for me.

          When I log out and try to use another account (which did not check “active” for GA), the login page by default shows the GA code field and the user cannot login without entering a GA code.

          I had to login with my account (with GA), disable the plugin.

          Kindly advise.

        • Henrik Schack says:

          Here is how it works:
          Once the plugin is installed, the additional input field is always shown.
          However, as long as the user hasn’t activated the plugin in his user profile, the field is ignored.
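Two points from this thread are worth seeing as code: Henrik's earlier reply that only the user should hold the secret the codes are generated from, and his explanation just above that the code field is always on the login form but is only checked for users who activated the feature on their profile. The Python sketch below is an added example written for this page, not the plugin's code or anything a commenter posted. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits, the scheme the Google Authenticator app uses) with a one-step skew window and a constant-time compare, and a `login_allowed` check that skips the code for users who have not enrolled. The user-record keys `ga_enabled` and `ga_secret` are a constructed stand-in for per-user storage, not the plugin's actual user meta; the secret is the RFC 6238 reference secret, so the codes are checkable against the RFC's vectors.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # RFC 6238 default time step, in seconds
DIGITS = 6    # Google Authenticator displays 6-digit codes
WINDOW = 1    # also accept the code of the previous/next step to absorb clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Google Authenticator secrets are unpadded base32 (case-insensitive, spaces tolerated)."""
    cleaned = text.replace(" ", "").strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = WINDOW) -> bool:
    """Compare the submitted code against the current step and +/- window steps."""
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return False
    counter = unix_time // STEP
    ok = False
    for k in range(-window, window + 1):
        if counter + k < 0:
            continue
        # Evaluate every candidate rather than short-circuiting, and compare in constant
        # time, so response timing does not reveal which step (if any) matched.
        ok |= hmac.compare_digest(hotp(secret, counter + k), code)
    return ok


def login_allowed(user: dict, password_ok: bool, code_field: str, unix_time: int) -> bool:
    """Behaviour described in the thread: the code field is always present on the form,
    but it is only checked for users who enabled 2FA on their own profile.
    'ga_enabled' / 'ga_secret' are a constructed stand-in for per-user storage (assumption)."""
    if not password_ok:
        return False
    if not user.get("ga_enabled"):
        return True  # field ignored: this user never activated the feature
    # Anyone holding ga_secret can compute valid codes, which is why the secret must be
    # generated on, and known only to, the enrolling user's own profile.
    return verify_totp(decode_base32_secret(user["ga_secret"]), code_field, unix_time)


if __name__ == "__main__":
    # Constructed users; the secret is RFC 6238's reference key "12345678901234567890" in base32.
    secret_b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    admin = {"ga_enabled": True, "ga_secret": secret_b32}
    reader = {"ga_enabled": False}
    code = totp(decode_base32_secret(secret_b32), 59)
    print("code at t=59:", code)                                           # 287082
    print("admin, correct code:", login_allowed(admin, True, code, 59))    # True
    print("admin, empty field:", login_allowed(admin, True, "", 59))       # False
    print("reader, empty field:", login_allowed(reader, True, "", 59))     # True
```

The skew window is the usual compromise: a phone a few seconds off still works, but a captured code is only useful for about 90 seconds. The same function also shows why an admin cannot enroll someone else: whoever generates `ga_secret` can produce valid codes for that account.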

        • Elaine Chua says:

          Dear Henrik,

          Thank you very much for the clarification!

          Is there any way we can avoid showing the field unless it is made “active” by the user’s preferences?

          Thank you.

  46. Jorge Herran says:

    Dear Henrik,

    First of all, I love your plug-in, it makes us all (administrators) much more secure.

    I am building some micro-service sites using WordPress. I suppressed the WordPress bar for aesthetic reasons, and I use the two-factor authentication for administrative purposes only; however, I would like to give the clients a way to configure it for themselves. Is there any way to do so without using the WordPress bar?

    Kind regards from Peru

    Jorge

  47. Jorge Herran says:

    Thanks for the fast response Henrik!

    I will try it with some tests.

    Kind regards

    Jorge

  48. The plugin works fine on the web. However, I want to be able to use the WordPress iPad app. I have tried multiple times using app-specific passwords but cannot get logged in to my site with the iPad.

  49. zorinho says:

    Hi Henrik,

    How could I add specific CSS in google-authenticator.php for users?

    Thanks,

    • Henrik Schack says:

      You would have to edit the files
      Best regards
      Henrik Schack

      • zorinho says:

        LOL 🙂

        Of course, but the question was more HOW I can do it; I have no idea about adding CSS lines in PHP!

        I would like to add CSS to disable GA for non-admin users and I think it’s the easiest way to do it; I have a specific CSS file for user administration.

        Thanks,

        • Henrik Schack says:

          If it’s the settings on the user profile page, there is actually an option for that when you as an admin edit another users profile.

          Best regards
          Henrik Schack

        • zorinho says:

          Yes, I see it, but I have to enter each profile to disable it. Furthermore, users tend to start by activating GA without knowing what it is, and of course they can no longer enter their administration, so I receive messages asking me to fix it.

          That’s why I’m looking for a way which allows me to deactivate GA for everyone from the start; it is much less problematic for the future.

        • Henrik Schack says:

          I guess you need some css person for that

  50. zorinho says:

    Hi Henrik,

    How could I add specific CSS for the user interface?

    Thanks,
