iThemes Security Two-Factor Settings

Two-Factor Authentication 

 

Two-Factor Authentication greatly increases the strength of a user account by requiring a secondary code in addition to a username and password when logging in. Once Two-Factor Authentication is enabled here, users can visit their profile to enable two-factor for their account. The following settings allow you to enforce the use of two-factor on accounts based on different criteria.

iThemes Security supports multiple two-factor methods: mobile app, email, and backup codes. Selecting "All Methods" is highly recommended so that users can use the method that works the best for them.

Select Available Methods  

Use a two-factor mobile app such as Authy or Google Authenticator (Android, iOS). The mobile app generates a time-sensitive code that must be supplied when logging in.


 

Time-sensitive codes are supplied via email to the email address associated with the user's account. Note: This WordPress site must support sending emails for this method to work (for example, sending WordPress-generated emails such as password reset and new account emails).


 

Provide a set of one-time use codes that can be used to log in if the primary two-factor method is lost. Note: these codes are intended to be stored in a secure location.

Require user accounts of specific roles to use two-factor if the account doesn't already do so. The "Privileged Users" setting is highly recommended as this forces users that can change site settings, software, or content to use two-factor.

Disable forced two-factor authentication and on-boarding for certain users. Users can still manually enroll in two-factor through their WordPress admin profile. This setting will override forced two-factor authentication for Vulnerable User Protection and Vulnerable Site Protection for the selected users.

Note: We don’t recommend changing this from the default, as two-factor authentication is important for all users, not just administrators.

Select Roles to Disable

Require user accounts that are considered vulnerable, such as those with a weak password or those subject to recent brute force attacks, to use two-factor if the account doesn't already do so. Enabling this feature is highly recommended.

 

Require all users to use two-factor when logging in if the site is vulnerable, such as when it is running outdated software or software known to be vulnerable. Enabling this feature is highly recommended.

 

This simplifies the sign-up flow for users that require two-factor to be enabled for their account.

When you login using Two-factor authenticator you’ll be prompted to enter a secondary Authentication Code from your Phone or Email.



Customize the text shown to users at the beginning of the Two-Factor On-Board flow.

Application Passwords are used to allow authentication via non-interactive systems, such as XML-RPC or the REST API, without providing your actual password. They can be easily revoked, and can never be used for traditional logins to your website.

Select Roles for Application Passwords