Update: WordPress Email Two-Factor Authentication – No Auto-Login Links

Blog

This is a quick explanatory update on our Shield Security plugin for WordPress.

We’ve been providing email-based two-factor authentication (2FA) for a looong time. And recently we’ve received some feedback about the placing of a direct-login link within the email that is sent out.

How Shield’s Two-Factor Authentication Portal Works

With the portal you’re prompted to enter any or all of your 2FA codes to confirm your login. If you have turned on email-based 2FA, then you’ll get an email with both the code you need, and also a link.

This link will do 1 of 2 things:

  • if you have 2 or more factors that are required, then it’ll pre-populate the portal with your code #neat
  • if email is your only 2nd factor, it’ll log you straight into the site automagically #super-neat

The problem arises with the 2nd option. If a 2-factor email is sent out and intercepted, then the unwelcome visitor wins with a direct link right into your WordPress admin.

The chances of this are slim for 2 reasons:

  • the two-factor portal has a 5 minute window. If you miss it, you have to start your login from scratch.
  • the link can only ever be used once.

But the chance, however slim, remains. So what is the next step?

Decision: Remove The Automatic Login Link

The link is really convenient, but we feel that there is little/no inconvenience in copy-pasting the code into your login portal.

So from Shield v5.12.2 we’ve removed the link from the outgoing two-factor email. You will now have to copy-paste the code into the portal directly.

We apologise if this is a problem for you, but we hope you’ll understand the reason behind it.

Thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *

×