Two-Factor Authentication (2FA) is a wonderful thing as it does a great job of protecting our accounts.
But it has its weaknesses. You’ll know this if you’ve ever lost your phone with your Google Authenticator codes. It can be a painful journey to recover our accounts in these instances.
What if there was a way we could make this recovery process a little less painful?
Login Backup Recovery Codes with Shield Security v6.10
Starting with Shield Security v6.10, we’re introducing backup recovery codes.
These backup codes are 1-time-only passwords that grant 2FA access to your account if, for whatever reason, your other factors aren’t unavailable.
Many service providers that offer Google Authenticator (GA) offer backup codes. They know that losing your GA device can be trouble, as they’ll need to verify your identity and reset your account.
There’s no good reason why your WordPress accounts can’t have them either.
Why Do Login Recovery Codes Matter?
There are a number of reasons why allowing recovery codes, for you and your users, is important.
- A better user experience. When a user drops their phone in the bath, they lose their ability to generate GA codes. They’re now locked out of their accounts and they can’t do anything of their own volition to fix the problem (except contact an admin).
With recovery codes, they can get back in to make changes to their account (i.e. disable their GA and recreate it) without contacting anyone else for help.
- A better admin experience. The less a user must come to you for support, the better your life (and theirs) will be. If a user can solve their own problems without your help, they’re happier, and so are you.
- A better security experience. With added security comes added complexity for everyone. It also presents some anxiety, as we need to be prepared for when it breaks and locks us out. With recovery codes, if you’re having email deliverability issues, recovery codes will help everyone work around the problem, smoothing out any bumps in the road.
Important Characteristics of Shield Recovery Codes
Please bear in-mind the following important characteristics when using recovery codes:
- Single-use only. When you use a recovery code, it cannot every be re-used.
- One at a time. There is only 1 recovery code available at a time, per account. If you generate a new code, it replaces the existing code.
- Manual code (re)generation. You must manually generate your codes from your WP user profile page. If you use the code, you must manually recreate another.
- It overrides multi-factor authentication. If you’ve configured your system to require all factors (i.e. multi-factor authentication) while logging-in, a backup code will still work. I.e. providing a recovery code will always work to complete your login, regardless of how many factors are missing.
- Backup codes are entirely optional. There is a site-level option to turn on/off backup codes, and individual users can generate and delete their backup codes, as they desire.
A recovery code clearly doesn’t replace your account username and password, but you should store this code in a safe place. If your password is compromised, and you haven’t securely stored your backup code, you’re putting your account at risk.
How To Setup Backup Recovery Codes Using Shield
The 1st step is to allow users on the site to use the recovery codes feature:
Once enabled, any user on the site will have a new option in their profile to generate a backup code.
Please note: if the option to generate codes does not appear on their profile, this means that there is no 2FA factor active on their account. This is a recovery system, and not designed to be a standard 2FA option for everyday use.
How To Get Access To The Recovery Codes Feature
This feature is available with Shield Security v6.10, and is a pro-only feature.
If you wish to make use of this pro feature, and all the other pro-features, you can upgrade today for the equivalent of just $1/month.
Any questions or comments, please leave them below. Thank you!