Email-based 2-Factor Authentication: Step-by-step settings

2-factor authentication (2FA) is one of the best ways to secure account access, on any platform, WordPress included. It presents an extra obstacle, another layer of complexity, to unauthorised account access.

Before you start using Shield's email-based 2FA, it is very important to know the difference between the User Email Address and your WordPress Site Email Address:

  • 2FA: User Email Address - Every user name is connected with a specific email address. When you log in with a username, the verification email is always sent to the email address connected with that user name.
  • 2FA: WordPress Site Email Address - This is your site's email address. By default, Shield uses it for sending reports. If you want to be sure what your site email address is, go to your WordPress Dashboard and see Settings > General Settings.

    If you want to see the email address Shield uses for sending reports, go to Shield plugin > Config > General > Reporting section > Report Email option. To change it, enter the address you want into the Report Email field.

    Read more about this here.

Also, you might experience email deliverability issues. This is a major problem for site admins.

Shield calls the standard WordPress function for sending email. It does nothing more. Reliable sending of email on a WordPress site is the responsibility of the site. If a site isn't configured to send email properly, it may work for a while, it may work for some emails and not others, and it may stop working at any time.

It's highly recommended to assess email deliverability on your WordPress site by using a dedicated and properly configured email system, such as the one we personally use: Postmark.
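The two addresses described above and the deliverability problem, as an added example that is not Shield's own code: a small must-use plugin (file name, command name and log prefix are assumptions) that records every wp_mail() failure in the PHP error log and adds a WP-CLI command that prints the site email, optionally a user's email, and sends a test message to the site email. It assumes WP-CLI is available on the host.

```php
<?php
/**
 * Plugin Name: Email 2FA deliverability check (added example, not Shield's code)
 * Description: Logs wp_mail() failures and adds `wp email-check [<login>]`.
 *              Drop this file into wp-content/mu-plugins/ to activate it.
 */

// Shield's verification email and its 2FA login codes both go out through
// wp_mail(). When PHPMailer cannot hand a message to the mail transport,
// WordPress fires wp_mail_failed; log it so a "missing" email can be explained.
add_action( 'wp_mail_failed', function ( WP_Error $error ) {
    $data = (array) $error->get_error_data();
    error_log( sprintf(
        '[email-check] wp_mail() failed: %s | to=%s | subject=%s',
        $error->get_error_message(),
        isset( $data['to'] ) ? implode( ',', (array) $data['to'] ) : '?',
        isset( $data['subject'] ) ? $data['subject'] : '?'
    ) );
} );

// `wp email-check [<login>]` shows which address receives which Shield email
// and sends a test message to the site email address (Settings > General).
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'email-check', function ( $args ) {
        $site_email = get_option( 'admin_email' );
        WP_CLI::log( "Site email (receives 'Email Sending Verification'): $site_email" );

        if ( ! empty( $args[0] ) ) {
            $user = get_user_by( 'login', $args[0] );
            if ( ! $user ) {
                WP_CLI::error( "No user with login '{$args[0]}'." ); // exits
            }
            WP_CLI::log( "User email for {$user->user_login} (receives 2FA login codes): {$user->user_email}" );
        }

        $ok = wp_mail( $site_email, 'Deliverability test', 'If you can read this, wp_mail() works on this site.' );
        if ( ! $ok ) {
            WP_CLI::error( 'wp_mail() returned false; look for the [email-check] line in the PHP error log.' );
        }
        // true only means the transport accepted the message, not that it was
        // delivered, so the inbox (and its spam folder) still has to be checked.
        WP_CLI::success( "wp_mail() accepted the message for $site_email; check that inbox and its spam folder." );
    } );
}
```

Run `wp email-check someuser` on the server; a message that arrives here but a Shield verification email that never does points at filtering on the receiving side rather than at the site's sending setup.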

How to set up Shield's email-based 2FA

To set up Shield's email-based 2-factor authentication (2FA) properly, please follow these steps:

  1. Go to the main Config menu > Login Protection > 2FA: Email section.

  2. Enable the "Enable Email Authentication" option.

    You'll see a message that your site's ability to send email hasn't been verified. You'll probably also see a notice about this inside Shield's admin area (see the screenshot below).

  3. Before completing activation of email-based 2FA, Shield sends you an email to confirm that your site can send email. The email subject will be "Email Sending Verification".

    The notice mentioned above shows exactly where this email has been sent. If you need to resend it, use the "Resend verification email" link.

Important: Pay attention to the email address Shield points out in this notice. It is your WordPress site email, not your user email. The inbox of your WordPress site email is the right place to look for the verification email. If you can't find it there, check the spam folder.

Note: If you haven't yet verified that your site can send email and you need another email with the verification link, you can also disable the 2FA by email option and save settings, then enable the option again and save settings. This triggers another verification email.

  4. Open the link provided in the verification email to confirm that your site can send email.

Note: The link requires that you're logged into the site; if you open it in a different browser, it might not work.

Please try opening the link in the same browser/window in which you're logged into your site. Otherwise, you may get a warning:

    The link you followed has expired.

  5. Email-based 2FA is now set up.

  6. Go back to your email-based 2FA settings and list the user roles you want to be subject to email authentication (under the Enforce - Email Authentication setting).

Email 2FA applies only to the user roles you list here; users in roles that are not listed will not be asked for a code.

Each time a user in one of those roles logs into your site, Shield asks them to verify the login with the 2FA code sent to their email.

Note: The 2FA authentication code is sent to the user's own email address. If it's not in the inbox, it might be in the spam folder.

You can also allow any user to turn on email-based 2FA for their own account (optional), or provide Auto-Login Links for simple Email 2FA.

Email-based 2-factor authentication may seem complicated to set up, but once you go through the whole settings process (the steps listed above), you'll see how easy it actually is. It's worth your time, because Shield's 2FA will keep you and your users safe and protected.