Email-based 2-Factor Authentication: Step-by-step settings
2-factor authentication (2FA) is one of the best ways to secure account access - for any platform, WordPress included. It presents an extra obstacle, another layer of complexity, to anyone attempting unauthorised access to an account.
Before you start using Shield's email-based 2FA, it is very important to understand the difference between the User Email Address and your WordPress Site Email Address:
- 2FA: User Email Address - Every username is associated with a specific email address. When you log in with a username, the verification email is always sent to the email address associated with that username.
- 2FA: WordPress Site Email Address - This is your site's email address. By default, Shield uses this address for sending reports. If you want to be sure what your site email address is, go to your WordPress Dashboard and see Settings > General Settings. If you want to see (or change) the email address Shield uses for sending reports, go to Shield plugin > Config > Plugin Defaults > Report Email and enter the email address you want.
Also, you might experience email deliverability issues. This is a common and serious problem for site admins.
Shield calls the standard WordPress function for sending email. It does nothing more. The reliable sending of email on a WordPress site is the responsibility of the site. If a site isn't configured to send email properly, it can work for a while, it can work for some emails and not others, and it can stop working at any time.
It's highly recommended to assess the email deliverability of your WordPress site by using a dedicated and properly configured email system, such as the one we personally use - Postmark.
How to set up Shield's email-based 2FA
To set up Shield's email-based 2-factor authentication (2FA) properly, please follow these steps:
- Open Shield's Login Guard module and go to the 2FA By Email section.
- Turn on the "Enable Email Authentication" option.
After enabling this option, you'll see a message that your site's ability to send email hasn't been verified. You'll probably also see a notice about this inside Shield's admin area.
- Before completing activation of email-based 2FA, Shield will send you an email to confirm that your site can send emails. The email subject will be "Email Sending Verification".
The notice mentioned above will show you exactly where this email has been sent. If you need to resend it, you may use the "Resend email verification" link.
Important: Pay attention to the email address Shield points out in this notice. The email address is your WordPress site email, not your user email. The inbox of your WordPress site email address is the right place to look for the verification email. If you can't find it in your inbox, check the spam folder.
- Open the link provided in the verification email to confirm that your site can send emails.
Please try opening the link in the same browser/window as you're logged into your site. Otherwise, you may get a warning:
The link you followed has expired.
- Email-based 2FA is now set.
- Go back to your email-based 2FA settings and list the user roles that should be subject to email authentication (under the Enforce - Email Authentication setting).
Note: Email 2FA applies only to the selected (listed) user roles. Users in roles that are not listed will not be asked for email 2FA.
- Each time users in those roles try to log into your site, Shield will ask them to verify their login with the 2FA login code sent to their email.
Note: The 2FA Authentication Code will be sent to the email address of the user. If it's not in the inbox, check the spam folder.
- You can also allow any user to turn on email-based 2FA for their own user account (optional).
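To make the flow described above concrete, here is an added illustrative example (not Shield's own code) of an email one-time-code check built only on standard WordPress functions: the code goes to the user's address via wp_mail(), only a keyed hash of it is stored, and it expires, is single-use and is limited to a few guesses. The function names and the user-meta key are hypothetical, and the snippet assumes it runs inside a loaded WordPress environment.

```php
<?php
// Added example, not Shield's code. Assumes WordPress is loaded (wp_mail, wp_salt,
// user meta API). Names below are hypothetical, chosen for this illustration.
const EXAMPLE_2FA_META_KEY  = 'example_email_2fa';    // hypothetical user-meta key
const EXAMPLE_2FA_CODE_TTL  = 5 * MINUTE_IN_SECONDS;  // how long a code stays valid
const EXAMPLE_2FA_MAX_TRIES = 5;                      // wrong guesses before the code is voided

// Generate a 6-digit code, store only its keyed hash plus expiry and attempt counter,
// and send the code to the *user's* email address with wp_mail(), the standard
// WordPress sending function (the same one the article says Shield relies on).
function example_send_email_2fa_code( int $user_id ): bool {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return false;
    }
    $code = sprintf( '%06d', random_int( 0, 999999 ) );
    update_user_meta( $user_id, EXAMPLE_2FA_META_KEY, [
        'hash'    => hash_hmac( 'sha256', $code, wp_salt( 'auth' ) ),
        'expires' => time() + EXAMPLE_2FA_CODE_TTL,
        'tries'   => 0,
    ] );
    $site    = wp_specialchars_decode( get_bloginfo( 'name' ) );
    $subject = sprintf( '[%s] Your login verification code', $site );
    $body    = "Your one-time login code is: {$code}\nIt expires in 5 minutes.";
    // wp_mail() returns false when WordPress could not hand the message to a mailer:
    // that is the deliverability failure the article warns about, so report it to the caller.
    return wp_mail( $user->user_email, $subject, $body );
}

// Verify a submitted code: expiry check, constant-time comparison, attempt limit,
// and single use (the stored record is deleted on success or once it is voided).
function example_verify_email_2fa_code( int $user_id, string $submitted ): bool {
    $rec = get_user_meta( $user_id, EXAMPLE_2FA_META_KEY, true );
    if ( ! is_array( $rec ) || time() > $rec['expires'] ) {
        delete_user_meta( $user_id, EXAMPLE_2FA_META_KEY );
        return false;
    }
    $digits   = preg_replace( '/\D/', '', $submitted ); // tolerate spaces/dashes typed by the user
    $expected = hash_hmac( 'sha256', $digits, wp_salt( 'auth' ) );
    if ( hash_equals( $rec['hash'], $expected ) ) {
        delete_user_meta( $user_id, EXAMPLE_2FA_META_KEY );
        return true;
    }
    $rec['tries']++;
    if ( $rec['tries'] >= EXAMPLE_2FA_MAX_TRIES ) {
        delete_user_meta( $user_id, EXAMPLE_2FA_META_KEY ); // too many guesses: void the code
    } else {
        update_user_meta( $user_id, EXAMPLE_2FA_META_KEY, $rec );
    }
    return false;
}
```

A failed wp_mail() return is the place to hook in a site-level alert, since a user who never receives the code is locked out until email delivery is fixed.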
Email-based 2-Factor Authentication may seem complicated to set up, but once you go through the whole settings process (the steps listed above), you'll see how easy it actually is. It'll be worth your time, because Shield's 2FA will keep you and your users safe and protected.