Defender implements Two-Factor Authentication (2FA), fingerprint/facial recognition, and external hardware security keys for hardened WordPress security!
It has become increasingly apparent that relying strictly on usernames and passwords for logins no longer offers the highest levels of security.
WPMU DEV’s solution to addressing this is through the use of the WebAuthn standard, which bypasses vulnerabilities by providing a protocol of public key cryptography as a login authentication method.
Both Defender Free and Pro versions allow you to make full use of Web Authentication; providing the ability to verify the authenticity of a user login by way of biometrics (facial or fingerprint recognition), or a USB security key (e.g., YubiKey).
Usage of these web authentication methods is similar to the 2FA methods already present in Defender, alongside the existing TOTP (Time-based One-Time Password), backup codes, and fallback email authentication methods.
In this article, we’re going to look at how to implement Web Authentication methods, as part of our 2FA WordPress plugin features in Defender.
Continue reading, or jump ahead using these links:
- The All-Encompassing Defender
- Full Walkthrough on Web Authentication
- Additional 2FA Features: WooCommerce Integration, Disable Users, Custom Graphic URL
- The Complete Package
Let’s explore all that Defender has to offer in the form of login protection with the cool new 2FA WebAuth features.
The All-Encompassing Defender
Defender gives you the best in WordPress plugin security, stopping SQL injections, cross-site scripting (XSS), brute force login attacks—and other vulnerabilities—with a list of one-click hardening techniques that will instantly add layers of protection to your site.
It also makes safety easier on and for you, taking advantage of the latest in WebAuth security measures.
By way of a quick overview, here’s how this works in Defender… the user will input their username & password to log in, and if Platform authentication has been configured for that device, said user can verify their identity through their fingerprint scanner or facial recognition software. Likewise, if the Roaming authentication has been configured for that device, the user can verify their identity through their USB security key.
Because we’re using the WebAuthn protocol, Defender does not at any point receive any biometric or security key data, only a confirmation or rejection from the user’s device.
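To make the "confirmation or rejection from the user's device" concrete, here is an added example (not Defender's code) of the checks a relying party performs on the assertion a browser returns after the user touches the sensor or key. It assumes a relying-party ID of `example.com` and an origin of `https://example.com`, builds a constructed sample assertion in place of a real browser response, and returns the exact bytes the authenticator signed so that the final ECDSA/RSA signature check can be done with the stored public key (that library call is outside the block). Note what never appears: no fingerprint, face template or key secret, only hashes, flags and a counter.

```python
"""Relying-party checks on a WebAuthn login assertion.

Added example with constructed data; not Defender's code. The signature
over the returned signed_data is verified separately with the public key
stored at registration (ECDSA/RSA library call, not shown here).
"""
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                    # assumed relying-party ID (the site domain)
EXPECTED_ORIGIN = "https://example.com"  # assumed origin the browser must report

FLAG_UP = 0x01  # authenticatorData flag: user present (touched key/sensor)
FLAG_UV = 0x04  # authenticatorData flag: user verified (biometric or PIN)


def b64url_decode(s: str) -> bytes:
    """WebAuthn uses unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     stored_sign_count: int, require_uv: bool = True) -> dict:
    """Run the relying-party checks that must precede signature verification.

    Returns the bytes the authenticator signed and the counter value to store,
    or raises ValueError with the reason the assertion was rejected.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not a login assertion")
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replayed or stale assertion)")
    # The browser fills in the origin itself, so a look-alike domain cannot forge it.
    if client.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin mismatch: {client.get('origin')!r}")

    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise ValueError("user verification (biometric/PIN) flag not set")
    # Counters are optional (both zero), but once used they must strictly increase;
    # a repeated or lower value is the classic sign of a cloned authenticator.
    if (parsed["sign_count"] or stored_sign_count) and parsed["sign_count"] <= stored_sign_count:
        raise ValueError("signature counter did not increase (possible cloned authenticator)")

    signed_data = auth_data + hashlib.sha256(client_data_json).digest()
    return {"signed_data": signed_data, "new_sign_count": parsed["sign_count"]}


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    stored_sign_count: int) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        verify_assertion(client_data_json, auth_data, expected_challenge, stored_sign_count)
        return "ok"
    except ValueError as exc:
        return str(exc)


def make_sample(challenge: bytes, origin: str, flags: int, sign_count: int):
    """Build a constructed clientDataJSON / authenticatorData pair standing in for a browser response."""
    client = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return client, auth


CHALLENGE = b"\x01" * 32  # constructed; a real server draws a fresh random challenge per login

if __name__ == "__main__":
    good = make_sample(CHALLENGE, EXPECTED_ORIGIN, FLAG_UP | FLAG_UV, 7)
    print(check_assertion(*good, CHALLENGE, stored_sign_count=6))
    phished = make_sample(CHALLENGE, "https://examp1e.com", FLAG_UP | FLAG_UV, 7)
    print(check_assertion(*phished, CHALLENGE, stored_sign_count=6))
```

Running it prints `ok` for the genuine assertion and an origin-mismatch reason for the look-alike domain. The same wrapper rejects a reused challenge, a missing user-verification flag, and a counter that failed to advance, which is why a WebAuthn login cannot be replayed from a captured response the way a leaked password can.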
I want to interject here with a quick point of interest, shared by one of our techs, Marcel Oudejans (and paraphrased by me)…
The convention of naming a dog “Fido” was popularized by Abraham Lincoln, though its use as a canine pet name dates back to the ancient Romans.
“Fido” means “faithful”. FIDO stands for “Fast IDentity Online”. The new Biometric authentication feature uses WebAuthn protocol from FIDO.
So in a lovely, roundabout way, by using the FIDO protocol to implement this feature, one could say we are infusing ‘faithfulness’ into Defender.
For more technical information on FIDO, check out this article.
Ok, now let’s take an in depth look at these awesome new Web Authentication features.
Full Walkthrough on Web Authentication
First, make sure you have the Defender plugin installed and activated, and update it to the latest version.
Two important things to note up front:
- Configuration of authorized devices is required on a per-user basis, since authentication is linked to individual user accounts.
- PHP 7.4 or above is required, as it improves performance and security, while also supporting the new biometric feature.
Enable Biometric or USB Security Key
Navigate to the WordPress Dashboard > Defender. On the left sidebar, click on 2FA and click on the Activate button.
Now you’ll see all the section information for Two-Factor Authentication, and all the options we have available here.
From the same Defender 2FA page, under User Roles > Administrator, toggle the button On. Make sure to scroll to the bottom and click on Save Changes.
From the Dashboard’s side menu, go to the Users section, and click on your Admin User profile.
Scroll down to the Security section, and next to Web Authentication, toggle the button ON.
You’ll see a recommendation to choose an additional authentication method from these options: TOTP, Backup Codes, and Fallback Email.
In the example below, you’ll see Fallback Email has also been selected, but you can choose whatever method(s) you prefer. Remember to click the Update Profile button at bottom.
Web Authentication does not replace your traditional WordPress login (i.e., username & password); instead, it adds an additional secure layer, like the other authentication options above.
While many browsers and operating systems are compatible with the WebAuthn protocol used to manage the authentication process, some are currently not. Check here to see WebAuthn’s browser and OS compatibility list.
Register Device
With WebAuth authentication enabled, the Registered Device table will appear, with options to Register Device or Authenticate Device.
Clicking the Register Device button will start the prompt from your browser to configure the form of Web Authentication you wish to use, depending on what’s available on your device.
Select an Authenticator Type, enter any name in the Authenticator Identifier field, then click the Start Registration button.
Depending on the authenticator type and device you are using, the registration process will differ.
Example 1:
Registering a Windows desktop or laptop will prompt you to enter your Windows Hello PIN, or whatever other authentication method may be enabled on your device.
Example 2:
Registering a mobile device will prompt you to touch the fingerprint sensor, or whatever other authentication method may be enabled on your device.
Example 3:
Registering a USB Security key will prompt you to go through a brief series of steps.
Back on your Users Profile page, if you scroll to the bottom under Security > Registered Device, you’ll see your device listed here, along with a message beneath it confirming it has indeed been registered.
The next step is to authenticate the device you just registered.
Authenticate Device
Once the device has been registered, click the Authenticate Device button.
The same authentication method used to register the device will prompt you to confirm the action.
Once done, you’ll see a success message appear. Now you’ll be able to use the registered WebAuth options as additional, secure ways to log in to your site.
Rename or Delete Device
If desired, you can rename or delete any authenticated device.
Navigate to the WordPress Dashboard > Users, and click on your username.
To Rename:
From Profile > Security > Registered device, click on the Rename text in the Action column. Type the new name, and click Save.
To Delete:
Same process as above, but click on the Delete text in the Action column, then click OK from the next popup.
Be advised that the Delete action doesn’t save settings, so if you decide you want to use the Biometric feature from that device again, you will need to go through the full setup process.
Likewise, if you deactivate any WebAuth functionality on your device, the login will no longer work, and you would need to repeat the process on your device to restore the feature’s functionality.
GDPR Compliance
FIDO Alliance standards were created from the outset with a “privacy by design” approach and are a strong fit for GDPR compliance.
Because FIDO delivers authentication with no third-party involvement or tracking between accounts and services, biometric authentication with FIDO2 compatible devices is fully GDPR compliant.
With FIDO, no personally-identifying information ever leaves your device.
For more information, see the following article on the FIDO website: FIDO Authentication and GDPR.
Enabling Multiple 2FA Methods
If you enable more than one additional authentication method in your profile, each will display as alternate options beneath the method you have set as your default.
For example, here’s the screen you’ll see if you select Web Authentication as your preferred method…
And here’s an example showing TOTP Authentication as the preferred method.
You can click on any available option in the list, and it will display the selected alternate authentication method.
A final note… Web Authentication requires that the following PHP extensions be enabled on your server: mbstring, GMP, and Sodium. These extensions are enabled by default on all sites hosted by WPMU DEV.
If you are hosting elsewhere and any of them are not enabled on your server, you’ll see an alert like the one below. Reach out to your hosting provider to have them enable the extensions for you so that you can use this feature.
Click here for WPMU DEV’s full documentation on Defender’s Web Authentication feature.
Additional 2FA Features
A few extra goodies were included in the most recent rollout of Defender. Here’s what else is new:
WooCommerce
Defender allows users to configure 2FA from WooCommerce’s My Account page.
Simply flip the option on in Defender’s 2FA settings, and enable two-factor authentication for the user role Customer (so the 2FA section appears under the My Account page).
Check Active Users
Defender now allows you to see User 2FA status, or reset it for any reason. To do so:
- Navigate to WP Dashboard > Defender > 2FA > Active Users.
- Click on View users; check the Two Factor column to see who has 2FA enabled.
- Hover over any user, and below their avatar, Reset two factor will display. Click on that, then Save Changes.
You can also skip a step, and navigate directly to WP Dashboard > Users to reset the 2FA.
Custom Graphic from a URL
The Defender icon that appears on your login page can be replaced with a custom graphic of your choosing.
You can now select to link a graphic from a URL, as well as the alternate options of uploading, or having no graphic at all.
The Complete Package
As protective measures go in WordPress, it’s hard to beat Defender.
Defender has powerful security protocols, including malware scanning, antivirus scans, IP blocking, firewall, activity log, security log, and two-factor authentication (2FA), including two Web Authentication methods: Biometric and USB Security Key.
Defender also ships a useful enhancement to its WP-CLI “scan” command: when the command finds any issues, Defender prints the results as a table in the console.
Previously, you could only see the results of a malware scan from the back-end of the site (at WP Admin > Defender Pro > Malware scanning), but now you’ll be able to see the completed scan results right in the console.
Coming soon for Defender… we’ll expand on our use of WebAuthn, with our devs currently working on the ability to use hardware authentication devices. Plans are also underway to implement ‘password free’ logins in the best way possible, using the WebAuthn protocol.
You can read about upcoming features for any of our tools and services anytime in our product Roadmap.
If 2FA is the question, Defender is the answer. Handling security in your WordPress sites can be as simple—yet complete—as activating Defender.
[Editor’s note: This post was originally published in June 2022 and updated in March 2024 for accuracy.]