Greater Security with Two Step Authentication

April 5, 2013

Gary

We know your blog is important to you, and today we’re proud to announce Two Step Authentication: an optional new feature to help you keep your WordPress.com account secure. For those of you who use Two Step Authentication with your Google account, you’ll know how useful this feature is for keeping your account secure.

enterverificationcodeTwo Step Authentication works like this: when you log in to your WordPress.com account, we’ll prompt you to enter a secret number. To get that secret number, you’ll need to download the Google Authenticator App on your smartphone. It generates a new number every 30 seconds, making it virtually impossible to guess. All you need to do is open the app on your phone, and type in the number it’s showing. If you don’t have a smartphone, you can instead opt to have the number SMSed to you.

To enable Two Step Authentication, head on over to the new Security tab in your WordPress.com account settings, and go through the setup wizard. The wizard will help you make sure that everything is configured correctly:

Settings

Once you enable Two Step Authentication on your account, there are a couple of extra steps we recommend you take:

Print backup codes

Print out some backup codes to keep in a safe place — your wallet, a filing cabinet or your document safe in case your phone is lost or stolen. You can print backup codes right from your WordPress.com Security tab:

backupcodes

Generate application-specific passwords

Some apps that connect to your WordPress.com account (such as the WordPress mobile apps) don’t yet fully support Two Step Authentication. For these apps, you can generate unique passwords to use with each one (for example, you can have a different password on your phone and your tablet). If your device ever goes missing, you can disable its password with a single click, locking it out of your account.

If you need any extra help setting up Two Step Authentication, detailed instructions are available in the Support documentation.

Have feedback or suggestions? Leave them in the comments!

Missing out on the latest WordPress.com developments? Enter your email below to receive future announcements direct to your inbox. An email confirmation will be sent before you will start receiving notifications—please check your spam folder if you don't receive this.

Join 4.7M other subscribers

34 Comments

Comments are closed.

  1. David W. Boles Apr 5th at 8:53 pm

    Brilliant! Necessary! Forward-thinking! Outstanding! Now leaving to turn on the 2-Step! SMILE! Thank you!

    Like

  2. Stephen Rees Apr 5th at 8:55 pm

    And for those of us with Nokia Symbian smartphones there’s ….. bupkiss

    Like

  3. showmescifi Apr 5th at 9:24 pm

    great timing this is something that we need. As an aside, will this also be enabled for self-hosted blogs, as a Jetpack service perhaps?

    Like

  4. conniekauffman Apr 5th at 9:34 pm

    Great. I don’t have a cell phone, so can’t download the app. Does this mean my blog is no longer accessible?

    Like

  5. Perpetua Apr 5th at 10:34 pm

    And for those of us who don’t have a smart-phone? What then? There are some of us our here, you know……

    Like

    • Gary Apr 5th at 10:38 pm

      You can opt to have a login code sent to you by SMS, instead. You’ll need network reception, of course, but this will work with any phone.

      Like

  6. seiharris Apr 6th at 12:04 am

    @showmescifi or anyone else who’s wondering about self-hosted WordPress – it seems .org has had it for a while: http://wordpress.org/extend/plugins/google-authenticator/

    Like

  7. HipsterApproved.net Apr 6th at 12:21 am

    Great. Thanks!
    Now if Apple will just send me an iPhone to test out.
    (I’m waiting Apple…)

    Like

  8. Teepee12 Apr 6th at 12:24 am

    Optional means I don’t have to do this, right? Because we don’t have cell phones. I don’t want to discover that I have no choice. We can’t afford cell phones, so we don’t have them and amazingly, life is fine — even though sometimes, we are out of touch for a few hours. Just like in the good old days!!

    Like

    • Gary Apr 6th at 12:51 am

      That’s correct, this is an entirely optional extra level of protection for your account. We understand that not everyone has a cell phone!

      Like

  9. Catherine Burden (@AlwaysARedhead) Apr 6th at 1:23 am

    That’s all fine and dandy if you have a data package on your phone, otherwise useless.

    Like

    • Gary Apr 6th at 4:19 am

      You only need your phone connected to the internet when you install the Google Authenticator app – after that, the codes will be generated without needing an internet connection.

      Like

  10. Clashgour Apr 6th at 6:46 am

    Nothing for Windows Phone??

    Like

  11. onmydish Apr 6th at 8:11 am

    Great function but what happens if you loose your smartphone?

    Like

    • Gary Apr 6th at 11:48 am

      We strongly recommend you set up Backup Codes after you enable Two Step Authentication. These backup codes can be printed out and kept in a safe place, to use in the event you lose your phone.

      Like

  12. iNotes4You Apr 6th at 9:35 am

    Thanks Gary.
    This is a great step forward WordPress and should become a standard feature for all the other providers of internet services.
    As I am no professional for security questions do you think that with 2-Step-Authentication a periodic change of the password is dispensable?

    Like

  13. Dave Wild Apr 6th at 10:27 am

    It would be nice if this could be extended in future to use Yubikeys.

    Like

    • Gary Apr 6th at 11:58 am

      Thanks for the suggestion! We have no immediate plans for Yubikey support, but we’ll keep it in mind for future updates.

      Like

  14. Alex Apr 6th at 12:02 pm

    Great, security is always top priority.

    Like

  15. Victor Tribunsky Apr 6th at 1:38 pm

    Excuse me, where is Security Tab in Dashboard? 🙂

    Like

  16. Zoe Apr 7th at 11:17 pm

    If you don’t have a smartphone or cell but have an iPod touch with a camera, you can still do this! Just download the Google Authenticator app from the App Store and follow the instructions for the two-step authentication in the security settings. It still works and it’s a piece of cake.

    Like

  17. 簡sir Apr 9th at 12:17 am

    Finally, a long wait security feature come. A MUST enable feature.

    Like

  18. Marc Cerniglia Apr 10th at 3:54 pm

    Is this available for all WP websites…or just the free blogs people sign up for? My clients websites are all on WordPress and I dont see the security tab anywhere (including under settings)…and most of them are in 3.5.1…so am I missing it…or is it not available for WP websites yet?

    Like

    • Gary Apr 10th at 10:46 pm

      This is currently only available for WordPress.com sites, though we’re investigating ways to make it available for self-hosted WordPress sites, too!

      Like

  19. Matt Apr 12th at 11:51 pm

    This is sometimes called two-factor authentication.

    Like

  20. Salman Apr 13th at 8:22 am

    Awesome Work. Thanks a lot for integrating with Google Authenticator. I would like to request the option to move from one phone to another without disabling this app on phone. Since, I have rooted phone, I would love to have this feature, in case I formatted the phone.

    Like

  21. Jason (@ghostie256) Apr 13th at 7:37 pm

    @Salman Backup the Google Authenticator using something like Titanium Backup before formatting and it will restore without any issues just fine.

    Like

Create your new blog or website for free

Get Started