There are many ways to implement WordPress Two Factor Authentication to secure your site. Our favorite for ease of use is the Clef WordPress Two Factor Authentication Plugin. Before we take a detailed look at the plugin, it is first helpful to take a look at what is meant by two-factor authentication.
What is WordPress Two Factor Authentication?
WordPress Two-Factor Authentication adds another layer of security to your login. It typically requires providing 2 out of 3 authentication factors: a “Knowledge Factor,” a “Possession Factor” and an “Inherence Factor.” Let us take a look at each of these in turn:
The knowledge factor is something that you know. This can be a password, a secret question, or in the case of Clef, a PIN.
The possession factor is the most common trend in WordPress Two Factor Authentication systems. To prove possession, you typically need a device such as a mobile phone, whose ownership you prove by receiving a text. In Clef’s case, you prove ownership of the device by syncing a wave shown on the screen with the phone’s camera (more on this later in the article).
The inherence factor is when you provide verification by providing something of yourself, such as a fingerprint, voice recognition or iris scanning. Clef does not use this method, instead opting for the two prior methods discussed.
What is Clef?
Clef is a Two Factor Authenticator for WordPress that connects your WordPress login credentials with your mobile phone, enabling easy and secure access to your WordPress installations. Unlike other authenticators that use a text message or push notification PIN sent to your phone, Clef works differently. Once you have set it up (we will come to that in a moment), it is as simple as holding your phone up to your login screen and syncing a wave shown on the monitor via your phone camera. The best way to understand this is by checking out the video below:
How to Install Clef WordPress Two Factor Authentication Plugin
Whilst some hosts (such as Arvixe) now offer you the opportunity to install Clef via the Softaculous one-click installer with new installs, and SiteGround offers an ad-free version, we will be taking you through how to install the plugin manually from the WordPress Repository, as well as how to configure the plugin and your phone app.
Step 1 – Install WPClef Plugin
Log into WordPress, and navigate to the Add New Plugins screen (Plugins -> Add New), and search for “WPClef” as shown in the image below:
Once you click “Search Plugins” there should be one entry called “Clef” which is shown below:
Now click the “Install Now” button, and then press the “Activate Plugin” option on the next screen. You will be presented with the Clef Setup screen as shown below:
Step 2 – Set up the Clef App on your phone
Following on from the screenshot above, click the Get Started button.
The first stage is to install the Clef app on your mobile phone, and you will see in the screenshot above the option to get the app, or if you already have the app to bypass this stage. Click the green “get the clef app” button to be taken to the next screen that helps you install the app.
The Clef App is available for both iOS and Android. You can get Clef to text you the link, or click either the iOS or Google Play (Android) icons at the bottom. Actually, at the date of this tutorial both the Apple App Store icon and the Google Play icon linked to the Google Play Store, but you can find the App in the Apple App Store here. In our case, we will be installing the Android app, and therefore we will click the Google Play icon at the bottom of the screen above, which will take you to the Google Play app page as shown in the screenshot below.
As we have our Android phone connected, we can just click the install button shown edged red in the screenshot above to install the app. On the next screen, you will need to confirm that the app can access your camera/microphone as well as identity and location, and choose the device you wish to install it on.
Step 3 – Set Up Your Clef App on your Mobile Phone
Once the app is installed, run the Clef app on your mobile phone and click the “Get Started” button. You can then enter your “Name” and “Email” and choose a PIN. You can see the different screenshots of the process below:
You will then need to verify the account by clicking the verification link in the email you will be sent. If you do not see it, please check your spam mail, or ask for it to be resent. Then you can click the blue “confirmed” button on the last screenshot above.
You will then see a blue wave show up on your camera screen ready to sync the App with your WordPress install.
Step 4 – Sync App with your WordPress install
Once you have installed the app in Step 3, click the “I have the app, take me to the next step” button on the WordPress setup screen. This is where you sync your mobile app with your WordPress install. You should see a blue wave both on your WordPress setup screen and on your mobile. Overlay the mobile screen (camera shows the wave) with the wave on your WordPress setup screen as shown below:
You will be logged in automatically when you line up the wave from your mobile app with the wave on your screen. Once logged in, you will stay logged in for a default of one hour, as shown in the following screenshot:
You can see on the screenshot above the option to adjust the time you are logged in, or you can hit the infinite symbol, which will keep you logged in until you log out.
Step 5 – Complete Setup
Once you have successfully logged in via your Clef App you will see the following screen:
Once you click “complete setup” you will see a screen inviting you to send an email to other users on the site, with the ability to specify which user roles you invite:
Once you have invited other users of your site, click “Continue and finish setup”. The next screen gives the following tips:
1. Sync once, log in everywhere.
When you scan a Clef Wave, you’ll be logged into all of your sites on that computer. This means you don’t have to keep scanning as you browse the web.
2. Log out with your phone.
When you want to log out of your sites, click the logout button on your phone. This will log you out of all of your sites and can be done from anywhere (including after you walk away).
3. Lose your device?
If you lose your device, don’t fret! Just visit getclef.com/lost, deactivate with your PIN, and reactivate on a new device.
Step 6 – Extend Clef to Facebook, Gmail, and Twitter
Once you have finished installing Clef, you will then get a screen inviting you to “Try Waltz”, which is a Chrome extension that lets you log into other popular sites using Clef, although this is outside the scope of this tutorial. You can find out more about Waltz here.
Step 7 – Clef Settings
After clicking “Go to Clef Settings” in the screenshot above, you will have the option to configure the login process further. You can change the following options:
- Disable passwords for Clef Users – Here you can make everyone log in via the Clef Wave if they have set up Clef to log in, rather than offering both options. This increases security for your site and is recommended. If you select this or any of the other methods to disable passwords below, you will have the option to allow user password logins for any third party apps.
- Disable passwords for all users with privileges greater than or equal to specified roles – You may want to increase security for just your admin users. This allows you to do that.
- Disable passwords for all users and hide the password login form – For ultimate security, you can select this option, and make users set up Clef to log in.
- Show Clef Wave as Primary Log in Option – If you select this, the Clef Wave automatically shows on the login screen. Otherwise, you see the User and Password fields with an option underneath to “Log in with your phone.”
- Support Clef – Add a link from your site to Clef should you wish to support them.
- Invite Users – We covered in a previous step the ability to invite users to start using Clef to log into your WordPress install. This gives you access to this ability after the initial setup.
- Clef API – For developers.
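The role-based option above can be modeled with WordPress's `authenticate` filter. This is an added example, not Clef's code or anything from the original tutorial; the `example_` function names, the constants and the error code are hypothetical, and only the default WordPress roles are ranked.

```php
<?php
// Added illustration (not Clef's code): refuse password logins for accounts at
// or above a chosen role, with an exception for XML-RPC (third-party apps).

// Hypothetical settings standing in for the plugin's options.
const EXAMPLE_MIN_ROLE     = 'editor'; // passwords disabled from this role up
const EXAMPLE_ALLOW_XMLRPC = true;     // keep passwords for third-party apps

// Default WordPress roles, least to most privileged. Custom roles are not
// ranked here and would need to be added explicitly.
const EXAMPLE_ROLE_ORDER = array( 'subscriber', 'contributor', 'author', 'editor', 'administrator' );

// Highest position of any of the account's roles in EXAMPLE_ROLE_ORDER, or -1.
function example_role_rank( WP_User $account ) {
	$rank = -1;
	foreach ( $account->roles as $role ) {
		$pos = array_search( $role, EXAMPLE_ROLE_ORDER, true );
		if ( false !== $pos ) {
			$rank = max( $rank, $pos );
		}
	}
	return $rank;
}

function example_block_password_login( $user, $username, $password ) {
	// Cookie-based sessions arrive with an empty password; leave them alone.
	if ( '' === (string) $password ) {
		return $user;
	}
	if ( EXAMPLE_ALLOW_XMLRPC && defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
		return $user;
	}
	// Resolve the account from the submitted name, not from whether the
	// password was right, so the refusal does not confirm a correct password.
	$account = $user instanceof WP_User ? $user : get_user_by( 'login', $username );
	if ( ! $account ) {
		$account = get_user_by( 'email', $username );
	}
	$threshold = array_search( EXAMPLE_MIN_ROLE, EXAMPLE_ROLE_ORDER, true );
	if ( $account && false !== $threshold && example_role_rank( $account ) >= $threshold ) {
		return new WP_Error( 'password_login_disabled', 'Password login is disabled for this account.' );
	}
	return $user;
}
// Priority 30 runs after core's username/password check (priority 20).
add_filter( 'authenticate', 'example_block_password_login', 30, 3 );
```

Because the check keys on the submitted account name and not on the result of the password check, a covered account gets the same refusal whether or not the password was correct.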
You can see a screenshot of the settings screen below:
Final Thoughts – Clef WordPress Two Factor Authentication Plugin
The plugin was extremely easy to set up and install, and apart from entering a short PIN into your mobile phone every time you wish to view the mobile app, there are no passwords to remember. Everything works easily, and the app has no trouble recognizing the wave on the computer screen.
We like the ability to set a time limit on the login time, which is particularly handy if you log in from a public computer, but also great if you want to set an unlimited time for your home computer.
“Exceeded our Expectations – Simply Brilliant!”
We never really wanted to use Two-Factor Authentication previously due to having to wait for a text to be received, which can be quite frustrating if you do not have good phone reception within your house. This takes all the pain away and is probably the most simple Two-Factor authentication you will find… anywhere!
While we haven’t yet tried it, if you have multiple sites you can get access to them all simply by logging into one of those sites via Clef. This completely wipes away the nightmare of setting up Two-Factor Authentication if you manage many different sites. Awesome!
The only thing we do not like is the adverts on the login screen, although we fully appreciate this is necessary to fund this awesome app. This is easily resolved by upgrading to a no-ad version for $29, or signing up with SiteGround, who offer a no-ad version as part of their hosting.
Another great thing is that Clef have recently partnered with the one-click installer Softaculous to offer users the chance to automatically install this app with new WordPress installs. Please note that not all hosts yet provide this functionality, as it needs to be individually turned on via the web host’s Softaculous admin area. Arvixe, for example, a founding member of Clef, has already enabled this functionality.