For the past couple of years I was using Google Authenticator time-based one-time passwords (TOTP) for two-factor authentication on my WordPress site. We have been using Duo Security at work for two-factor authentication for about the same length of time, but I only recently looked into using Duo Security for my WordPress site, and ended up switching to it.
Duo Security is a company that offers two-factor authentication solutions for everything from small businesses up to enterprises. What I like about Duo Security versus Google Authenticator (and other OTP-style two-factor solutions) is that it offers a push second factor, known as Duo Push, delivered through their Duo Mobile application.
Instead of providing my username/password combination and then keying in an OTP, Duo Security lets me trigger a Duo Push to my iPhone (or any other device with the Duo Mobile application installed). My iPhone receives the Duo Push indicating that a username/password authentication has just succeeded on the Duo Security-protected login prompt, and I can approve or deny the second factor. When I approve it in the Duo Mobile application, the app simply sends the confirmation (the second factor) back to the service (e.g. my WordPress site), which completes the login. The deny option is not decorative: a push you did not trigger means someone else already has your password, so deny it and change the password rather than approving just to make the prompt go away.
I much prefer receiving a push notification asking me to confirm an authentication with an “Approve or Deny,” rather than having to key in a one-time password code.
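What actually travels back to the site after you tap Approve is worth seeing, because it is where the security of the push flow lives. The example below is added here and is not code from this post or from Duo's WordPress plugin; it is modeled on the Duo Web SDK v2 signing scheme as I understand it (an assumption; the plugin's own internals may differ). The keys (`IKEY`, `SKEY`, `AKEY`), the username and the timestamps are constructed sample values. The service signs a request token with the Duo secret key and a second token with an application key that Duo never sees; after the push is approved, Duo returns its own signed token, and the service accepts the login only if both tokens verify, are unexpired, and name the same user.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample credentials (not real Duo keys). In a real deployment the
# integration key (ikey) and secret key (skey) come from the Duo application
# profile; the application key (akey) is a long random secret generated and
# kept only by the protected service (here, the WordPress site).
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
AKEY = "wordpress-local-secret-that-duo-never-sees-0123456789"

DUO_PREFIX = "TX"     # request token, signed by the service with skey
APP_PREFIX = "APP"    # companion token, signed by the service with akey
AUTH_PREFIX = "AUTH"  # response token, signed by Duo with skey after approval


def _sign_vals(key, vals, prefix, expire_at):
    """Build prefix|base64(user|ikey|expiry)|hmac-sha1(key, prefix|base64)."""
    payload = "|".join(list(vals) + [str(int(expire_at))])
    b64 = base64.b64encode(payload.encode()).decode()
    cookie = f"{prefix}|{b64}"
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return f"{cookie}|{sig}"


def _parse_vals(key, val, prefix, ikey, now):
    """Verify one signed token; return its username, or None on any failure."""
    try:
        u_prefix, u_b64, u_sig = val.split("|")
    except ValueError:
        return None
    cookie = f"{u_prefix}|{u_b64}"
    expected = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    # Constant-time comparison: check the MAC before trusting any field.
    if not hmac.compare_digest(expected.encode(), u_sig.encode()):
        return None
    if u_prefix != prefix:
        return None
    try:
        username, u_ikey, expire = base64.b64decode(u_b64).decode().split("|")
    except ValueError:
        return None
    if u_ikey != ikey or now >= int(expire):
        return None
    return username


def sign_request(ikey, skey, akey, username, now=None, ttl=300):
    """Service side, after the password check: token handed to Duo."""
    now = time.time() if now is None else now
    vals = [username, ikey]
    duo_sig = _sign_vals(skey, vals, DUO_PREFIX, now + ttl)
    app_sig = _sign_vals(akey, vals, APP_PREFIX, now + ttl)
    return f"{duo_sig}:{app_sig}"


def duo_approve(ikey, skey, sig_request, now=None, ttl=300):
    """Duo side (simulated): once the push is approved, replace the TX token
    with an AUTH token signed under skey and echo the APP token back untouched."""
    now = time.time() if now is None else now
    duo_sig, app_sig = sig_request.split(":")
    username = _parse_vals(skey, duo_sig, DUO_PREFIX, ikey, now)
    if username is None:
        return None  # Duo would refuse a request it cannot verify
    auth_sig = _sign_vals(skey, [username, ikey], AUTH_PREFIX, now + ttl)
    return f"{auth_sig}:{app_sig}"


def verify_response(ikey, skey, akey, sig_response, now=None):
    """Service side: log the user in only if Duo's AUTH token and our own APP
    token both verify, are unexpired, and name the same user."""
    now = time.time() if now is None else now
    try:
        auth_sig, app_sig = sig_response.split(":")
    except ValueError:
        return None
    auth_user = _parse_vals(skey, auth_sig, AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, app_sig, APP_PREFIX, ikey, now)
    if auth_user is None or app_user is None or auth_user != app_user:
        return None
    return auth_user


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    req = sign_request(IKEY, SKEY, AKEY, "alice", now=t0)
    resp = duo_approve(IKEY, SKEY, req, now=t0 + 5)
    print("verified user:", verify_response(IKEY, SKEY, AKEY, resp, now=t0 + 10))
    print("after expiry:", verify_response(IKEY, SKEY, AKEY, resp, now=t0 + 400))
```

The point of the second, application-keyed token is that a valid Duo approval alone is not enough: whoever presents the response must also hold a token the site minted for that exact username, so an approval cannot be replayed for another account, and nothing Duo's side alone could forge is accepted as a login.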
Anyway, it’s a pretty simple process to deploy Duo Security for your self-installed WordPress site.
- Create a (free) Duo Security account.
- Create an application profile for the site to obtain its integration key, secret key and API hostname.
- Install the Duo Security WordPress plugin.
- Configure the Duo Security WordPress plugin with the integration key, secret key and API hostname obtained in step 2. Treat the secret key like a password: anyone who has it can sign requests on behalf of your site.
Duo Security has a lot of plugins and documentation on how to integrate Duo Security with common applications such as WordPress, CAS and LastPass, as well as with VPNs (e.g. Cisco ASA AnyConnect).
Note: My campus is using Duo Security two-factor specifically for Jasig CAS, but we’re about to “Go big or go home” and start integrating Duo Security two-factor with our Unix infrastructure, our Windows Server infrastructure (RDP), and possibly our VPN (which I would love to do, since United States VPN credentials are highly coveted by the rest of the world).
If you’re not using two-factor authentication for your own web applications or servers, personal or enterprise, I highly recommend checking out Duo Security. The pricing model is fair for personal and small business use. I can’t really give too much insight into enterprise level pricing, but if my campus (public higher education) can afford it, then it should be affordable for most enterprise organizations.
If you’re using Google Authenticator or some other TOTP solution, then you should check out Duo Security to see if you like it better (I think you will).