Some weeks ago, the Clef team announced they were closing all operations, stop supporting users and joining Twilio. They’ll work on the Authy app and other projects.

The shutting down was a disappointment for all users and means big troubles for more that one million WordPress site’s administrators.

First things first. What is Clef (in case you’re wondering)? It´s a two-factor authentication, also known as two-step authentication, app with a widely popular plugin for WordPress.

  • If you’re a Clef user, this is for you. We’ll share some alternatives.
  • If not, this still is for you. Because it’s time to start using two-factor authentication.

Clef is shutting down

Why you must use two-factor authentication

If you use Clef or know what this is, jump to the next chapter. If you need some enlightenment, stick with me.

Everything that provides more security to your site is a must have. I’m sure you know that the Internet is a dangerous place.

Two-factor authentication is a strategy to enhance security, requiring users two things:

  • One you know, a username and password combination;
  • One you have, a numeric or alphanumeric code, delivered via app or SMS, or a token.

Someone with your login data – username and password -, can’t access the website console without the code, refreshed in some seconds within the app ou that will arrive shortly inside a message.

In the WordPress ecosystem, brute-force attacks are one of the most popular known methods of hacking. The bad guys try to find out your username and password. Bots usually do the dirty job, trying to guess the access credentials. If they are successful, you’re in serious trouble.

Two-factor authentication works as another way to improve security by applying an extra layer.

It’s not the end of your worries. The site can be hacked by another sort of attack vector but, at least, you reduced the chances of intrusion.

How is the code delivered to you?

There are many ways to receive the code, depending on the app or system you use:

  • Email Services: The code is sent to your email;
  • SMS: Sent to your mobile phone;
  • App: Generates a new code automatically in very short intervals;
  • USB Tokens: You have to insert a token into your USB port (plus a token password).

There are systems more beautiful than others but, in this case, it is not the beauty that counts but rather the ease of use and the user experience.

Two-Factor Authentication for WordPress (except Clef) for more protection

Welcome back Clef user. It’s time for alternatives.

If you haven´t already removed the plugin, get it done after finishing read this. The team made a useful little guide in four steps. It’s time to say goodbye. And a warm welcome to your new safety companion.

Let’s look at some of the top authentication plugins available for WordPress.

Google Authenticator

The Google Authenticator plugin is one of the most popular. Gives you two-factor authentication using the Google Authenticator. The app is available for iPhone (and iPad), Android, and Blackberry.

Install and activate the plugin. Set a secret key or use a QR code. Download the free Google Authenticator app and enter the secret key or QR code. From now on, any time you try to login to your site, you’ll need to open the app and enter the authenticator code.

It’s a dull app but does the job. It’s free.

Google Authenticator

Authy

Download, install and activate the plugin. Sign up for an Authy account and enter your Authy API key.

You’ll have to update your WordPress profile in WordPress backend.

The plugin works with:

  • Security token sent via SMS or phone call;
  • A token inside the app;
  • A push notification via app.

Authy is free until 100 months authentications. For more, you have paid plans.

Authy

Duo Two-Factor Authentication

Like Google Authenticator, you must download and install the plugin and app. But you’ll also need an account on the Duo Security website to get security keys. Just like Authy.

When you try to login to your site, you’ll be redirected to another login page to choose your preferred authentication method:

  • Mobile app;
  • One-time passcodes generated on the app;
  • One-time passcodes delivered via SMS;
  • One-time passcodes generated by an OATH-compliant hardware token.

Duo is free up to 10 users. If you need more, you’ll have three scales of prices, for 3, 6 or 9 dollars per user and month.

Duo Two-Factor Authentication

Rublon Two-Factor Authentication

The easiest of them all to start and the most attractive for the password haters.

The same procedure: download, install and activate the plugin.
Go to your login page, insert username and password and wait for the email Rublon sends you. Click on the link, and you are ready to go. Your next login from the same device will need only your password.

From this point, you’ll want to use the mobile app (available for Android, iOS and Windows Phone). You’ll have to scan a QR code.

Rublon is free for personal use on one website. To add more accounts, you will have to opt for paid plans. There are no prices on the website but we learned that is 2 dollars per user and month. They prefer to get contacted because then they know who is interested in the service.

Rublon
Now it’s on you. Choose your solution and get your hands dirty. In the end you’ll have a more secure website.