Two Factor Authentication for WordPress and Joomla! with Google Authenticator and YubiKey

Since 2007 I’ve been keeping my files in Dropbox; I plan my posts, gather ideas and prepare for my next holiday using Evernote. I entrust both services with data that is important to me, and sometimes even personal. As passwords can be stolen, I secure both accounts using two factor authentication.

Two factor authentication, or two step verification, increases the security of my account by adding a second factor when logging in, e.g. a smartphone app or a hardware solution.

This is how two factor authentication works

  1. Enable two factor authentication with your service: Depending on the service, you can choose between app-based, SMS or hardware solutions such as an authenticator or USB dongle.
  2. Login: You log in using your user name and password as usual.
  3. Additional step / second factor: You receive a code via SMS or app, or you log in using your hardware solution (dongle).

After logging in, many services let you mark a device as trusted, so you can choose to skip two factor authentication for future logins from that device. This makes logging in on safe devices easy.

Two factor solutions for WordPress and Joomla!

I have been protecting my private WordPress and Joomla! accounts using two factor authentication with Google Authenticator for some time. Besides Google Authenticator there are multiple alternatives. One hardware-based alternative I want to briefly introduce is YubiKey, which I personally like for its simplicity and great support for various login types.

Two factor authentication with Google Authenticator

Google Authenticator can be used with many services and applications, e.g. Dropbox, LastPass and Evernote. You can use Google Authenticator with WordPress through plugins; Joomla! has supported Google Authenticator out of the box since version 3.2.

You can download Google Authenticator as a free app for iOS, Android and BlackBerry, and use it in parallel on several devices. This is convenient if you want to generate confirmation codes on both your smartphone and your tablet.

Install Google Authenticator (Google)


Two factor authentication with YubiKey

With a YubiKey you can combine the classical login of user name and password with an additional security code.


A YubiKey is a small, robust USB dongle with simple one-click two factor authentication. YubiKeys support computers with USB ports, and the YubiKey Neo also supports NFC devices. Your operating system recognizes a YubiKey as a USB keyboard, so no driver or installation is required.

Login with a YubiKey works as follows:

  • Plug the YubiKey into a free USB port.
  • Set up your YubiKey with the YubiKey Personalization Tool.
  • Log in with your user name and password.
  • Select the field for security code.
  • Press the button on your YubiKey, and it will automatically generate a security code.

YubiKeys work with many CMS. With a plugin you can use a YubiKey with WordPress. Starting with version 3.2, Joomla! supports YubiKey two factor authentication out of the box. Setup is very straightforward. After enabling two factor authentication, you can configure each user individually in the plugin settings.

YubiKey supports the following systems and applications (selection):

  • Single Sign-On
  • Computer Login
  • VPN
  • Password Manager
  • Gmail
  • LastPass
  • Dropbox
  • GitHub
  • Evernote
  • WordPress
  • Joomla!

Info: On April 14, 2015 Yubico confirmed a vulnerability that affects a subset of YubiKey NEO devices using the OpenPGP applet version 1.0.9 or earlier. YubiKey Standard is not affected by this vulnerability. Please read the full Security Advisory for all details.


One thought on “Two Factor Authentication for WordPress and Joomla! with Google Authenticator and YubiKey”

  1. I use the Google Authenticator Plugin. One thing to note is that on old Android phones, there is a glitch that makes the time sequence out of whack, and you don’t have enough time to log in. So if you are planning on implementing any of these plugins in your website, make sure you have a backup done before implementation, so you can recover your account if the plugin locks you out.
