Two Factor Authentication with Jetpack

Over the summer, I wrote up a quick one-file plugin to force site administrators to use Jetpack’s Single Sign-On via WordPress.com, specifically with two-factor authentication[1].

It was closed-source initially, for no other reason than that it was experimental and I didn’t want to promise it was coming before it had been proven.

Without further ado, I give you Jetpack Force 2FA!

On multisite installations, it forces all users to use the SSO+2fa since there isn’t a reliable way to know if a particular user is an admin on any site of the network (since once they’re logged in on one site, they’re logged into them all).

On single-site installations, if logging in with a traditional username and password, it’ll check if the user is an admin or not. If so, it’ll kill the login attempt. If logging in with SSO, it’ll either use the pre-established connection between the local user and the WordPress.com user, or it’ll automatically accept if the e-mail addresses of the two accounts match.
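A minimal WordPress plugin implementing that policy, as an added example that is not the Jetpack Force 2FA plugin’s own code. It assumes the Jetpack SSO filter names `jetpack_sso_require_two_step`, `jetpack_sso_force_login` and `jetpack_sso_match_by_email`, and uses the `manage_options` capability as the stand-in for “is an admin”:

```php
<?php
/**
 * Added example (not the plugin's own code): force SSO + two-step for admins.
 * Assumed Jetpack SSO filters: jetpack_sso_require_two_step,
 * jetpack_sso_force_login, jetpack_sso_match_by_email.
 */

// Ask Jetpack SSO to require WordPress.com two-step, and to accept an SSO login
// automatically when the WordPress.com e-mail matches a local user's e-mail.
add_filter( 'jetpack_sso_require_two_step', '__return_true' );
add_filter( 'jetpack_sso_match_by_email', '__return_true' );

// Multisite: a login on one site is a login on all of them, so nobody gets the
// username/password form at all.
if ( is_multisite() ) {
	add_filter( 'jetpack_sso_force_login', '__return_true' );
}

/**
 * Reject a username/password login for administrators (single-site) or for
 * everyone (multisite). Runs at priority 30, after WordPress's own password
 * check at 20, so $user is a WP_User when the password was correct.
 */
function example_force_2fa_authenticate( $user, $username, $password ) {
	// Leave earlier failures (bad password, unknown user) untouched.
	if ( ! $user instanceof WP_User ) {
		return $user;
	}
	// An empty password means the cookie path, not a form login; Jetpack SSO
	// sets its auth cookie itself and never passes through this filter.
	if ( '' === $password ) {
		return $user;
	}
	$must_use_sso = is_multisite() || user_can( $user, 'manage_options' );
	if ( ! $must_use_sso ) {
		return $user;
	}
	// Returning WP_Error kills the attempt: wp_signon() fails and no cookie is set.
	return new WP_Error(
		'force_2fa',
		__( 'Administrators must log in with WordPress.com Single Sign-On and two-step authentication.' )
	);
}
add_filter( 'authenticate', 'example_force_2fa_authenticate', 30, 3 );
```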

It is quite helpful for us at Automattic, since it gives us an easy way to get the benefits of 2FA on our Jetpack sites without doing anything extra.

This is still pretty far from perfect. Long-term, I like the WordPress Feature Plugin that is exploring adding 2FA directly to Core. The plugin, being developed on GitHub and available from WordPress.org, adds an extendible framework to add two-factor methods.

Out of the box, it includes methods for e-mail, TOTP (e.g. Google Authenticator or Authy), backup codes, and FIDO U2F (a special USB key that, when connected to the computer, provides the second authentication factor). It’s going to be a nice addition to WordPress if it lands, but even if it doesn’t, you can still get the benefits of 2FA via Jetpack[2].


  1. Two-factor, or two-step, authentication is when you need to log in with two separate items—usually something you know and something you have. In Jetpack’s case, you’ll need to know your password and need to have your mobile device, either with an app installed to provide a code or the ability to receive an SMS.
  2. The 2fa plugin and Jetpack SSO don’t quite work nicely together yet, but we’ll get them working together soon enough.

Comments

2 responses

  1. Saqib Ali

    Brandon,

    When will the FIDO U2F support be added to the WordPress Core?

    Thanks! 🙂

    1. Brandon Kraft

      “If” is the better question, rather than “when”.

      The feature plugin team working on it aims for 2fa to be proposed for WordPress 4.5 (probably April release, but target date not set yet as far as I know).

      For a feature plugin, the proposal needs to be approved by the core team, then merged into core. Proposals aren’t due yet, so it isn’t final. The proposal may or may not include FIDO (since it is only limited to Chrome at this time, even though FF/Edge support is incoming), and may or may not include any particular 2fa method.

      In short, still too far out to say that it will be included in Core. That said, the feature plugin works now (though with the warning it is under development, so use at your own risk) and is set up to be extendible. Even if it doesn’t land in Core, it would be trivial to release support for FIDO (as it exists now in the feature plugin) as a plugin to work with the 2fa base to be proposed in 4.5.

      In short, April is the earliest I’d expect it, but don’t bank on it at this time.
