Note: Authy works on iOS, Android devices, Windows and Macs.
How Does it Work?
Passwords can be cracked. If you reuse the same password on numerous websites, a security leak on one puts your other accounts in danger. People are often lazy and don't change their passwords even after they receive an email about a security compromise on a major site.
Two-step verification is the solution for exactly that. Even if an attacker knows your WordPress username and password, they will not be able to access your site unless they also have the time-limited random security code provided by Authy.
Because your blog is directly connected with your mobile device, you will be the only person with access to retrieve the unique code for each login. The code expires in a short amount of time for security purposes.
Once we are done with this tutorial, there will be an additional field on your WordPress login page which will improve your WordPress security.
Step 1. Add The "Authy" app to your Phone
The first thing you need to do is install the Authy app on your phone. We are going to use the iOS terminology for the sake of this tutorial, but the process is similar for other devices as well. Visit the App store and search for “Authy”. Download and Install the application.
When you open the app you will be prompted to enter your cell phone number and then your email address.
This will create an account for you with Authy and it's what your devices will use to access your codes. If you install the Desktop version of Authy later, all your codes from your phone will be available to you from your Authy account.
Once your account is created you will be able to either scan a QR code or enter a provided key manually.
As soon as you scan the QR code or enter the key, your WordPress blog will appear in Authy. It will show you a random string of 6 digits with a timed counter next to it indicating the time remaining before a new code is issued.
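To make the "6 digits with a timed counter" concrete, here is an added example that is not part of this tutorial and not Authy's or Wordfence's own code. It implements the standard time-based one-time password algorithm (RFC 6238 TOTP built on RFC 4226 HOTP), which is what an authenticator app computes from the key behind the QR code. The base32 secret strings are constructed: one is the published RFC 6238 test key, the other is an arbitrary placeholder. The server-side check with a one-step tolerance window is an assumption about how a verifier is typically written, not a description of Wordfence's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed placeholder secret in base32 (the kind of key shown under a QR code).
EXAMPLE_SECRET = "JBSWY3DPEHPK3PXP"
# The RFC 6238 test key "12345678901234567890", encoded as base32.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Every device holding the same secret and a correct clock computes the same code,
    which is why the phone and the website agree without talking to each other.
    """
    return hotp(secret_b32, unix_time // step, digits)


def seconds_remaining(unix_time: int, step: int = 30) -> int:
    """The countdown the app shows: seconds until the next 30-second window starts."""
    return step - (unix_time % step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Assumed server-side check: accept the current code or one step either side
    to tolerate clock drift, comparing in constant time to avoid timing leaks."""
    submitted = submitted.strip()
    for drift in range(-window, window + 1):
        candidate = hotp(secret_b32, unix_time // step + drift)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(EXAMPLE_SECRET, now),
          "expires in", seconds_remaining(now), "s")
```

Because the code is derived from the shared secret and the current time only, a stolen username and password are not enough: without the secret on the phone, an attacker cannot produce the value the login form expects, and any code they observe is useless once its 30-second window (plus the small drift tolerance) has passed.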
Step 2. Install The "Wordfence Security" plugin in WordPress
It's highly recommended to let Skunkworks' staff do this for you, but if you wish to do it yourself, install and activate the free version of the Wordfence Security plugin for WordPress if it isn't installed and activated already. For more details, see this step-by-step guide on how to install a WordPress plugin.
After installation and activation, in the WordPress menu, click on Wordfence » Login security.
On the next screen you will see a QR code for you to scan with your phone's camera.
Open your phone's camera and point it at the QR code. Your phone will recognize that the QR code is meant for Authy (because it's already installed on your phone) and prompt you to open Authy to add the site's token.
Now enter the code shown in Authy into the box here:
You may be prompted to download backup codes but because Authy has other protective measures in place, you can safely skip this step.
Now the next time you log in to WordPress, you will see a two-step verification field that asks for your 2FA code. Even if your WordPress username and password were compromised, someone would not be able to log in as you, because they do not have your phone with its 2FA code from Authy.