Two Factor Auth Explained

What does the “factor” part mean?

The factor part can be explained by this list, where every item is a factor.

  1. Something you know
  2. Something you have
  3. Something you are

Nr 1 means a regular password. You (hopefully) know your password for the site you are about to log in to.
Nr 2 means that you have to have something physical to log in. Many banks have these devices where you get a one-time code. Google has an app called Google Authenticator, and there is another app called Duo Mobile. Some sites like Twitter and Facebook send you a text message. All of these are examples where you have a mobile phone which displays a one-time code that you enter to log in.
Nr 3 means that you need to identify yourself physically, by your fingerprint, an iris scan, etc.

All of these are factors.

How about the “Two” part?

If you combine two of the earlier explained factors, you get a two factor auth.

One Time Codes. How?

The server and the mobile app have to use the same algorithm, the same initial settings and the same secret key to keep their codes in sync. They are not connected: your phone can be offline and still generate valid login codes.
The two most common algorithms are HOTP and TOTP. They are essentially the same, but HOTP uses a counter where TOTP uses a time window.
That means that if you, with HOTP, generate code after code on your mobile without logging in, the server and your mobile will go out of sync and you won't be able to log in anymore. With TOTP a code is valid for 30 seconds, and the important thing here is to have the server's clock and your mobile's clock synced.
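As an added example (not code from the author's plugin), here is the HOTP/TOTP relationship described above in Python: TOTP is simply HOTP with the counter replaced by the 30-second time step. The two server-side verifiers show the clock-skew tolerance TOTP needs and the look-ahead window that limits how many unused HOTP codes a server will accept, which is why generating codes without logging in eventually locks you out. The secret is the published RFC 4226 test key; the function names are my own.

```python
import hashlib
import hmac
import struct

# Published test secret from RFC 4226 (never reuse a known key in a real deployment).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the clock divided into `step`-second windows."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side TOTP check tolerating `skew` windows of clock drift either way.
    compare_digest keeps the comparison constant-time."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, at + delta * step, step), code):
            return True
    return False


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 3):
    """Server-side HOTP check with a small look-ahead window (RFC 4226 section 7.4).
    Returns the new server counter after a match, or None when the client has
    burned more than `look_ahead` codes and is out of sync."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1  # resynchronise: next expected counter
    return None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SECRET, 0))      # 755224 per RFC 4226
    print("TOTP at t=59:  ", totp(SECRET, 59))     # same as HOTP counter 1
    print("code 9 w/ window 3:", verify_hotp(SECRET, hotp(SECRET, 9), 0))  # None: desynced
```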

Can I have this for my WordPress site?

Of course, and you should!
I made this Two Factor Auth for WordPress which uses TOTP with 6-digit one-time codes, so you can use Duo Mobile or Google Authenticator on your mobile to get your codes. You can read more about it in my post about Two Factor Auth for WordPress.

If there’s anything else you want to know about this topic, ask me in the comments.