Last week, WordPress.com introduced two-step authentication as an optional feature for WordPress.com blogs. It utilizes the Google Authenticator app for iPhone, Android, or Blackberry smartphones. If you don’t have a smartphone the secondary password can be sent to you in a text message, your phone being the “something you have”. For self-hosted WordPress sites, it was mentioned in the comments that the feature might come to WordPress.org blogs through the Jetpack bundled plugin. However, there are a few solutions already available to self-hosted WordPress sites and Drupal.
Two-step authentication and two-factor authentication. Are the differences just semantics? Standard security likes to summarize authentication factors as something you know (a password), something you have (a key or ID badge), and something you are (biometrics like fingerprints or retinal scans). The Google Authenticator app gives you a second factor with the something you have being your phone.
Google Authenticator is a popular one-time passcode generator because it works on many platforms (Android, iOS, and Blackberry) and Google has it implemented for use with Google accounts and other services like Dropbox and LastPass also utilize it.
You can implement Google Authenticator as a two-factor authentication to your self-hosted WordPress site using the Google Authenticator plugin. You install the plugin and go to your user profile within WordPress to configure Google Authenticator with your secret by scanning a QR code or entering it manually. With this plugin, you can configure an exception to allow XMLRPC connections so you can still use the Android/iOS WordPress apps though it does lessen the impact of implementing two-factor authentication a bit.
Drupal also has a Google Authenticator login module that allows you to boost the security of your Drupal website with two-factor authentication.
Back to WordPress, Google Authenticator isn’t the only option when it comes to implementing two factor authentication.
A little lower tech, another WordPress plugin called Perfect Paper Passwords which implements two-factor authentication a little differently using the Perfect Paper Passwords system by GRC. Your website generates a list of one-time passwords to use and provides you with a print-out of the passwords. As long as you keep that credit card-sized paper secure, you have implemented multi-factor authentication far cheaper than using a hardware-based token.
Each of these plugins add a third line below username and password where you can enter your one-time passcode. With the Perfect Paper Passwords system, it tells you which code it is looking for.