Clef’s Dead, Now What? 4 Free Two-Factor Authentication Alternatives
So what the fudge are we supposed to do now?
Two-factor authentication for logging into WordPress meant you didn’t have to fumble trying to remember all your passwords. It also helped protect you against phishing and brute force attacks since a hacker couldn’t just guess or enter your password to gain access to your site. They would also need access to your smartphone.
If you manage a WordPress site or even several for clients, beefing up the overall security of a site is a no-brainer. Most users know how to strengthen passwords, but a tougher way to crack down on phishing and brute force is two-step authentication.
So here are four excellent, free and regularly updated alternatives to Clef that you can install on your WordPress site and start using today.
Defender is a one-stop-shop for securing your WordPress website. Not only does it have a ton of features such as security tweaks, file scans and full reporting, but it also has two-factor authentication.
It installs like most other plugins in the WordPress.org repository and in minutes, your whole site can be secured from top to bottom, inside and out.
Once you enable two-step authentication as the site or super admin in a couple clicks, you can choose which user roles are required to enable and use this security measure.
When that’s all done, users can visit their profile editing page in the admin dashboard to turn on this feature and get a QR code. From there, they can scan it using the Google Authenticator app on their mobile device and complete the setup. It takes about a minute.
The plugin also blends seamlessly into your site’s login page. When a user enters their login credentials, a similarly styled form loads where they can enter the one-time passcode generated by the Google Authenticator app.
Unloq is an excellent alternative to Clef since you also don’t need to enter a password once the plugin is installed on your WordPress site. Once you have signed up for a free account on the Unloq site and the plugin is set up, your WordPress login password field is replaced with an Unloq button. When you click it, you get a notification on your phone through the Unloq app with the IP address and location of the attempted login, the account username, as well as a button to either approve or deny the login.
If you don’t have a smartphone or you don’t have it nearby, you can still get two-factor authentication through time-based one-time passwords (TOTP) and email login.
If you require assistance migrating from Clef, the Unloq team is also willing to help you out.
Unloq is free for up to 100 users. There are also a lot of useful features for WordPress developers who manage client sites, such as the ability to white label the Unloq app so you can offer two-factor authentication as an added service.
The Google Two-Factor Authentication plugin also doesn’t require the use of a password and works with the miniOrange app, so it’s a suitable alternative to Clef, though it’s free for only one user. When you log in, you can use either your username, password and Google two-factor authentication, or just your username and Google two-factor authentication.
If you’re migrating from Clef, there are six quick setup steps to get a comparable two-factor authentication service to Clef:
- Install the plugin like you would most others in the WordPress repository
- Verify your email
- Select the QR Code Authentication method
- Install the miniOrange Authenticator app on your smartphone
- Scan the QR code on the plugin page with the miniOrange app
- Configure the plugin to your specific needs
If you decide you want to upgrade to premium, there are many other types of two-factor authentication you can choose from including SMS, phone, email and push notifications.
This plugin is by far the most popular for Google Authentication. Like Clef, it offers two-factor authentication, but it’s different because it utilizes the Google Authenticator app. If you have two-factor authentication enabled for your Google, Amazon and Dropbox accounts, for example, you already have this app installed so it’s a convenient option in this case.
Once the plugin is installed and set up, you can scan the given QR code with your smartphone and follow the instructions for creating a profile in the Google Authenticator app. When you need to log in, you can go to the Google Authenticator app and copy the code into the extra field on the login form to sign in.
If you don’t have a smartphone or you don’t have access to WiFi or data on it, you can log in with the web-based version of the app.
It’s a solid plugin that’s updated consistently. When you’re setting it up, be sure to check that your web host can provide accurate time information. The codes are time-based, so if the server’s clock is off, valid codes are rejected and you would get locked out of your site. If that happens, you can remove the plugin by deleting its folder in the /wp-content/ directory via FTP or SSH to regain access to your admin dashboard.
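Why the server’s clock matters, shown as an added example (not code from the plugin or from the original post): a minimal RFC 6238 TOTP check in which the phone’s clock is correct and the web host’s clock is off by a given number of seconds. The secret is the published RFC test key, and the ±1 step tolerance and the names `verify` and `login_outcomes` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for (RFC 6238 default)
# Constructed sample secret: the published RFC 6238 test key, not a real account's.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, digits=6):
    """Return the TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, server_time, window=1):
    """Server-side check: accept codes up to `window` steps either side of
    the server's own clock (window=1 is an assumed, commonly used tolerance)."""
    for step in range(-window, window + 1):
        expected = totp(secret_b32, server_time + step * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False

def login_outcomes(phone_time, skews, window=1):
    """Map each server clock error (seconds) to whether the phone's code passes."""
    code = totp(SECRET, phone_time)  # what the authenticator app displays
    return {s: verify(SECRET, code, phone_time + s, window) for s in skews}

if __name__ == "__main__":
    # The phone's clock is correct; the web host's clock is off by `skew` seconds.
    for skew, ok in login_outcomes(1111111109, [0, 20, -45, 300, -300]).items():
        print(f"server clock off by {skew:+5d}s -> {'accepted' if ok else 'REJECTED'}")
```

A host whose clock is synchronised over NTP stays well inside the tolerance; a clock that is five minutes out rejects every code the app shows.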
The Duo Two-Factor Authentication plugin has many options for logging in. There are passwordless options as well as one-time password options and you can also decide which one you want to use on the fly for your convenience.
Once the plugin is set up and you have signed up for their service for free, there are several different ways you can log into your WordPress site:
- With one-tap using Duo’s mobile app, which you can also install on your smartphone
- Via a one-time passcode generated by Duo’s mobile app (works even if you don’t have cell phone coverage)
- Via a one-time passcode delivered as an SMS message (also works with no cell phone coverage)
- With a phone call to any phone including mobile or a landline
- Via a one-time passcode generated by an OATH-compliant hardware token
It’s free for up to 10 users and you can also choose who is required to use two-factor authentication to log in based on WordPress user roles.
There’s no need to worry about what you’re going to do now that Clef is no longer an option. In fact, you have four suitable and solid alternatives to Clef for two-factor authentication on your WordPress login forms.
No matter which one you use, you can rest easy knowing your sites and your clients’ sites are that much safer from phishing and brute force attacks.