Last year we purchased a license for an multi-factor authentication plugin (miniOrange) for WordPress. Unfortunately, the licensing is tied to the HOST NAME of the server on which it was installed, which makes the plugin utterly unworkable since the Pantheon workflow would appear to the developers as 3 separate hosts.
I see in the docs references to Duo and OneLogin and there are 20+ other MFA plugins we could try but I’m concerned about ending up paitned into the same environmental corner.
Can anyone recommend a known-good MFA plugin for WordPress that will function in the Pantheon workflow?
I haven’t tested on Pantheon-specifically, but I have used two-factor at my last agency gig. Notably, it’s hosted on GitHub under the WordPress organization, so I take that to mean it will continue to work with modern WordPress and doesn’t have any external dependencies.
FWIW, this conversation actually came up recently in my team as a result of the recent Wordfence State of WordPress Security report – one of the takeaways I had was this quote:
Stolen credentials remain the leading cause of account compromise across all organizations, and WordPress is no exception. Many people reuse the same credentials for multiple sites, and data breaches exposing old passwords are common. The most effective defense against this type of attack is to use strong unique passwords for each site and implement Multi Factor Authentication (MFA).
…so 2fa/mfa is something that’s been on my mind of late.
Thanks for the response, Chris. Well, it it comes from github that would alleviate licensing concerns, unless they started hosting non-open source stuff. I’ll look into it.
Yeah, licensing should not be an issue and honestly, I wouldn’t expect a good 2FA plugin to require a license unless it’s doing something really special.
You hit the nail on the head with bells and whistles. The miniOrange plugin works with a myriad of authenticators, can send SMS text, call your grandparents to see if they recognize your voice, etc. etc.