Last year we purchased a license for a multi-factor authentication plugin (miniOrange) for WordPress. Unfortunately, the licensing is tied to the HOST NAME of the server on which it was installed, which makes the plugin utterly unworkable since the Pantheon workflow would appear to the developers as 3 separate hosts.
I see in the docs references to Duo and OneLogin and there are 20+ other MFA plugins we could try, but I’m concerned about ending up painted into the same environmental corner.
Can anyone recommend a known-good MFA plugin for WordPress that will function in the Pantheon workflow?
I haven’t tested on Pantheon specifically, but I have used two-factor at my last agency gig. Notably, it’s hosted on GitHub under the WordPress organization, so I take that to mean it will continue to work with modern WordPress and doesn’t have any external dependencies.
Stolen credentials remain the leading cause of account compromise across all organizations, and WordPress is no exception. Many people reuse the same credentials for multiple sites, and data breaches exposing old passwords are common. The most effective defense against this type of attack is to use strong unique passwords for each site and implement Multi Factor Authentication (MFA).
…so 2fa/mfa is something that’s been on my mind of late.
You hit the nail on the head with bells and whistles. The miniOrange plugin works with a myriad of authenticators, can send SMS text, call your grandparents to see if they recognize your voice, etc. etc.