Two Factor Authentication
Internet-facing services are under constant attack. They are a coveted resource that provides a foothold once exploited. It’s prudent not to lose control of your services to abuse. One way to do this is to enable two-factor authentication, commonly known as 2FA.
Traditional authentication is based on what you know: a user name and a password. With 2FA, the second factor is what you have: a numeric token. In this post I’ll be covering how to set up 2FA support for WordPress and Webmin using the Google Authenticator app.
First, install the Google Authenticator app on a smartphone or tablet running iOS or Android.
You’ll need this before we enable 2FA support in WordPress and Webmin. Once installed, the app offers two ways to create a token: scanning a QR code, or manually entering the secret API code. We’ll get this information when we enable 2FA on WordPress and Webmin.
This video provides details on how to enable support in WordPress.
There are several Google Authenticator plugins available. Once you have chosen one and it is installed and enabled, go to the Users section of your WP site. Selecting a user brings you to that user’s profile. There you will see a section called Google Authenticator Settings. When it is activated, a secret API code should be shown, along with a QR code. These are what you enter into the Google Authenticator app on your smartphone or tablet. That is it. When you log out and log back into your WP admin site, you’ll be prompted for a username, password, and token.
Enabling 2FA on Webmin is slightly different. Sign in to Webmin and, under Webmin / Webmin Configuration, click Two-Factor Authentication. From the pull-down menu, select Google Authenticator as the authentication provider, then click Save. I often got error messages with a link to the Perl Modules page to install it; click that link. Wait for the process to complete and do not close the page. When it is complete, return to the Webmin Configuration page and click the Two-Factor Authentication link again. Choose Google Authenticator again and click Save. This will reload the Webmin service; wait for it to complete. You will get the message “You can now enroll for two-factor authentication in the Webmin Users module”.
From the Webmin Users link, click Enroll and you should get the API code along with the QR code. Enter this into your smartphone or tablet. Make a record of the codes; you might need them again if you lose your smartphone or tablet. Now 2FA is enabled for the Webmin site.
Another form of 2FA is RSA public-private key pairs. I’ve used this for my SSH services for years. This service is a favorite of attackers, since it essentially provides system-wide access if exploited.
These pages provide steps on how to generate and use RSA public-private key pairs.
Windows – https://support.rackspace.com/how-to/generating-rsa-keys-with-ssh-puttygen/
Mac / Linux – https://support.rackspace.com/how-to/connecting-to-a-server-using-ssh-on-linux-or-mac-os/
Instead of using a smartphone or tablet that displays a token, you use the generated keys to access the SSH service. This method is especially useful for automated systems that connect regularly. Pairing the systems with RSA key pairs ensures that secure connections are established with less risk of compromise.
If you have an internet-facing service that prompts for authentication, I strongly suggest enabling 2FA. This will keep that service available for its intended purpose.
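A key pair only replaces the password if the server stops accepting passwords; otherwise an attacker can still guess the password and never meet the key. The following added check (not from the post or the linked Rackspace pages) parses the global section of an sshd_config the way sshd does, where the first value seen for a keyword wins and keywords are case-insensitive, and reports settings that leave a password-only path open. The two config excerpts are constructed for the example; the keyword defaults it assumes are those documented in the sshd_config manual.

```python
# Constructed sshd_config excerpts (not from the post). sshd uses the FIRST value it reads for
# each keyword, so the order of lines matters and a later "no" does not override an earlier "yes".
WEAK_CONFIG = """
# key pairs work, but a password alone still opens a session
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
"""


def parse_sshd_config(text: str) -> dict:
    """Return the effective global settings: keyword lowercased, first occurrence wins,
    comments stripped, parsing stops at the first Match block (whose lines are conditional)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # "Keyword value" or "Keyword = value" are both accepted by sshd
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> list:
    """List the settings that let a client authenticate without presenting a key."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled; key pairs cannot be used at all")
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'; a password alone still opens a session")
    # KbdInteractiveAuthentication is the current name; ChallengeResponseAuthentication the older alias.
    kbd = cfg.get("kbdinteractiveauthentication", cfg.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("keyboard-interactive auth is enabled; PAM can still prompt for a password")
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes lets root log in with a password")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(text) or ["no findings"])
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())` after making a change, and remember that `Include` directives and `Match` blocks can add settings this simple parser does not follow; `sshd -T` prints the fully resolved configuration when in doubt.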