How to recover your login with 2FA backup codes
Shield Security offers 4 different types of 2-factor authentication:
- Email - after you login, you'll get an email sent to your account with a code / link to use to complete the login.
- Google Authenticator - you'll use an app that generates a random code which you use to login
- Yubikey - like the other two methods, but uses a hardware device that generates the code
- Passkeys - register Passkeys & FIDO2-compatible devices to complete your WordPress login
Adding 2FA is a great way to keep your account safe but if you lose access to your device or your email, you will need a backup code to regain access to your WordPress site.
For example, if you don't have your phone with you or you replaced/lost it and can't get a code from Google Authenticator, you can use a backup code to login.
Shield allows users to generate a backup code that can be used to login if any of the authentication factors are unavailable. It achieves this through the Allow Backup Code feature. This feature helps you to recover your login with 2FA backup code.
Before we explain how you can recover your login with 2FA backups codes, there are a few things you need to know about recovery codes first:
- Single-use only. When you use a recovery code, it cannot every be re-used.
- One at a time. There is only 1 recovery code available at a time, per account. If you generate a new code, it replaces the existing code.
- Manual code (re)generation. You must manually generate your codes from your WP user profile page. If you use the code, you must manually recreate another.
- It overrides multi-factor authentication. If you’ve configured your system to require all factors (i.e. multi-factor authentication) while logging-in, a backup code will still work. I.e. providing a recovery code will always work to complete your login, regardless of how many factors are missing.
- Backup codes are entirely optional. There is a site-level option to turn on/off backup codes, and individual users can generate and delete their backup codes, as they desire.
- Site Admins cannot manage site users codes. Only users can do this. They create/delete it from within their own profile page.
The Allow Backup Code feature: How to recover your login with 2FA backup codes
The first step to do is to go to the Login Guard module and enable any (or all) of the 2FA types. Then, enable Allow Backup Codes option:
Once you've done this, your site users can use a backup code for their login.
How to create a backup code for a user profile
To create a backup code for i.e. your user profile, please follow these steps:
- Go to your user profile page
- Scroll down the page till you see Backup Login code option
Click the "Generate ONE-Time Backup 2FA Login Code" button
Note: Once you generate the code, you can also delete it if you want.
Important: Before you confirm the code, please copy it and ensure that you store it wherever you keep your other valuable items.
Please also note that, if the option to generate codes does not appear on your user profile, this means that there is no 2FA factor active on your account.
This is a recovery system, and not designed to be a standard 2FA option for everyday use.
So, when you have your backup code stored, you may use it next time you login. The following example is for the illustration purposes only:
- We enabled Email-2fa, Google Autheticator (GA) and Multi-Factor Authentication (MFA) options
- We enabled Allow Backup Code feature
- We created a backup code for the admin user profile
Next time we try to login, we'll be prompted to supply email-2fa and GA codes. But, we can also use a login backup code only to verify our login:
Once the code had been used, Shield will notify us directly on our WordPress dashboard (at the top of the page) and send us an email notice that backup login code was just used.
For more information about this feature, you may read the release article here.
Note: ShieldPRO is required for this feature. To find out what the extra ShieldPRO features are and how to purchase, please follow this link here.