However, this is yet another reminder that standard username and password security is a miserable failure.
There are some caveats though:
- Don’t put spaces in your Description field when generating the QR code. Some implementations of Google Authenticator don’t like that.
- Generate an application password if you use WordPress on a mobile device. Write this down before pressing “save” because it is hashed when saved.
- If your server and your mobile device are out of sync by a few minutes, there’s a setting called “relaxed mode” which will allow for a 4-minute drift either way.
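To make the drift and Description caveats concrete, here is an added example (not the plugin's code) of RFC 6238 verification with a configurable drift window, plus a QR-code URI whose label is percent-encoded. The function names, the ±30 second "strict" window and the tiny timestamps are assumptions chosen for illustration; the ±4 minute window is the relaxed mode described above.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote

STEP = 30  # seconds per time step (RFC 6238 default, used by Google Authenticator)

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, server_time, drift_seconds):
    """Accept a code from any time step within +/- drift_seconds of the server clock."""
    steps = drift_seconds // STEP
    for delta in range(-steps, steps + 1):
        candidate = totp(secret_b32, server_time + delta * STEP)
        if hmac.compare_digest(candidate, submitted):  # constant-time compare
            return True
    return False

def provisioning_uri(description, secret_b32):
    """otpauth:// URI encoded into the QR code; spaces in the label become %20."""
    return "otpauth://totp/" + quote(description, safe="") + "?secret=" + secret_b32

# Constructed sample data: the RFC 6238 test key, and small timestamps so the
# codes can be checked against the published RFC 4226 test values.
SECRET = base64.b32encode(b"12345678901234567890").decode()
SERVER_NOW = 255   # server clock, in seconds
PHONE_NOW = 135    # phone clock is two minutes behind the server

if __name__ == "__main__":
    code = totp(SECRET, PHONE_NOW)
    print("code shown on phone:", code)
    print("strict  (+/- 30 s): ", verify(SECRET, code, SERVER_NOW, 30))
    print("relaxed (+/- 240 s):", verify(SECRET, code, SERVER_NOW, 240))
    print(provisioning_uri("My Blog", SECRET))
```

With these numbers the relaxed window accepts codes from 17 time steps instead of 3, so any code that is observed or guessed stays valid for longer. Fixing the clock with NTP is the tighter option where you control the server.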
That’s pretty much it! As for 1Password (which I use), I have to recommend disabling auto-submit, for obvious reasons. That said, I’ve heard a rumour that they’re building in two-factor authentication at a later stage.
Even so, with 1Password and the Google Authenticator mobile application, this is a fairly simple solution to a massive security risk, and I recommend it.