Two-Factor Auth available to test on WordPress.org

As promised in a previous post, 2FA for WordPress.org accounts is now ready to test as an opt-in feature.

Note: this feature is for logging in to the WordPress.org web site itself; it does not affect your personal WordPress

If you’re familiar with 2FA and have an authenticator app such as Authy, Google Authenticator, or KeePass, then you can enable Two Factor auth on your account here:

https://wordpress.org/support/users/profile/edit/account/

You’ll see a screen similar to this:

Follow the Two-Factor Authentication link to get a QR code, and scan that using your preferred authenticator app.

Please make sure you save the Backup Codes! If you lose access to your authenticator app in the future you’ll need those to recover access to your WordPress.org account!

Questions

Is 2FA compulsory?

Not yet. In the near future we plan to begin requiring it for accounts with special access, core contributors, theme and plugin developers, and so on.

It will be optional for casual users’ accounts, subject to changes in best practices.

Does 2FA work with Subversion?

Not directly, since Subversion clients don’t support 2FA.

For WordPress core releases, 2FA has been in use for many years in the form of SSH keys protecting the release system.

For plugin and theme authors, the release management system will require a second factor before code commits are published in downloadable zip files. We’re also investigating other ways of requiring 2FA for code commits.

Does it support hardware keys/WebAuthn?

We do support hardware keys and other WebAuthn-supported factors thanks to the WebAuthn Provider for Two Factor plugin. For now they must be configured through a wp.org admin interface via wp-admin/profile.php, and we are working on adding a more user-friendly interface (see issues #193 and #194). If you want to configure WebAuthn, log into one of the WordPress.org sites (wordpress.org, make.wordpress.org/*, etc.), navigate to Users -> Profile, and scroll to the bottom of the page.

Can I use 2FA on my own WordPress site?

We’re using the Two Factor community plugin along with some customizations. Two Factor is open source and available for anyone to use right now. It’s completely free and stand-alone.

Issues/Feedback

You can file bugs or feedback in meta trac or the wporg-two-factor repository.

Thanks to @tellyworth for help in drafting this post 🙂