How to set up 2FA for a wordpress account using oathtool
I don’t have (or want) a mobile phone (no signal) but I would like to be able to enable 2FA for my WordPress account. Unfortunately the setup process assumes either Authy or Google Authenticator.
Using oathtool I generated the 6 digit response code to set up 2FA using the following command:

oathtool -b --totp '3the yesm i386 6hij 5nuu fest abzk vhdh'

Entering the 6 digit code seemed to set up 2FA and generate a set of backup codes.
However, I am not sure what command I should use to generate a new token when logging in, as it is not obvious what options are required (is it a base32, hotp or totp etc).
I’d really like to use 2FA but I do not want to end up locking myself out of my account!

The solution turned out to be quite a bit easier than I expected.
To set up two factor authentication using ‘oathtool’ you need to log in to WordPress, and select the Security settings under your profile.

Then click on the ‘Two-Step Authentication’ option to start.

On the next page select ‘Set up using an app’ and click on ‘Get Started’.

You will be presented with a QR code. If you were using a smartphone you would just scan the QR code but to use ‘oathtool’ you need to click on the link that says ‘Can't scan the code’.

This will display a Base32 encoded key that you can use to generate a six digit verification code, using the following command (paste the key from your browser into the command below replacing the xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx in the example). Note the single quotes around the text.

$ oathtool -b --totp 'xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx'
263146
$

The command will generate a six digit authentication code. To set up two factor authentication all you need to do is to enter it on the web page and click on Enable.

Make sure you download the backup codes and save them somewhere safe. Then confirm you have saved or printed them and click on ‘All Finished’.

Note – You should keep the key and backup codes somewhere safe; if they are lost or compromised you won’t be able to log in.

Verify that the backup codes work by entering a backup code on the next page and clicking on ‘Verify’ and you should be good to go.

To test it works, log out of WordPress and log in again as normal. When prompted for the verification code run the command again to generate a new six digit verification code (you will need to use the same key as before).

$ oathtool -b --totp 'xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx'
730124
$

Use this new verification code to log in.
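What `oathtool -b --totp` computes, written out as an added Python example that is not part of the original thread. It assumes oathtool's defaults for `--totp` (HMAC-SHA1, 30-second time step, 6 digits); the function names are hypothetical and the sample key is the constructed RFC 6238 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_key(key_b32):
    """Decode a Base32 key as sites display it: grouped with spaces,
    possibly lower case, and without '=' padding (what -b handles)."""
    cleaned = "".join(key_b32.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore stripped padding
    # Raises binascii.Error if the key contains non-Base32 characters.
    return base64.b32decode(cleaned)


def totp(key_b32, now=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238) using HMAC-SHA1."""
    if now is None:
        now = time.time()
    counter = int(now) // step             # whole 30-second steps since the epoch
    mac = hmac.new(decode_key(key_b32), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_remaining(now=None, step=30):
    """Seconds until the current code is replaced by the next one."""
    if now is None:
        now = time.time()
    return step - int(now) % step


# Constructed sample: Base32 of the RFC 6238 test secret "12345678901234567890",
# grouped in fours the way the 'Can't scan the code' page displays a key.
SAMPLE_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    print("code at t=59:", totp(SAMPLE_KEY, now=59))
    print("code now:", totp(SAMPLE_KEY), "valid for", seconds_remaining(), "s")
```

Because the code depends only on the key and the clock, the machine generating it needs a reasonably accurate system time, and the same key must be kept to produce every future code.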