
I have been fiddling with my multi-factor authentication, probably more than I should. I had been using Duo Mobile on Android. Then my workplace required me to add the Akamai app because they use Akamai. I wrote about this a few months ago, because I had been playing with the Microsoft Authenticator. But I only got halfway off Duo Mobile, to Microsoft, and then found that I had to keep Duo because I had an account that required it. This has forced me back to Duo Mobile but gave me a chance to update my WordPress Duo authentication.

As I mentioned in that last post, I am not a fan of corporate endpoint security mandating a specific authenticator. There are so many good authenticators and I would like to have some flexibility in my choice.

Multi-Factor Authenticators

It means that, in the last few months, I’ve tried the Duo Mobile, Microsoft, and Akamai authenticators. There’s not a lot of difference between them but Microsoft had a couple of nice extra features.

If you’re a Google account user, you may have experienced them using your device as your second factor. With Google prompts, instead of a password, your phone displays a screen to confirm that you are accessing a site. I like this option better than SMS text messages but less than an offline authenticator app. Google has an authenticator app too but I’ve pretty much dropped any Google product due to their extractive focus on personal data.

Duo Mobile is a plain vanilla authentication app. You can create new entries using either a QR code or typing in a code given to you by the site you’re trying to secure. Like most authenticators, there’s no way to organize the 2FA entries, other than to manually move them up or down. I have slowly gotten used to just using the search function. Duo is also pretty basic when it comes to icons or color-coding, so I make sure to label each entry as clearly as possible when I create it, to make it as searchable as possible.

I use 2FA for every account that offers it, and use the authenticator app whenever that’s an option. I am still amazed at how many sites only offer SMS or text-based codes. But I’ll secure any account that has reputational, financial, or private information (like healthcare) risk associated with it.

Microsoft Authenticator blends a bit of Google with Duo. You can create MFA entries with a QR code or manually. Each entry is matched more closely to the icon of the website it belongs to, but otherwise you can re-order and search the same way in all of these apps.

If you’re a Microsoft Office or 365 user, the Microsoft Authenticator will also do a phone-based prompt instead of requiring a password. Since I am on 365, this seemed like a great addition. It was one of the features that tipped me over to using the Microsoft app.

There was one weird behavior in the Microsoft app. In all of the other authentication apps I’ve used (Akamai, Google, Duo), when you open the app, it usually gives you 30 seconds to use the code. In the Microsoft one, it’s running on its own clock. So there are times when you generate a code and you have only 3 seconds, and the next time it’ll be 19, and the next time it’ll be 30. This was frustrating because sometimes you had to wait for the new code to be generated if you weren’t quick enough to enter the first code.

For a brief moment, I considered whether Bitwarden would work for my two-factor resource. There’s a mobile app, desktop app, and a web browser version of the app and I’m using it already for my password management. It’s a premium option, though, and it would only be a good option if I wasn’t tied to any other 2FA app. Which I am.

A screenshot of the Bitwarden password manager web app, showing a new item screen. There is an option for one-time passwords (OTP) in the center.

Also, I’m not entirely clear how it would work. There is no visible access point for multi-factor within the Bitwarden Android app. So if this is a web-only feature, it seems like not a great way to ensure you have access. The best case for multi-factor is an offline resource, like a hardware key or a device-based code generator. Anything that’s web-based or text (SMS)-based is sub-optimal.

In the meantime, I have swapped jobs. The need for the Akamai 2FA app is gone. The requirement for Duo remains, so I have returned to it and dropped the Microsoft Authenticator. It led me to checking back on the WordPress Duo security plugin.

Duo Mobile for WordPress

As part of my move away from Duo and to Microsoft, I had decided to drop the Duo plugin from this WordPress site. I had been using the Duo push—which is a verification via the app rather than the generation of a code—for my website login.

One of the things that first attracted me to Duo was the free security dashboard option. If you use the WordPress plugin, this is a nice management tool for a small website or organization. You can manage up to 10 users on the free plan and each user can have multiple devices. If you’re running a small organization, you can use it to manage multi-factor access for your staff. This allows you to set a policy (like requiring every user to have 2FA) and to monitor access by devices that use Duo. You can even un-enroll users if, say, staff leave your office or people should no longer have access.

A screenshot of the Duo Security dashboard access log. It shows information like when the WordPress Duo login is accessed, from where (including the IP address, which I’ve removed from the image), and the user name.

But the Duo Mobile plugin was reaching end of life and I was concerned that it was going to become unsupported. In fact, they had released a replacement and I just hadn’t understood how it worked. The Duo Universal plugin will provide the same functionality, but you have to set it up a bit differently.

This foxed me the first time. I had already created my application in the Duo Security dashboard, since I’d signed up for the free service. I think that my original use of the plugin probably drove this subscription to Duo Security. Like many web-based apps, the plugin needs a client ID and related credentials to access the Duo API.

Once you’ve installed the Duo Universal plugin, the configuration is not hanging off a Tools menu, which is normally where I look. Instead, it’s buried in the Site Settings, and you just scroll down to the section on Duo Security. I run a multi-site WordPress installation, so this Settings menu is at the top of the WordPress installation, and not within my blog (or other individual) site.

A screenshot of the Settings for a WordPress multi-site implementation. This section reflects the Duo Security section, including the area for the Client ID, Client Secret, and the API hostname. This information is all available from your Duo Security dashboard.

If you have been using the older Duo Security plugin for WordPress, you will see in your Duo Security dashboard that your plugin needs to be updated. Once you have migrated to the Duo Universal prompt, it will show that the site is up to date.

A screenshot from the Duo Security dashboard showing the application configuration.

In a way, my departure from Duo Mobile a couple of months ago—and the replacement of the Duo login plugin with the built-in Wordfence 2FA function—made this all much cleaner. Once I realized I was stuck with Duo on my phone, I didn’t have anything to clean up on my website. I could just add the Duo Universal plugin and configure it.

I had to disable the Wordfence multi-factor authentication before making Duo my login device for the website. Otherwise, I’d still get the Wordfence 2FA prompt upon logging in (or whatever might happen if you have two plugins that collide).

Time well spent. I moved all of my multi-factor codes back from Microsoft, deleted the app (and the Akamai one) and have settled back on Duo products for my phone and website. Resetting all of the codes never takes as long as I think it will. In some cases you have to turn off two-factor and turn it on again. In some cases you have a reset function that just overwrites the previous multi-factor. All in all, it was time well spent. I will no longer have to remember which multi-factor app has the right code on it.