We’re rolling out 2 Factor Authentication for GOV.UK Blogs

At dxw we understand the importance of security. The internet is a scary place and, for our public sector clients, security is always high on the list of priorities. Often the websites we create for our clients contain sensitive data.

Not getting hacked and keeping logins secure is a must to preserve this data and the reputation of the organisations we represent.

That’s why we’ve been excited that the Government Digital Service (GDS) have been taking the issue of WordPress security seriously and working with us over the last couple of months to develop and roll out a 2 factor authentication (2FA) plugin for WordPress.

A little about 2FA

Usually, to log in to a website’s admin area you need one set of credentials: your username and your password. 2 factor authentication relies on users having something only they know (i.e. a password) and also something they have (in our case, a mobile phone).

Adding this makes it much harder for hackers to gain access to your WordPress account. Now they don’t just need your login details but also a device that you own to break in.

Developing a great plugin focused on user needs

This WordPress plugin has been built with users in mind from the very start. There are a few 2FA solutions available for WordPress, but none that could meet all of the user needs we uncovered with bloggers in government.

We made a prototype of the service with some basic functionality which, after a two-week sprint, we were able to test with real users, getting immediate feedback on how the features we had built were performing.

With some real user feedback in the bag after only a small amount of upfront work, we could then enhance the plugin. One of the main issues with existing 2FA on WordPress is that it often relies on having a smartphone app to authenticate. For a 2FA plugin that will potentially be used by thousands of users across government, we couldn’t rely on everyone having a smartphone. So, to address this need, we made sure we developed an SMS alternative for users without smartphones.

One of the (many) great things about working with GDS is their focus on user needs as a core part of the services they are responsible for. It was great to have the buy-in from the start to move in short two-week sprints and build in testing and feedback from users. GDS were also kind enough to run the wording for the plugin past some of their very skilled content designers, who helped to make the user journeys as slick as possible and worded in a clear and accessible way.

What’s next

GOV.UK blogs will be rolling the plugin out to users on the blogs platform over the next few months. We’ll be working closely with GDS to make sure we continue to listen to user feedback so we can iterate our 2FA plugin. We’ll also be including the plugin as an added extra for clients on our Official-sensitive hosting package. To make things open, we have even made our 2FA repository public on GitHub so you can check out the code yourself (if you are so inclined).

Stay tuned for updates on this and other ways we are improving WordPress security.