Clef’s Dead, Now What? 4 Free Two-Factor Authentication Alternatives

Clef’s Dead, Now What? 4 Free Two-Factor Authentication Alternatives

The Clef plugin made logging into WordPress easy and more secure thanks to two-factor authentication. But it was recently announced that Clef is sunsetting and now users need to find an alternative.

So what the fudge are we supposed to do now?

Two-factor authentication for logging into WordPress meant you didn’t have to fumble trying to remember all your passwords. It also helped protect you against phishing and brute force attacks since a hacker couldn’t just guess or enter your password to gain access to your site. They would also need access to your smartphone.

If you manage a WordPress site or even several for clients, beefing up the overall security of a site is a no-brainer. Most users know how to strengthen passwords, but a tougher way to crack down on phishing and brute force is two-step authentication.

So here are four excellent and free alternatives to Clef that are updated regularly that you can install on your WordPress site and start using today.

  • Defender

    WP Defender security plugin

    Defender is a one-stop-shop for securing your WordPress website. Not only does it have a ton of features such as security tweaks, file scans and full reporting, but it also has two-factor authentication.

    It’s MultiSite-compatible and uses the Google Authenticator app available for iPhone and Android devices to ensure it gives your site superhero-level protection.

    It installs like most other plugins in the repository and in minutes, your whole site can be secured from top to bottom, inside and out.

    Once you enable two-step authentication as the site or super admin in a couple clicks, you can choose which user roles are required to enable and use this security measure.

    When that’s all done, users can visit their profile editing page in the admin dashboard to turn on this feature and get a QR code. From there, they can scan it using the Google Authenticator app on their mobile device and complete the setup. It takes about a minute.

    The plugin also blends seamlessly into your site’s login page. When a user enters their login credentials, a similarly styled form loads where they can enter the secret security key provided by the Google Authenticator app.

    It’s free for unlimited users. If you want additional options, you can get the premium version free using WPMU DEV’s 30-day free trial.

  • Unloq

    Unloq plugin

    Unloq is an excellent alternative to Clef since you also don’t need to enter a password once the plugin is installed on your WordPress site. Once you have signed up for a free account on the Unloq site and the plugin is set up, your WordPress login password field is replaced with an Unloq button. When you click it, you get a notification on your phone through the Unloq app with the IP address and location of the attempted login, the account username, as well as a button to either approve or deny the login.

    If you don’t have a smartphone or you don’t have it nearby, you can still get two-factor authentication through time-based one-time passwords (TOTP) and email login.

    If you require assistance migrating from Clef, the Unloq team is also willing to help you out.

    Unloq is free for up to 100 users. There are also a lot of useful features for WordPress developers who manage client sites, such as the ability to white label the Unloq app so you can offer two-factor authentication as an added service.

  • Google Two-Factor Authentication

    Google Two-Factor Authentication

    Google Two-Factor Authentication plugin also doesn’t require the use of a password and works with the MiniOrange app so it’s a suitable alternative to Clef, though, it’s free for only one user. When you log in, you have the option to do so by using your username, password and Google two-factor authentication or your username and Google two-factor authentication.

    If you’re migrating from Clef, there are six quick setup steps to get a comparable two-factor authentication service to Clef:

    1. Install the plugin like you would most others in the WordPress repository
    2. Verify your email
    3. Select the QR Code Authentication method
    4. Install the MiniOrange Authenticator app on your smartphone
    5. Scan the QR Code from the plugin page to the miniOrange app
    6. Configure the plugin to your specific needs

    If you decide you want to upgrade to premium, there are many other types of two-factor authentication you can choose from including SMS, phone, email and push notifications.

    Interested in Google Two-Factor Authentication?

  • Google Authenticator

    Google Authenticator plugin

    This plugin is by far the most popular for Google Authentication. Like Clef, it offers two-factor authentication, but it’s different because it utilizes the Google Authenticator app. If you have two-factor authentication enabled for your Google, Amazon and Dropbox accounts, for example, you already have this app installed so it’s a convenient option in this case.

    Once the plugin is installed and set up, you can scan the given QR code with your smartphone and follow the instructions for creating a profile in the Google Authenticator app. When you need to log in, you can go to the Google Authenticator app and copy the code into the extra field on the login form to sign in.

    If you don’t have a smartphone or you don’t have access to WiFi or data on it, you can log in with the web-based version of the app.

    It’s a solid plugin that’s updated consistently. When you’re setting it up, be sure to check that your web host can provide accurate time information. Otherwise, you would get locked out of your site. However, you can remove the plugin by deleting its folder in the /wp-content/ directory via FTP or SSH to regain access to your admin dashboard.

    Interested in Google Authenticator?

  • Duo Two-Factor Authentication

    Duo Two-Factor Authentication plugin

    The Duo Two-Factor Authentication plugin has many options for logging in. There are passwordless options as well as one-time password options and you can also decide which one you want to use on the fly for your convenience.

    Once the plugin is set up and you have signed up for their service for free, there are several different ways you can log into your WordPress site:

    • With one-tap using Duo’s mobile app, which you can also install on your smartphone
    • Via a one-time passcode generated by Duo’s mobile app (works even if you don’t have cell phone coverage)
    • A one-time passcode delivered as an SMS message (also works with no cell phone coverage)
    • With a phone call to any phone including mobile or a landline
    • Via a one-time passcode generated by an OATH-compliant hardware token

    It’s free for up to 10 users and you can also choose who is required to use two-factor authentication to log in based on WordPress user roles.

    Interested in Duo Two-Factor Authentication?

Wrapping Up

There’s no need to worry about what you’re going to do now that Clef is no longer an option. In fact, you have four suitable and solid alternatives to Clef for two-factor authentication on your WordPress login forms.

No matter which one you use, you can rest easy knowing your sites and your clients’ sites are that much safer from phishing and brute force attacks.

For more details on beefing up WordPress security, check out some of our favorite security posts:

Did you use Clef? Would any of these options work for you and how did they fair? What plugin do you use for two-factor authentication if any? Feel free to share your experience in the comments below.
Jenni McKinnon
Jenni McKinnon A copywriter, copy editor, web developer and course instructor, Jenni has spent over 15 years developing websites and almost as long for WordPress. A self-described WordPress nerd, she enjoys watching The Simpsons and names her test sites after references from the show.