A few months ago, I enabled two-factor authentication for WordPress.com. There are a number of reasons I did so. For one, at Range, we sometimes work on WordPress VIP projects, where two step authentication is recommended for about anything that could interact with those projects (.com, email, etc). Second, it was required for me to participate in a Jetpack Beta Group Blog I was asked to join.
For those unaware, two step authentication basically requires you to utilize both a password and a method for assuring that it was really you who used that password. Most of the time, this is handled through a phone or other device that only you would have on you. So if your password is hacked, the hackers doesn’t have the periodically regenerated key from your phone’s two step authentication app, and your account remains protected.
Enabling two step on WordPress.com is pretty easy. Once you are logged in on WordPress.com, you can go to Settings > Security to set it up. You simply toggle the option, give it your phone number, and install an app like Google’s Authenticator on your iPhone or Android.
Now, when I log into any WordPress.com account (Jetpack, Gravatar, and other entities included), I simply enter the code from Authenticator in addition to my normal password. Easy peasy.
Except all of a sudden, I couldn’t sync Jetpack within the WordPress iOS app. I just let this go for months, but it drove me crazy. I love looking at my stats on my phone (I’m obsessive like that). So finally I took the twelve seconds to ask the Jetpack team on Twitter. Always responsive, they helped me out quickly:
— Jetpack (@jetpack) February 19, 2014
Aha! I didn’t notice it when I initially enabled two step, but if you want to access your WordPress.com accounts (or importantly in my case, Jetpack), you have to create an application on the same WordPress.com Security Settings screen and use that as your new Jetpack password.
All that time I thought I had just somehow stored the wrong password in 1Password (another great app for secure password best practices) and in fact it was right but I never enabled my device to access the account.
Hopefully this helps someone else out there in the internet looking for help getting properly setup across devices with two step authentication.