Authentication has a history as long as civilization. As populations grew, people needed ways to confirm their identity, whether via the use of seals, names, signs or force! Back in the day when computers were first being made, authentication was still a big concern. As it is with so many issues in our world, multiple solutions were developed to address this concern. Identity cards (such as ATM cards) and passwords became popular, so much so that they became the quintessential form of authentication. Later, in the internet era, passwords become so essential that it’s hard to believe there are other ways to authenticate. But are passwords secure enough?

Security and usability are two big concerns when it comes to authentication. When using the internet, you can’t show your passport or identity card to enter a website, right? So far, the most usable authentication method on the internet has been using a username and a password. The username is a public form of identification, while your password is something that only you should know. It seems perfect, right? But no, it is not perfect. Perfection is an illusion in online security. There are many issues with passwords. Many users may forget theirs. Many will use weak passwords. Many may even share their passwords with the others, further endangering their security. This is why the classic method of authentication via usernames and passwords is not sufficient to ensure our safety online. 

But what can we do about it? Perhaps it’s time to say goodbye to old-fashioned passwords. In this article, we are going to review the top WordPress login authentication methods available in 2021. One thing that all authentication methods have in common is they allow the owner of a site or account to authenticate their identity. So, we are actually reviewing the processes that allow you to authenticate your identity.

oAuth

OAuth is an authorization method that uses APIs to authorize you to use third party services on different platforms. The benefit of this  is that it can be used to authenticate you as the “owner of a verified user account on that third party platform”. For example, you have a Google account, you use it everyday and you have your own authentication methods such as device confirmation or two factor authentication to access the account. When you want to use another service using oAuth, it will redirect you to your Google login page instead of the third party login page. When you log into your Google account, oAuth will create an access token which will be sent to that third party website, and that token then confirms your identity as a verified Google user. This way, you won’t have to store any password on the third party website.

This comes in handy when you are creating a community-based website. Users often don’t like registration forms. So, this form of authentication is one of the best ways to achieve both security and usability at the same time. Nextend Social Login and Register by Nextendweb is one of the most popular and easy-to-use plugins connecting users with popular social websites. However, you may need to customize your login page and fields, and you may even want to add additional steps to the registration process. In this case, Ultimate Member and its great Social Login add-on will come handy.

Popular plugins providing this method for your website include:

• OAuth Single Sign On – SSO (OAuth Client) by miniOrange
• Login by Auth0 by Auth0

FaceID

Since it requires an Apple account, a large number of people automatically cannot use this method. FaceID is a technology that was introduced by Apple to provide an easy and secure way to unlock Apple devices. It uses face recognition to authenticate users. Although many were initially concerned about the security risks of people using masks and printed faces, nowadays FaceID is seen as a reliable method of authentication. In Oct 2020, the official WordPress blog announced the PasswordLess WP project that uses the Webauthn.io method to authenticate using FaceID and a few other methods. Although face recognition authentication is not limited to this plugin, it can be considered as one of the top WordPress login authentication methods of 2021. Time will tell how popular it will be and if it has a future or not.

On their official WordPress plugin page the developers wrote:

“The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public-key cryptography instead of a password.”

There are other plugins that have been introduced recently that do the same job while offering  additional features. Generally, the number of active installations for such plugins are few, but that doesn’t mean they don’t have a chance to grow. These methods are still new and need to be seen by the community to improve. 

Some plugins representing this feature include:

• Logintap API by Pavel Svinarev
• WP-WebAuthn by Axton
• Skytells Guard – All-In-One Security Pack by Skytells, Inc.

Fingerprint

More and more mobile devices these days come with a fingerprint scanner. It’s actually one of the most secure ways to authenticate ever invented! However, not everyone out there has the proper device to use it. The good thing about this option is that it can use any fingerprint scanner, including external fingerprint scanners that are not attached to any mobile device. 

One of the concerns of using such methods is storing biometric information in a database. Well, you shouldn’t be worried at all. No biometric information will be stored on any of your websites . The device will confirm your identity, then it will send a token to the website and grant permission to log in. So, it won’t store any biometric data, such as your fingerprint, on the website.

Like the FaceID method, it also works with the newly introduced PasswordLess WP project. However since this method is a little bit older, it requires more plugins to function. Actually, some of the plugins are outdated and are no longer maintained. But here are the newly released plugins offering this login method:

• Biocryptology Login by Biocryptology
• RapID Secure Login by Intercede
• Keyy Two Factor Authentication (like Clef) by Nex.ist

SMS authentication

Almost everyone has a cell phone these days. Not all cell phones are smart and have enough sensors and hardware to be used to protect our online security. However, if we consider the owner of a SIM card linked to an online account as the right person to confirm user identity, we can rely on SMS authentication. The method works like this:

While attempting to login or register on a website, you can simply input your phone number. The website will send you a confirmation code via SMS and you type the confirmation code into a box and, shazam! After confirming the code, you are authenticated as that phone number owner. This is a very reliable method, and is so popular these days that it has lots of free and premium plugins. It’s not something new, yet it can be considered one of the top 5 WordPress login authentication methods available in 2021. Every day, more and more websites opt for this method. Although many websites use this as a Two Factor Authentication method and an additional way to recover passwords, it’s also a secure substitute for old-fashioned passwords. 

When it comes to SMS authentication, Digits is king. Digits is a premium WordPress plugin compatible with many community plugins. It makes it possible to override the default WordPress login and registration forms. You know, a lot of WordPress plugins use emails as core information, and because of that, they require users to register using an email address. Digits can provide a way so your users can register WITH or WITHOUT an email address, and that is awesome!

Be aware that using SMS authentication requires an SMS gateway, which may involve some  expenses. But most of the time, it’s worth paying to gain more users. A lot of users don’t know how to use email (it’s a fact) but they probably have a cell phone and are capable of using SMS. Replacing emails with SMS as a way to authenticate users can be considered as a good strategy to gain more users. Digit has 145 active SMS gateways supported. Here are some other SMS login plugins for WordPress. Generally, it’s the most popular alternative for the current WordPress login platform. 

• OTP Login Woocommerce & Gravity Forms by XootiX
• Google Authenticator – WordPress Two Factor Authentication (2FA , MFA) by miniOrange
• Orion Login with SMS by Imran Sayed, Smit Patadiya
• FireMobile – WordPress & WooCommerce firebase mobile OTP authentication (Premium)

Device authentication 

We are actually using the device authentication in all the previous methods explained. But mighty mobile devices have more ways to amaze you with authentication. You might be familiar with the word OTP. OTP stands for One Time Password and is mostly used as an additional login field to provide more security. But what if you could guarantee that the OTP was secure enough on its own? Would it make a good replacement for permanent passwords? The answer would differ depending on the platform you are using, but most of the time it is a YES. 

Similarly, I read about an authentication method that uses cryptocurrency wallets. Imagine using the security of a blockchain system for your WordPress. Although a lot of BlockChain token generators exist to secure your login, only a few are already integrated with WordPress. We’re likely just scratching the surface of the future of blockchain authentication methods. EthPress plugin uses the WalletConnect API to login via blockchain wallets. It only uses devices where the wallet apps are installed.

To login with WalletConnect API, the plugin generates a token on the website, then it allows you to scan it using your wallet app. If the wallet app confirms your identity, it will send the confirmation to your website and your authentication will be approved. This is very secure, but again, not all people have a wallet app installed on their device. 

If you search for “blockchain OTP generator,” you will see that it is still in development and has a long way to go.

There are dozens of OTP generator apps available to install on your device and provide a token for your login. Not all of them can be used on your WordPress website, but it’s worth checking their availability since they offer a secure way to log in. Google the term “OTP generator app” to see how many you can find. As mentioned above, OTPs are usually used to add more security to login pages, so you may consider them as an additional two-factor authentication method to your website. More details about this can be found in this article by my colleague Mac. 

Wrap up

At its core, authentication involves showing something, such as a token, to someone to prove that an account belongs to you. This process can be made more secure if you can be verified as the sole owner of that token. Registration fields are taking those “tokens” from you and login fields are there to check those “tokens” whenever you want to use a service. Based on this concept, many authentication methods are available, from the ones mentioned above and beyond. In this post, I wanted to share with you the top 5 WordPress login authentication methods available in 2021. You may also consider searching for the JWT login authentication method as well, as that is missing from our list but is worth checking out. Please share your comments and questions below in the comments.