2FA SMS Message Updated

We have updated the format used for Two Factor Authentication SMS messages. The new format adopts a proposal from the WebKit team to standardize the message format used for delivering verification codes. It aims to add more context and clarity to the messages and to support future “auto-fill” capabilities across browsers.

Old format:

The verification code you requested is: 123456

New (standardized) format:

123456 is your Example Marketing verification code.
 
@example.com #123456

In the example above, “Example Marketing” is the Site Title of your website. Messages for multisite subsites will reflect the Site Title and Site URL of the subsite, not the parent site.
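The last line of the new format names the site the code belongs to, which is what lets a browser offer the code only to that site. The sketch below is an added example, not code from VIP or from the WebKit proposal: it parses the message shown above and releases the code only to a matching host. The function names, the accepted character sets and the subdomain matching rule are assumptions of this example.

```javascript
// Sample messages, constructed from the two formats shown above.
const OLD_SMS = "The verification code you requested is: 123456";
const NEW_SMS =
  "123456 is your Example Marketing verification code.\n\n@example.com #123456";

// Machine-readable last line: "@<domain> #<code>".
// The character sets accepted here are an assumption of this example.
const BOUND_LINE = /^@([A-Za-z0-9.-]+) #([A-Za-z0-9]+)$/;

// Returns { domain, code } when the final non-empty line is in the
// domain-bound form, otherwise null (for example, the old format).
function parseBoundCode(smsBody) {
  const lines = smsBody
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line !== "");
  if (lines.length === 0) return null;
  const match = BOUND_LINE.exec(lines[lines.length - 1]);
  if (!match) return null;
  return { domain: match[1].toLowerCase(), code: match[2] };
}

// Releases the code only when the page's host is the named domain or one
// of its subdomains (matching rule assumed for this example). A suffix
// check without the leading dot would wrongly accept "notexample.com".
function codeForHost(smsBody, pageHost) {
  const parsed = parseBoundCode(smsBody);
  if (!parsed) return null;
  const host = pageHost.toLowerCase();
  const matches =
    host === parsed.domain || host.endsWith("." + parsed.domain);
  return matches ? parsed.code : null;
}

console.log(codeForHost(NEW_SMS, "example.com"));
console.log(codeForHost(NEW_SMS, "example.com.phish.test"));
console.log(codeForHost(OLD_SMS, "example.com"));
```

A message in the old format carries no domain, so this check has nothing to bind the code to and returns nothing for it.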

This message format is now deployed to all VIP Go sites.

If you’re interested in learning more, please visit our Two Factor Authentication documentation or get in touch.

GitHub Two-Factor Authentication

This notice relates to the following platforms: VIP Go

On Monday, April 17, 2017, we will be requiring Two-Factor Authentication for all VIP Go repositories hosted on GitHub.

Please make sure that you and your team have enabled Two-Factor Authentication for your GitHub accounts prior to April 17. After that date, any accounts without Two-Factor Authentication will lose access to the wpcomvip organization, where all VIP Go repositories are hosted, including all read/write/admin privileges.

If you have any questions or concerns, please get in touch and we’d be happy to help.

Update (2017-04-17 11:00 ET): Two-Factor Authentication is now being enforced for all VIP Go repos. Thank you to all users who took the time to enable it for their accounts. If you were unable to enable it and still need access, please get in touch and we’d be happy to help set up 2FA and restore your access.

Forcing Two-Factor Authentication on WordPress.com VIP

This notice relates to our customers hosted on WordPress.com VIP. VIP Go sites are not affected.

Keeping your sites secure is one of our top priorities. One of the ways bad actors attempt to compromise sites is to use the credentials of privileged users whose passwords may have been leaked as part of a hack on another service.

Using unique passwords is one way to protect against this, and another is two-factor authentication (2FA). 2FA helps to verify that the person attempting to log in is the actual user, and not an attacker.

To help you protect your sites from this type of attack, we’re introducing a policy of forced 2FA for all users with the ability to publish on WordPress.com VIP.

From 6th March, any newly created users on a VIP site will be required to have two-factor authentication enabled in order to publish.

From 7th April, all users with the ability to publish on a VIP site will be required to have two-factor authentication enabled.

The change means that users without 2FA enabled will see a “Two Step Authentication is required to publish to this site” notice at the top of their admin screens.

For these users, instead of a Publish button, they will only see a “Submit for Review” button.

Any users requiring the ability to publish should follow the instructions to enable two-factor authentication on their account.

Some users have asked about options for two-factor authentication without the use of a mobile device. Authy offers desktop applications that could be used in conjunction with our support for using an authenticator app. You may also be able to set up SMS delivery of two-factor codes via VoIP services like Google Voice or Skype, though delivery may not be reliable in all areas and should be tested thoroughly before relying on it.

If you have any questions about this policy, please open a support ticket and we’ll be happy to help.