I set up two-factor (or two-step or 2FA) authentication on my WordPress.com account yesterday. It’s an extra layer of security: anyone trying to gain access to your account wouldn’t get in even if they found out your user name and password. That’s because you enter something you know (password) and something you possess – such as a code sent to or generated by your mobile phone.
WordPress uses the Google Authenticator Android and iOS smartphone app, as well as some other options.
I found it very easy to set up. But when I tried to access my WordPress.com account on my mobile devices, I ran into difficulties.
What I hadn’t realised is that the Google-based two-step auth that WordPress uses doesn’t (currently) work seamlessly on mobile devices, even Android ones. Or put another way, you need to follow a different route to set it up to work on your Samsung Galaxy S5, iPhone or iPad. You need to log in to your WordPress account and generate an application-specific password for each device. Once you’ve done this, WordPress treats your phone as a trusted device, which means you don’t have to do this again. (You can switch off access remotely if you ever lose your phone.)
To do all this, go to the settings page of your account, and click on the security tab. You can switch on two-factor auth here, print backup codes and generate application-specific passwords. This is where you’ll find which devices you have set up access for, and can revoke access if necessary.
Incidentally, you’ll need to follow a similar process if you apply two-factor authentication for your Google accounts, such as Gmail.
You can find more info on WordPress’s support pages.