Skip to main content
Last Reviewed: July 21, 2022

Secure Your Site with Two-Factor Authentication

Set up two-factor authentication on your Pantheon Drupal or WordPress site as an added security measure.

This section provides information on how to use Two-factor authentication (TFA) to keep your sites secure.

TFA is a security practice that requires your website users to provide a secondary form of authentication in addition to their standard username and password.

The two most common methods of secondary authentication are:

  • SMS messaging

  • One-time code generated via an application on a user’s mobile phone

More advanced methods are also available, including:

  • Biometric information

  • Location through GPS

  • Hardware tokens

For more information, see Multi Factor Authentication in Drupal Watchdog and Two Step Authentication on

Benefits of Two-Factor Authentication

Two-factor authentication is a helpful security practice because it prevents attackers from compromising accounts by requiring an extra authentication method beyond a username and password to log in. This is important because standard password access can be easy to bypass if the user:

  • Has a simple password that's easy to guess

  • Is observed typing in their password

  • Has used their password on another site that becomes compromised

By requiring a second form of authentication (especially one tied to a physical device like a mobile phone or a USB key), would-be attackers not only have to compromise a user’s password, but also their mobile phone or physical USB key, which makes the attack more difficult.

Single Site TFA

There are many different WordPress plugins for two-factor authentication that can provide TFA capabilities for a single site. A popular plugin is Duo Two-Factor Authentication, which makes it easy to set up two-factor authentication on your WordPress site.

  1. Sign up for a Duo account.

  2. Log in to the Duo Admin Panel and navigate to Applications.

  3. Click Protect an Application and locate WordPress in the applications list.

  4. Click Protect this Application to get your integration key, secret key, and API hostname.

  5. Install and activate the Duo Two-Factor Authentication plugin on your WordPress site. You can do this through the WordPress admin panel, or with Terminus:

    terminus remote:wp $ -- plugin install duo-wordpress --activate
  6. Open the settings page for the Duo plugin, then configure Duo with your integration key, secret key, and API hostname from the Duo WordPress application you created earlier at

    TFA Duo Configuration

  7. Click Save Changes. The page will be automatically redirected to the Duo setup wizard.

  8. Follow the on-screen instructions to configure an authentication device to your site and test it. Your browser will be redirected back to the plugin settings page after the configuration is complete.


Duo configuration settings and keys are stored in the database. To avoid setting up new keys for each environment you can:

  • Synchronize and import your database

  • Use a tool like WP-CFM

  • Keep the new application page from the Duo Admin panel open, and reenter the values for each environment

Organization TFA

There are many different organization-wide WordPress plugins for single sign on that can provide TFA capabilities. One of the service options we use internally at Pantheon is OneLogin, which has the OneLogin SAML SSO plugin.

OneLogin Instructions

  1. Sign up and create a OneLogin account for your organization.

  2. Install the WordPress SAML 2.0 app connector as part of the OneLogin dashboard (you need administrator privileges to install apps). This must be done for each WordPress site that is being managed by OneLogin.

  3. Edit the OneLogin WordPress app connector to provide the appropriate default values for the Configuration section. Other sections should already be set up correctly.

    TFA OneLogin Config

  4. (Optional) Configure the Authentication Factors found under Settings for a list of authentication factors you can enable for your different users.

    TFA OneLogin Methods

  5. Create user accounts in the Users Administration area of OneLogin.

  6. Click New User and verify that the “Username” and "Email" fields in OneLogin match their WordPress username and email.

    TFA OneLogin New User

WordPress Instructions

  1. Install and activate the OneLogin SAML SSO plugin on your WordPress site.

  2. Configure the Identity Provider Settings section in the SSO/SAML Settings within the WordPress Admin to provide the appropriate values, which are available in the SSO section of the OneLogin Configuration page.

    TFA OneLogin Ident

  3. Configure the Options section (optional) under the SSO/SAML Settings:

    • Select the Create user if not exists checkbox if you want users to be auto-created.

    • Select the Keep Local login checkout if you still want to use the normal WP login form, otherwise you will always be using OneLogin to authenticate.

    TFA OneLogin Options

  4. Populate the Attribute Mapping fields below in the SSO/SAML Settings of the WordPress Admin. Values are case-sensitive.

    • Username
    • E-mail
    • First Name
    • Last Name
    • Role

    TFA OneLogin Attributes

  5. Configure the Customize Actions and Links in the SSO/SAML Settings of the WordPress Admin to Prevent use of ?normal. This requires OneLogin as the authentication solution.

    TFA OneLogin Custom Actions

  6. Use the OneLogin dashboard to log in to your WordPress site.

    TFA OneLogin WP Login


    You can also refer to OneLogin's documentation, Configure SAML for WordPress, for further troubleshooting. You will need a OneLogin admin account to access their knowledge base.

Pantheon Platform TFA

Log in with Google

The Pantheon Dashboard offers social login with Google, which can be configured to use Google TFA:

Connect with Google


We recommend adding an SSH Key to authenticate yourself on Pantheon for operations such as SFTP connections, which allows for more security than a simple password. If you've registered via social login (Connect with Google) and you'd still like to add a password to your account, logout and visit

Single Sign-on for Orgs

Single sign-on (SSO) allows users to authenticate against your Identity Provider (IdP) when logging into the Pantheon Dashboard. For more information, see Single Sign-on for Pantheon Organizations.

More Resources