This is a short & out of character post from me, to complain about the “2-step verification” process I just embarked upon with WordPress, as a warning to anyone else who decides to upgrade their security.
When I logged in to write a post earlier today, I had a notice on my WordPress account saying that I needed to upgrade security and inviting me to set up “2-step” account verification. I decided to do it, because at my previous workplace, the website, hosted on WordPress, was hacked, so I thought it was probably a good idea to upgrade security. Lots of other online accounts now ask for a phone number as a backup in the case of losing your log in so that is nothing new. As with those online accounts, I thought that the “2 steps” would be required in the case of losing my log in or some unusual security breach – not every single time I log in!
However, after you go through the process and enter the security code that is sent to you, it is explained (when it’s too late to back out), that it’s not just providing a phone number for use in the case of needing to verify your account at some stage, the way you do for your eBay account, your Twitter account and a million other accounts. On WordPress, now that I’ve handed over my phone number it appears that I can no longer log in to my account without having my phone close at hand. I discovered this when I just tried to log in again now, some hours later, and after entering my user name and password as per usual, a new log in screen popped up, asking for the verification, which instantaneously arrived on my phone at the same time.
Now some people may not care about this extra step or what it implies, but I really, really hate this, for 3 reasons.
1. It adds an extra step to logging in, so now just my user name and password are not enough, I have to type another field in before I can log in. That seems a little bit backward to me. Even my bank is happy for me to log in with just a user name and password, so why the Fort Knox-style security around my blog?
2. I’ve been deliberately forced into needing to have not one, but 2 devices with me even if I’m writing my blog on my laptop, which is where I usually write – or even if I want to do a sneaky edit on the computer at work. Why should I have to do that? As a Generation Xer, I am not surgically attached to my phone, but more to the point, I resent being forced by WordPress to have to have my phone activated when I want to write, or read other people’s blogs and comment on them. This feels a lot like Facebook trying to force us to download its new Messenger App onto our smartphone, which will apparently invade our privacy like nobody’s business. (I won’t be downloading that App so if you message me on Facebook, you’ll have to wait until I’m at my laptop before I reply.)
3. My suspicions about the reason for this ridiculously over-the-top “security”. My blog is not quite as high a security risk as the investment account of a major oil company. I am not writing posts about matters of international security, unless eyeballs and moustaches have taken on a significant role in international espionage that I was not aware of. How on earth does WordPress justify the requirement for me to have to enter a uniquely generated security code each time I log in to write a post on my personal blog?? The other option was to download a Google app, which I avoided by having the codes sent by SMS instead, but this makes me suspicious that the whole “security verification” ruse is just a setup to glean more personal information for Google.
Of course, I could try staying logged in to my blog, I guess, it’s just that I also resent being forced into doing that. In my thinking, if a program is set up to manipulate you into staying logged in (à la your Google account where it’s soooooo hard to find where to log off!!), it’s so that someone can build a consumer profile on me based on everything I click on or search while I’m logged in. Unlike most people, I still try to remember to log out of most applications when not using them, just to cut down on the amount of targeted advertising, directly related to sites I’ve looked at, that pops up in sidebars on websites and serves to remind me that “free” access to websites and open source software comes at a price.
I guess to some extent if I want to use the internet I have to accept that I’m being profiled and that targeted advertising will happen, but I resent WordPress introducing this extra step required to log in, that comes under the pretence of being required for security, makes it more tedious for me, and sounds likely to create a problem if/when I lose my phone.
Discerning readers will probably be asking a pertinent question at this point: if I need my phone in order to log into my blog, what am I supposed to do if I lose my phone? Good question, discerning reader. Well, never fear, because in an astoundingly complicated system designed to alleviate any such concerns, WordPress have sent me a list of 10 “backup codes” that I need to “print out and save” and can use if I lose my phone. What I do after I’ve logged in 10 times (you need a new code each time) is not clear, and I know it can be frustrating waiting for a response from WordPress Support, so I don’t look forward to that scenario.
So in brief, assuming I’m not the very last person to do so, I suggest that if you are as protective about your privacy as I am, you should consider holding off on upgrading your security to “2-step verification”. I’d genuinely love to hear from WordPress why that is required, and until I do, I remain unconvinced that it IS actually about security.
I’d also love to hear from any readers with advice about this 2-step verification process. What do you think? Have you found it a pain? Am I being an obstinate old goat by refusing to just stay logged in on my computer and allow Google to track the fact that every third post I write features the word moustaches?
As Goldfish said in a recent post, I’ve always been pretty happy with WordPress, and recommended WordPress to others for blog hosting until recently. Some of the changes they make to functionality are irritating, but this new 2-step security verification is too over the top for me. I kinda thought WordPress had a community ethos, but suddenly I feel like a pawn in a deliberate information-gathering ploy which is only for the benefit of WordPress – or possibly some other large multinational business partner – but not me. Dislike.
**Update:** (about an hour after writing this post). Yes! Just what I was hoping for – the lovely Draliman responded almost immediately with advice on how to turn the 2-step verification off – something that I couldn’t find by searching the WordPress Support page or help forums. I knew it would take days to get a response from WordPress if I posted a question on the support page, so in the heat of the moment, I thought I’d try my luck with putting it out to all you lovely readers. For anyone else who doesn’t like 2-step verification, check out Draliman’s comment below to find out how to turn the pesky thing off.