Passwords can be guessed or even cracked by determined attackers. One way to help protect account access is to use an additional authentication method other than a password. This is known as Multi-Factor Authentication (MFA), also commonly called Two-Factor Authentication (2FA).
The additional method (also called a “factor”) recommended for WordPress is the use of a software “token.” One option is to implement the Google Authenticator plugin and the Google Authenticator mobile application.
When a user attempts to log in, they will be prompted for their username and password, plus a 6-digit pin number. This pin number is a continually-changing key produced by Google Authenticator app on the smartphone that only the account owner has access to. If the account password is stolen, an attacker still will not be able to access the user’s account unless they also have the user’s smartphone.
After the module is installed, each user can enable Google Authenticator in their WordPress User Profile. It’s important to note that, even though this is a Google product, no data is being transferred to Google services. This method of Multi-Factor Authentication works using a cryptographic key exchange that doesn’t require any central server to function.