Set up Two-Factor authentication WordPress.org

While WordPress.org has supported two-factor authentication since May, today we deployed a new user interface for adding security keys and a handful of other improvements.

Find your Two-Factor authentication settings

While logged in, visit your profile and locate the “Security” section. Click “support forum profile”.

What are security keys and how can I set them up?

Security keys use biometrics, digital cryptography or hardware keys to provide an additional layer of security when logging into your WordPress.org account. They’re more secure than the one-time passwords found in many apps because security keys aren’t vulnerable to phishing attacks. Some popular examples are Passkeys and YubiKey devices.

Click on “Two-Factor Security Key” and follow the instructions provided.

Notes:

  • Browsers and devices have varying support for security keys. Your experience registering a new key will vary.
  • We currently default to using security keys over Time-Based One-Time passwords. We have a plan to make that configurable in the future.

What are Time-Based One-Time passwords and how can I set them up?

Time-Based One-Time Passwords (TOTP) are temporary codes generated by an authentication app on your device. They change every 30 seconds and are used in conjunction with your password to verify your identity during login.

Click on “Two-Factor App” and follow the instructions provided.
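
The difference between the two factors described above, as an added example that is not WordPress.org's own code: a TOTP code is derived only from a shared secret and the clock, while a security-key response includes the origin of the page that requested it, which the server compares with its own. The secret, challenge and origins are constructed sample values, `https://wordpress.org` as the expected origin is an assumption, and the signature check that a real WebAuthn verification also performs is left out.

```python
import base64, hashlib, hmac, json, struct

# Constructed sample values, not taken from WordPress.org.
SECRET = b"12345678901234567890"      # RFC 6238 test secret
CHALLENGE = b"constructed-challenge"  # random bytes the server would issue
ORIGIN = "https://wordpress.org"      # assumed relying-party origin

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 (HMAC-SHA1): the code depends only on the secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret, code, unix_time, window=1):
    """Accept the current 30-second step and `window` steps either side (clock drift)."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-window, window + 1))

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def client_data(origin, challenge=CHALLENGE):
    """Stand-in for the browser, which records the origin of the page that asked."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def verify_client_data(raw, expected_challenge, expected_origin):
    """Server-side clientDataJSON checks; the signature over it is not verified here."""
    data = json.loads(raw)
    return (data.get("type") == "webauthn.get"
            and data.get("challenge") == b64url(expected_challenge)
            and data.get("origin") == expected_origin)

if __name__ == "__main__":
    code = totp(SECRET, 59)
    # A TOTP code carries no record of where it was typed, so it verifies as long
    # as it is fresh.
    print("TOTP accepted:", verify_totp(SECRET, code, 59))
    # A security-key response names the requesting origin, so one produced for a
    # different site fails the server's check.
    print("same origin:", verify_client_data(client_data(ORIGIN), CHALLENGE, ORIGIN))
    print("other origin:", verify_client_data(
        client_data("https://wordpress.example"), CHALLENGE, ORIGIN))
```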

Generating Backup Codes

Backup codes are one-time-use codes that you can use when you don’t have access to the second factor security key or app you have configured. Regardless of whether you are using security keys or a Time-Based One-Time password, make sure you generate and print backup codes. If you lose your primary key/device and don’t have a backup code, you will lose access to your account forever.

What’s next

If you haven’t set up Two-Factor authentication yet, now is the time to do so. If you run into any bugs or want to provide feedback, please do so in the GitHub repository.

Thanks to everyone who has participated thus far!