I recently took the advice of WordPress.com and enabled two-factor security for my account. I’d highly advise everyone else to do the same.
There is a general principle in the security community that three principal factors can establish your identity: “something you are”, “something you have”, and “something you know”. For most use cases a single factor is considered sufficient, perhaps with a variant, or a second factor, used solely as a backup. A password is “something you know”. So is your typical account recovery security question.
For enhanced security, a system can require that two of the three factors play a role in granting access. Google supports this method. And recently, so does WordPress.com.
The second factor is generally provided by a cell phone or similar device, which qualifies as “something you have”.
It can work through sending you an SMS message containing a code to include when logging in. It can also work from a printed list of one-time use codes you can print, trim, and carry in a wallet. But the slick way is to use the Google Authenticator app, which generates a sequence of 6 digit codes, two per minute. Once set up, logging in to WordPress.com from a new PC is as simple as providing your username and password as usual, then when prompted enter the code from Authenticator.
Once two-factor is set up at WordPress.com, applications which depended on a password, such as my posting script (and WP’s own Android app), will no longer work. To enable them, you need to log in to WordPress.com in a browser following the two-factor protocol, and then go to your Account Security settings and add an Application Password.
While this password still allows full access to your account and all connected blogs, it is also easy to disable if you fear that the safety of your app’s configuration has been compromised. Just return to the Account Security page, and you will find a list of the individual application passwords you have created, and a button next to each to remove it.