Need a Clef alternative? For a long time, Clef was one of the most popular WordPress two-factor authentication plugins. It had an innovative product, well over a million active installs, and was just all around one of the best two-factor solutions for WordPress.
Then, in March 2017…disaster struck in the form of an announcement for the end of Clef. Yes, Clef is going away. While the service is still active at the time that I sat down to write this post, on June 6, 2017, it will stop working for good. That means the Clef app will stop functioning and your site will no longer be protected by two-factor authentication.
So…if you haven’t already switched, you need to move to one of the Clef alternatives on this list to maintain your site’s security with a fully-working two-factor authentication plugin.
To that end, I’ve put together this list of alternative two-factor solutions. While I’ll give you a bunch of options, I’m going to order them like this:
Plugins which best approximate Clef’s cool “scan the waves” method of authentication will appear at the top of the list. Then, as you move down the list, I’ll get into a couple of the more generic SMS-type alternatives.
Let’s jump in…
Best Clef Alternatives to Keep Your Site Protected
Below, you’ll find all of the currently available Clef alternatives, as well as one nifty upcoming Clef replacement from popular backup plugin developer UpdraftPlus.
1. Google Authenticator – Two Factor Authentication
This is my personal favorite plugin when it comes to two-factor authentication. The reason? Despite the name, this plugin offers tons of alternative authentication options.
Currently, you can run two-factor authentication via these methods:
- SMS
- Phone call
- Soft token
- QR code authentication
- Push notification
- Google Authenticator
While the QR code notification isn’t a perfect replica of Clef’s functionality, it does accomplish pretty much the same thing. To use it, you’ll need to install miniOrange’s app (the plugin developer) on your phone. Then, you can scan a QR code as a second authentication method when you log in to your WordPress site.
miniOrange’s plugin also includes the ability to Remember my Device, which lets you skip two-factor authentication for devices you commonly use. If you’ve ever banked online, you’re probably familiar with this type of functionality.
While the plugin is not 100% free, most of the authentication methods are free for one user. After that, you’ll need to pay based on the number of users you want to use two-factor authentication for.
And if you use one of the paid plans, you can also enable or disable two-factor authentication based on a user account’s role. So you can, for example, enable two-factor authentication for Admin accounts, but not for basic Subscriber accounts.
Best of all, the plugin has a button to help you quickly migrate from Clef.
Go to Google Authenticator – Two Factor Authentication
2. Keyy From UpdraftPlus
Ok, I’m cheating a bit because this plugin hasn’t been released at the time of writing this post. But UpdraftPlus is developing it specifically as a replacement for Clef, so I think it would be silly to leave it off the list.
Currently, Keyy is slotted to be released sometime in April, so you should have plenty of time to switch before Clef shuts its doors in June.
So far, UpdraftPlus hasn’t released much about Keyy beyond its name and that it’s aiming to act as “an opensource replacement for Clef”. But keep an eye out because more announcements should be coming soon.
3. Unloq Passwordless Authentication
Unloq is a relative newcomer to the WordPress authentication scene, which is why I didn’t place it at the top of the list. That is, don’t be shocked when you see that it only has 200+ active installs currently.
Because it’s new, I recommend a little caution before going all in on the plugin. But it does seem to offer the closest approximation to Clef’s functionality of any active plugin on this list.
Like Clef, Unloq isn’t so much two-factor authentication. Rather, passwordless authentication is probably a better descriptor. When a user tries to sign in, they don’t need a password. Instead, they just need to authenticate the sign-in attempt on their phone or email.
Currently, users can authenticate via:
- Push notification
- Time-based one-time password
4. Rublon Two-Factor Authentication
Rublon is a long-standing two-factor authentication plugin which we’ve mentioned on the WPLift blog before. It helps you add authentication in one of two ways:
- Via email
- Via phone and a QR code
While it’s not something I’ve personally tested, Joe reviewed Rublon back in 2013 and had positive things to say.
Go to Rublon Two-Factor Authentication
5. Google Authenticator
Don’t confuse this plugin with the previous plugin from miniOrange. They’re entirely different things. And this one doesn’t have nearly as many features.
Whereas the miniOrange plugin lets you implement a number of authentication methods, this plugin only lets you…implement Google Authenticator. No surprise there!
So is there any reason to choose this version over miniOrange’s plugin?
Yes – money! If you need two-factor authentication for multiple users (and are ok with using the Google Authenticator app), you can save some cash by choosing this free version over miniOrange’s paid, multiple user plan.
You can also enable or disable two-factor authentication on a per-user basis, which is a nice touch.
Just remember that you’re sacrificing some functionality in order to save money.
6. Wordfence Security
Wordfence Security is not just a two-factor authentication plugin. It also includes a bevy of more all-purpose security features. But one of the things it does do is make it easy to implement two-factor authentication via SMS or Google Authenticator.
If all you want is two-factor authentication, it’s overkill. But if you’ve been looking for a general security plugin anyway, it’s a nice option because it includes everything in one package.
Wrapping Things Up
Just because Clef is about to close up shop for good doesn’t mean you have to leave your WordPress site open to brute-force attacks. Pick one of these Clef alternatives, install it, and ensure that your site stays protected once June rolls around.
And if you need help for how to remove Clef from your site, Clef has written up a guide to help you deactivate Clef before you move on to another solution. Spoiler alert – it’s pretty much just deactivating and deleting the Clef plugin.
Now over to you – do you use Clef? If so, are you planning to move to another solution or just scrap two-factor? There are millions of Clef users out there – so I’m curious to see how the shutdown plays out!
