If you have a WordPress.com blog, now is the perfect time to make your account more secure with our new two step authentication! Two step authentication (also referred to as two-factor authentication) requires you to enter a one-time secret code from your mobile device whenever you log in, after entering your password of course. Hopefully that is a strong password (and you should consider changing it if it isn’t). This means that, with two step authentication enabled, an attacker would need to both know your password and have physical possession of your mobile device to gain access to your account.
All you need to use two step authentication at WordPress.com is an iOS, Android, or BlackBerry mobile device (it doesn’t have to be a cellphone, but you do need to connect to the internet once to set it up). If you don’t have any of these, you can also use a cellphone capable of receiving text messages.
We’re looking into ways to bring our two step authentication system to self-hosted WordPress.org blogs soon, and you’ll see an announcement on the Jetpack blog when we’re ready. Until then, try the Google Authenticator plugin with your self-hosted blog.
You might be interested in two factor authentication from Twilio: https://www.twilio.com/docs/howto/two-factor-authentication
Twilio allows you to create messaging and phone / IVR apps in the cloud, so for 1 penny a message you can quickly add telephony to your apps. They have a PHP helper lib and an extensive gallery of sample applications. Some people have integrated it with WordPress, but I haven’t had direct experience with those implementations.
I am currently using Twilio in my apps and will be embarking on two factor auth soon, and would be very willing to share any insights I may gain.
We built our two step authentication solution in-house for better security. We’d rather not trust third-parties if we don’t have to.