At WordPress.com VIP, we require that you enable two-step authentication for your WordPress account if you are an administrator, have SVN access, or have publishing capabilities.
Keeping your sites secure is one of our top priorities. Passwords are the de facto standard for logging in on the web, but they’re relatively easy to break. Even if you create strong passwords and change them regularly, a data breach can leak them. Two-step authentication is a method of securing accounts that requires not only that you know something (a password) to log in, but also that you possess something (a mobile device).
The benefit of this approach to security is that even if someone guesses or obtains your password, they would also need to have stolen your mobile device in order to break into your account. One of the ways bad actors attempt to compromise sites is to use the credentials of privileged users whose passwords may have been leaked as part of a hack on another service. Two-step authentication makes it dramatically more difficult for accounts to be compromised.
Please follow these instructions to enable two-factor authentication on your WordPress.com account, either via an authenticator app or via SMS. Although both options are available, we highly recommend the use of an authenticator app, in preference to SMS, due to its additional resilience.
Some users have asked about options for two-factor authentication without the use of a mobile device. Authy offers desktop applications that could be used in conjunction with our support for using an authenticator app. You may also be able to set up SMS delivery of two-factor codes via VoIP services like Google Voice or Skype, though delivery may not be reliable in all areas and should be tested thoroughly before relying on it. Using this approach is less secure than having a true second factor like a mobile device, and should be avoided if possible.