
2 step verification

  1. Akemi_Mokoto
    Member

    I think it would be a good idea for WordPress to give users the ability to set up 2 step verification to decrease the odds of being hacked greatly. Allow users to do the double log in by first entering their password on their WordPress self-hosted blog, THEN require them to either enter a code sent to their email or cell phone (preferably) in order to log in AND keep tabs on the IP logins to that WordPress blog.

    Posted: 1 year ago #
  2. McDragon
    Member

    I agree. I think this functionality should be built in and robust and also support the mobile apps.
    There has been a lot of publicity about WP security and I think 3.7 goes a step forward, but you should have also implemented 2-level authentication.

    Posted: 10 months ago #
  3. Ipstenu (Mika Epstein)
    Administrator

    At this time, we can't do it because we don't have something that works 100% on all server setups. So you're in plugin land for now.

    Once we can make it work on shared hosts around the world, this may change, but there are server requirements we just don't have yet.

    Posted: 10 months ago #
  4. netik
    Member

    I'm unsure why this wouldn't work everywhere. We can do this in a server-agnostic way.

    We have the following available to us:

    1) Open source crypto code for key generation and storage -- the HMAC_TOTP Algorithm is widely known

    2) HTML5 Canvas based display of QR Codes. (no need for PHP or imagemagick)

    3) Google Authenticator, free everywhere on all mobile devices.

    I would be willing to write this code and submit a patch. I'm new to working on WordPress but I'm a seasoned developer and lead Twitter's security team. This would not be new ground for me.

    Posted: 7 months ago #
  5. Ipstenu (Mika Epstein)
    Administrator

    #3 makes a massive presumption.

    Does every WP user have a mobile device?

    Does every WP user have a mobile device capable of using GA?

    Does every WP user want to use Google's brand of authentication?

    We have this plugin: http://wordpress.org/plugins/google-authenticator/

    I think it handles things pretty well for everyone who needs that. If you can fix the server agnosticism (and remember we're talking Windows, Linux, Apache, nginx, every flavor of PHP from 5.2 on up and so on), that's a great leap! But it's going to be a while before this would land in core because the tfa requirements of a cell phone that can handle it aren't there yet :/

    Posted: 7 months ago #
  6. netik
    Member

    Let's take a step back.

    What I'm saying is to have a stronger basic security feature set available in the core product. At a minimum, have IP whitelists for wp-admin. If we take the approach of security by default instead of 'security when you remember to install a plugin', we make the Internet more secure in general.

    For #3:

    You're right. 2FA is an advanced topic. But...

    I think it's safe to assume that a very high percentage of WP users have mobile devices. Even if they don't, that's no reason not to support the aforementioned IP restrictions in code.

    GA requires an Android or iPhone, but here's the best part: It's wrong to assume that this is Google branded authentication.

    It's an open RFC that Duo, Google, and many others support, and the reason why I suggest it is because of its openness. Anyone can write code to make it go and there are literally hundreds of vendors that sell tokens for the service.

    HOTP and TOTP:
    http://tools.ietf.org/html/rfc6238

    Posted: 7 months ago #
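The HMAC-based TOTP scheme that posts #4 and #6 refer to (RFC 4226 HOTP, RFC 6238 TOTP, and the otpauth:// key URI that an enrollment QR code carries) fits in a few dozen lines of standard-library code. The block below is an added example written for this page; it is not code from the thread, from the google-authenticator plugin, or from WordPress core, and it uses Python rather than PHP so it can be checked against the RFC test vectors. The account and issuer strings, the `window` of one step either side, and the `last_counter` replay guard are choices made here, not anything the thread specifies; the demo secret is the RFC 6238 Appendix B test secret, used only as sample input.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then reduce modulo 10^digits (zero-padded so leading zeros survive)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second periods since t0."""
    return hotp(secret, (int(for_time) - t0) // step, digits, algo)


def verify_totp(secret: bytes, code: str, for_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, t0: int = 0,
                digits: int = 6, algo=hashlib.sha1):
    """Server-side check. Returns the time-step counter the code matched, or None.

    - accepts +/- `window` steps around the server clock to tolerate phone clock drift
    - compares in constant time, so a wrong digit does not leak timing
    - refuses any counter <= last_counter, so a code that was already accepted
      cannot be replayed; the caller stores the returned counter next to the
      user's secret (assumed storage, not shown here)
    """
    if len(code) != digits or not code.isdigit():
        return None
    base = (int(for_time) - t0) // step
    matched = None
    for delta in range(-window, window + 1):
        candidate = base + delta
        if hmac.compare_digest(hotp(secret, candidate, digits, algo), code):
            matched = candidate
    if matched is None or matched <= last_counter:
        return None
    return matched


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user secret from the OS CSPRNG; 160 bits is the RFC 4226 recommended minimum."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// key URI that enrollment QR codes encode (the Google Authenticator
    key URI format, which other TOTP apps also read). Issuer and account are
    hypothetical values supplied by the caller."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={digits}&period={step}")


if __name__ == "__main__":
    # Constructed sample input: the RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "alice@example.com", "Example Blog"))
    now = int(time.time())
    code = totp(demo_secret, now)
    print("current code:", code, "accepted at counter:", verify_totp(demo_secret, code, now))
```

The enrollment flow this supports is the one the thread sketches: generate a secret with `new_secret()`, render `provisioning_uri()` as a QR code for the user to scan, and store the secret alongside the last accepted counter. Because the check is purely HMAC over a counter derived from the clock, the server needs nothing beyond a reasonably accurate clock and an HMAC implementation, which is the "server-agnostic" point made in #4.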
  7. Ipstenu (Mika Epstein)
    Administrator

    At a minimum, have IP whitelists for wp-admin.

    You mean block everyone BUT certain IPs? Because if you're thinking the htaccess block like that, it's a bloody nightmare to support.

    I'm not disagreeing it would make things more secure, I'm just picturing the first time someone tries to log in from mom's computer and can't, and doesn't know how to fix it. Who do they contact? The webhost?

    GA requires an Android or iPhone, but here's the best part: It's wrong to assume that this is Google branded authentication.

    Oh I know, but the iOS app is GA's (I presume the Android one is as well). Now WP could put that in their app instead, which would be nifty.

    But we're still back to the presumption that people could use 2FA on their phones.

    I think it's safe to assume that a very high percentage of WP users have mobile devices.

    I think a high percentage isn't enough, when you may be crippling your product for the rest :)

    This would absolutely have to be optional and set to off, because if it's on and people can't get in, well... Also is this even accessible to people who can't see? We're not even talking about folks who don't have phones, or mobile phones capable of this sort of thing. China? Africa? They have enough issues as is.

    Posted: 7 months ago #
  8. CotswoldPhoto
    Member

    If 2fa is SO SO difficult, how come Joomla managed it in 3.3?

    I have migrated from Joomla to WP and this is the most glaring defect in security.

    OK, so certain server features need to be there. Great. So build some code to detect and enable only if supported.

    The plugin and the 2 other plugins based on it work very well, but hardly any other plugins that involve login or user profiles support those plugins.

    Posted: 1 month ago #
  9. Ipstenu (Mika Epstein)
    Administrator

    Joomla's using Google Authenticator, and no one said it couldn't be managed. The argument is more that it's not manageable.

    Does every WP user have a mobile device?

    Does every WP user have a mobile device capable of using GA?

    Does every WP user want to use Google's brand of authentication?

    I'd also counter that Joomla has a more techie admin base than WP does :)

    Posted: 1 month ago #
  10. CotswoldPhoto
    Member

    2FA on Joomla is not compulsory. It has to be enabled by the site owner, and THEN by each user. Those that cannot use it do not have to.

    So.... WHY does EVERY user of WP have to have a mobile device in order that WP add 2FA to the core?

    WHY does every mobile device have to be capable of using GA?

    WHY does 2FA have to be GA? Joomla have added other options.

    As I said, Joomla's implementation is pretty much as the WP GA plugin. Optional for each user, NOT forced by the site owner. All the Joomla site owner does is enable it in General Settings, then it is down to each user.

    Posted: 1 month ago #


Rating: 3 Votes

Status: This is plugin territory