There needs to be an option to disallow non authy logins.

  • Resolved Chamunks

    (@chamunks)


    11 years, 3 months ago

    I have one major issue with this plugin is that it still allows me to login using mobile apps to accounts that have authy tokens via the wordpress app without needing the authy token. As you could imagine this is a major hole as anyone could just fake that they are coming from an android app to just bypass the authy reqirement which is essentially mooting the boost in security.

    http://wordpress.org/extend/plugins/authy-for-wp/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter Chamunks

    (@chamunks)

    11 years, 3 months ago

    My one suggestion would be enable users that cannot be logged into by certain means or whitelisting only logging in via certain means.

    Plugin Author Erick Hitter

    (@ethitter)

    11 years, 3 months ago

    The WordPress mobile apps, as well as XML-RPC requests, don’t provide any way to require additional authentication steps. This isn’t a vulnerability specifically with the Authy plugin, but a limitation of any authentication request made by means other than direct interaction with WordPress. Most existing login-hardening plugins are similarly limited because the mobile apps aren’t extensible.

    I’ve opened an issue on GitHub (#15) to continue this discussion. A future release could include an option to require that all interaction with WordPress happen directly in the software.

    In the meantime, the following code snippet can be used to entirely disable XML-RPC, if desired.

    add_filter( 'xmlrpc_enabled', '__return_false' );

    Thread Starter Chamunks

    (@chamunks)

    11 years, 3 months ago

    Disclaimer I’m so not a coder I have no idea where I should be installing this code 🙁 there were some guys in a campfire chatroom talking to me about this earlier today I’d just like to verify you also use Campfire.

    Thread Starter Chamunks

    (@chamunks)

    11 years, 3 months ago

    Also it only required the authy token for hitting the dashboard but posting I didnt need it. On further inspection.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘There needs to be an option to disallow non authy logins.’ is closed to new replies.