Easy secure login, use password or OTP as you need. Works with Smart Crib dongles and free apps: Google Authenticator, Pledge, DS3 OATH, AuthWay Token
We have tested our plugin with the following iPhone apps. Some of them have implementations for Android as well. We will keep adding new ones as we test them, or as we receive feedback from users.
SOFTWARE TOKENS / APPS
We have not done extensive testing, but we have scanned about 160 applications one can find in the App Store. The following four apps work with this plugin:
You want your OTP secrets to be as unpredictable as possible. That is why we try to use a cryptographically secure random number generator. If this is not available, we fall back on a number of time measurements from the microsecond timer provided by the operating system.
This approach is different from many other OTP plugins, which use insecure random number generators like rand() or mt_rand().
Our plugin will generate a new random secret each time you open your profile. This may slow the page opening by 3 seconds.
Yes, the plugin does not disable the static password. If you decide not to use normal passwords any more, set them to some random and long values.
We have noticed that existing plugins basically add an additional password box when you start using OTP. It means that you need your old password and OTP codes as well. I have put some security arguments on the plugin web page: WP OTP from Smart Crib and here is a summary:
Even a 6 digit OTP is as strong as an average password, based on a large study of Yahoo passwords conducted by Joseph Bonneau at the University of Cambridge (Analyzing 70,000,000 anonymized passwords) - see Figure 6 (success rate with an increasing number of guesses) and Table V (for just 1,000 guesses).
While a 6 digit OTP is as strong as an average password, it is actually much more secure, as once an OTP value is guessed it cannot be re-used. This makes attacks more complicated, as the tool for guessing passwords must also apply the "payload" immediately.
Many of you may think that OTP is overkill. Well, it may be true when you login from your "secure" network but we sometimes really need to login from insecure network and if you can just use OTP when you need it, it justifies the additional hassle.
Actually, OTP is more vulnerable than passwords when your server gets hacked. The problem is that while passwords can be scrambled (only values computed with a one-way function like SHA1, SHA256, ... are stored), OTP secrets must be available in plaintext, because the server needs the secret itself to compute the expected code.
Once the secret is compromised, all future values of your OTP codes can be computed by the attacker - you may remember RSA SecurID incident a couple of years back - one article from many: RSA Finally Comes Clean - SecurID Is Compromised.
Our plugin encrypts seeds with AES-256 so they cannot be read directly but the key is still stored somewhere on our server. We hope to improve this with our management and monitoring system that we intend to launch in Q3 2013.
That is very true. There are so many WordPress users that there is a good chance of someone getting hacked every day. One needs a monitoring and auditing system to detect attempts to hack someone's account.
We have been building such a system for some time now and we hope to launch it in Q3 2013. This system will also offer additional security improvements. We want to use cryptographic modules like this one (Utimaco CryptoServer V4) to store your secrets.
OTP codes can be computed using an incrementing counter or real time. Each of them has its advantages and disadvantages. We decided to do Event-based OTP (aka Counter-based aka HOTP) first. Our reasons were:
1. Event-based OTP does not require synchronised time between your mobile phone and the server. This may sometimes be quite difficult to arrange, as you may not be the master of the server where your WordPress is running.
2. Time-based OTP assumes a trusted time source on both sides. However, it is fairly easy to change the time on your mobile phone and write down OTP codes that will be valid in an hour or the next day.
3. There is a danger that Event-based OTP codes are eavesdropped and used by attackers. From your point of view it looks like you can't log in to your server and get a message like "Server Is Down", "Try Again Later", and so on.
Version 2.0 implements time-based OTP as well.
Neither option is better in general: Time-based may be a bit more secure (sometimes), Event-based is a little bit easier to use (at other times). If you are new to OTP, try the Event-based one first, as it is easier and more reliable.
Password S-CRIB is our product. It is a physical dongle that gives you OTP and a set of 4 secure passwords. Forget what I said about passwords above as the strength of these makes them unbreakable.
In some situations, these passwords are much better than OTP: the probability of guessing an 8 digit OTP together with a 4 digit PIN is 1 in 2^40, while for these passwords it is 1 in 2^120 (each increment between 40 and 120 means trying twice as many passwords).
Password S-CRIB is a digital key you have in your pocket with powerful password recovery support options - from a hardcopy in your strongbox to an online recovery and management system.
Tokens can be obtained from Amazon UK (+26 EU countries), Amazon US, and Paypal or get in touch via email to email@example.com as we can offer substantial discounts if you buy more of them.
If you get stuck, you can always contact us at firstname.lastname@example.org.