Authy for WordPress
[resolved] There needs to be an option to disallow non authy logins. (5 posts)

  1. Chamunks
    Member
    Posted 2 years ago #

    I have one major issue with this plugin: it still allows me to log in using mobile apps to accounts that have Authy tokens via the WordPress app without needing the Authy token. As you could imagine, this is a major hole, as anyone could just fake that they are coming from an Android app to bypass the Authy requirement, which is essentially mooting the boost in security.

    http://wordpress.org/extend/plugins/authy-for-wp/

  2. Chamunks
    Member
    Posted 2 years ago #

    My one suggestion would be to enable users that cannot be logged into by certain means, or whitelisting only logging in via certain means.

  3. Erick Hitter
    Code Wizard
    Plugin Author

    Posted 2 years ago #

    The WordPress mobile apps, as well as XML-RPC requests, don't provide any way to require additional authentication steps. This isn't a vulnerability specifically with the Authy plugin, but a limitation of any authentication request made by means other than direct interaction with WordPress. Most existing login-hardening plugins are similarly limited because the mobile apps aren't extensible.

    I've opened an issue on GitHub (#15) to continue this discussion. A future release could include an option to require that all interaction with WordPress happen directly in the software.

    In the meantime, the following code snippet can be used to entirely disable XML-RPC, if desired.

    add_filter( 'xmlrpc_enabled', '__return_false' );
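
As an added example (not code from the plugin author or the Authy plugin), here is one way to apply the restriction discussed in this thread per account instead of site-wide, packaged as a must-use plugin so it needs no theme edits. The file name, function name, constant and the choice of `manage_options` as the marker for protected accounts are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC logins (added example)
 *
 * Save as wp-content/mu-plugins/restrict-xmlrpc-logins.php (file name is
 * hypothetical). Files in mu-plugins are loaded automatically by WordPress.
 */

// Assumption: accounts holding this capability are the ones that must not
// authenticate without a second factor. Adjust to match your site.
const EXAMPLE_PROTECTED_CAPABILITY = 'manage_options';

/**
 * Reject password logins for protected accounts when the request arrives
 * through xmlrpc.php, where no second-factor prompt can be shown.
 */
function example_block_protected_xmlrpc_logins( $user, $username, $password ) {
	// xmlrpc.php defines XMLRPC_REQUEST; other login paths are left alone.
	if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
		return $user;
	}

	// Earlier callbacks already checked the password. Only a successful
	// result (a WP_User) needs the extra restriction.
	if ( $user instanceof WP_User && user_can( $user, EXAMPLE_PROTECTED_CAPABILITY ) ) {
		return new WP_Error(
			'example_xmlrpc_login_blocked',
			'XML-RPC logins are disabled for this account.'
		);
	}

	return $user;
}
// Priority 99 runs after core's username/password check (priority 20).
add_filter( 'authenticate', 'example_block_protected_xmlrpc_logins', 99, 3 );

// Blanket alternative from the thread: turn off every XML-RPC method that
// requires authentication, for all users.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

The `xmlrpc_enabled` filter only covers XML-RPC methods that require authentication, so unauthenticated methods such as pingbacks are unaffected by either approach.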

  4. Chamunks
    Member
    Posted 2 years ago #

    Disclaimer: I'm so not a coder, I have no idea where I should be installing this code :( There were some guys in a Campfire chatroom talking to me about this earlier today. I'd just like to verify you also use Campfire.

  5. Chamunks
    Member
    Posted 2 years ago #

    Also, it only required the Authy token for hitting the dashboard, but for posting I didn't need it. On further inspection.

Topic Closed

This topic has been closed to new replies.
