WordPress.org

Plugin Reviews

yubikey-plugin

Enhanced Login Security for Your WordPress blog.

3 reviews
Average Rating
4.5 out of 5 stars
You are currently viewing the reviews that provided a rating of 5 stars. Click here to see all reviews.
This must be a joke
By , for WP 4.1
function yubikey_verify_otp($otp,$yubico_api_id,$yubico_api_key){
	<strong>$url="http://api.yubico.com/wsapi/verify?id=".$yubico_api_id."&otp=".$otp;</strong>

	$ch = curl_init($url);
	curl_setopt($ch, CURLOPT_USERAGENT, "WordPress Yubikey OTP login plugin");
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	$response = trim(curl_exec($ch));
	curl_close($ch);

	if (yubikey_verify_hmac($response,$yubico_api_key)) {
		if(!preg_match("/status=([a-zA-Z0-9_]+)/", $response, $result)) {
			return false;
		}
		<strong>if ($result[1]=='OK') {</strong>
			return true;
		}
	}
	return false;
}

An

  • unencrypted
  • unauthenticated
  • unsigned

response of "OK" is what users should base security assumptions on?
C'mon.

Private yubi val-server
By ,

I'm not able to figure out how to use a custom val-server. I have changed the verifier address in yubikey.php and I have all the neccessary info (API key and ID's) for the user. But the plugin doesn't attempt to communicate with the server.

Any help would be appreciated.

Works great and blocks automated password hacks
By , for WP 3.3.1

I have had Yubikey (old version) for a years and not used it much. Mainly I used it as a OpenID authentication on many sites. WordPress does support OpenID authentication but it works much better with this plugin.
Thank you for doing it!

You must log in to submit a review. You can also log in or register using the form near the top of this page.