Secure WordPress login without passwords or CAPTCHAs

Two-factor authentication for WordPress

If you’re like most WordPress admins, you probably protect your site with password-based logins. You may also use a CAPTCHA to ensure that login attempts come from human users rather than from bots that, for example, post automated junk comments linking to malware-infected sites. Unfortunately, these login methods are no longer secure, and they leave your website vulnerable to hackers and other criminals trying to compromise user accounts, extract your website’s data, and steal passwords or other credentials. Usernames and passwords stolen from other websites or servers could also be used, for example, to log in as an admin on your site.

When you use password-based logins to secure your WordPress site, you’re basically inviting potential trouble into your home. The primary goal of hackers is to get passwords. If criminals can successfully access even a single password for one user account, chances are they can also gain access to that one user’s other accounts for other websites and services.

An attacker therefore has an easy time if they have compromised another website where passwords were not sufficiently protected and one of its users reuses the same password (now known to the attacker) on your website as well.

Criminals have a variety of options to obtain passwords, whether through SQL injection, phishing attacks, or using malware. If you use passwords to log in, the security of your website is only as good as the user who is logged in there with the weakest password. If an administrator or account holder uses the same password for multiple websites and services (including your own), this puts your site and your data at serious risk.

At worst, criminals who obtain an administrative password for your WordPress site using these common attack vectors could gain full access to your site and user data, and that would spell disaster on a larger scale.

CAPTCHA is also not an effective solution to defend against brute force attacks in the long term. Hackers work tirelessly to write new bot scripts and programs to trick image- and text-based solutions like CAPTCHA. So it’s always just a matter of time before hackers figure out how to defeat each new solution. Once they figure out how to trick the latest plugin, they can program their bots to appear like human users during the attack. And who hasn’t encountered the increasingly common CAPTCHAs that humans can hardly decipher? Don’t expect your users to put up with this any longer!

So how can you not only protect your WordPress site without using passwords or CAPTCHAs, but also ensure the best possible security for your user accounts? The solution is simple and so secure that it makes it almost impossible for your WordPress accounts to ever be compromised.

Protect your website with next-generation mobile authentication

The SecSign ID is a next-generation login method, replacing password-based logins with 2048-bit key pairs and mobile authentication. It uses cryptographic methods that have been used for the security of EC cards for over 15 years: knowledge plus possession.

Using a simple WordPress plugin, SecSign ID lets users log into your site by entering a non-confidential username, which they choose themselves in the app, into the WordPress login form. Users no longer have to use or remember a password. Once they enter their username, they verify their identity by proving possession of an encrypted private key residing on their mobile device.

This works by using the free SecSign ID app. The app automatically notifies the user when an authentication request is initiated, and the user can then confirm or deny the session within seconds. Ownership of the user’s private key is confirmed with the right knowledge, namely entering a simple four-digit PIN or passcode in the app.

In a final step for identity verification, the app will display four icons. The user must now tap the icon that also appears in the WordPress login screen. Once verification is complete, your website grants access to the user.

This allows the user to log into your WordPress site in a matter of seconds without using passwords or CAPTCHAs. Even better, unlike all password-based methods, no sensitive user data is ever stored on a server or transmitted between a server and the user’s mobile device. Thus, there is virtually nothing for criminals to steal in transit or from a server. Hacking and phishing attacks, as well as malware, are unsuccessful.

SecSign ID enables WordPress logins using a simple username and mobile authentication that eliminates the need for passwords and thwarts criminal attacks and user account compromises.

Flexible security variants – including verification by Apple’s Touch ID Fingerprint

With Apple’s forthcoming release of iOS 8, SecSign ID offers iOS 8 users the ability to verify their identity using their registered Touch ID fingerprint. For the sake of completeness, it should be mentioned once again that the fingerprint is of course never transferred.

This means they can use their fingerprint instead of a PIN or passcode, or combine it with a PIN or passcode for even greater biometric protection.

The SecSign ID can be configured as an alternative login option for your website and could thus be offered together with a traditional username and password combination. This way you can use it to protect your admin accounts while still supporting traditional login methods for your other users. Alternatively, to keep your website as secure as possible, you could set the SecSign ID as a login requirement for all your accounts by disabling the default WordPress login and replacing it with the more secure SecSign ID method.

By integrating the SecSign ID plugin into your WordPress site, you allow your users to log in to your WordPress site and post blog comments without the use of passwords and the challenging process of deciphering CAPTCHA images or texts. The members of your website will also benefit from being relieved of possible hassles with passwords or CAPTCHAs.

Easy user registration and linking existing accounts with two-factor authentication

Registering a SecSign ID account is quick and easy using the SecSign ID app. Thus, it is not necessary to set up or distribute IDs for all users of your website. Users can register independently using the SecSign ID app. In the app, users can quickly and easily generate a new SecSign user ID and set up verification using a PIN, passcode or fingerprint.

As the administrator of the site, you can decide for yourself whether you want to allow users to use two-factor authentication as an alternative or as the only possible login. You can regulate this easily and conveniently using checkboxes in the configuration of the SecSign ID login.

SecSign ID uses 2048-bit encrypted key pairs, including a secured private key stored on the user's mobile device, to authenticate user logins.

[Figure: the 2048-bit key pair of the SecSign ID, with a secured private key on the user’s mobile device, used to authenticate user logins.]

The app generates the encoded key pairs for secure authentication and sends the public key to the authentication server, where it is stored. The private key is secured on the user’s mobile device with a patented SafeKey process for additional protection against brute force attacks. Even if the user’s device is stolen or lost, no brute force attack can gain access to the private key. Even if criminals somehow manage to get their hands on that key, it’s completely useless without the associated PIN (or passcode or fingerprint).

Of course, the user can also block this ID remotely via the admin website.
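The registration and login flow described above, written out as an added illustration (this is not SecSign’s code or protocol; the page does not give its wire format): the device generates a 2048-bit RSA key pair and registers only the public key, the server issues a single-use random nonce per login, the app signs it to prove possession of the private key, and the server verifies with the stored public key. The PIN/passcode/fingerprint step that unlocks the device key is assumed to happen before SignChallenge and is not modelled; the nonce format and the AuthServer type are this example’s assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Server side: registered public keys by non-confidential user ID and at most one
// outstanding login challenge per user. Only the public key ever reaches the server.
type AuthServer struct {
	pubKeys map[string]*rsa.PublicKey
	pending map[string][]byte
}

func NewAuthServer() *AuthServer {
	return &AuthServer{pubKeys: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the public half of the 2048-bit key pair generated on the device.
func (s *AuthServer) Register(userID string, pub *rsa.PublicKey) { s.pubKeys[userID] = pub }

// Challenge issues a fresh 32-byte nonce (assumed format); any user ID gets one, so the reply leaks nothing.
func (s *AuthServer) Challenge(userID string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil
	}
	s.pending[userID] = nonce
	return nonce
}

// Verify checks the signature over the outstanding nonce with the registered key and
// discards the nonce first, so a captured response cannot be replayed.
func (s *AuthServer) Verify(userID string, sig []byte) bool {
	pub, nonce := s.pubKeys[userID], s.pending[userID]
	delete(s.pending, userID)
	if pub == nil || nonce == nil {
		return false
	}
	digest := sha256.Sum256(nonce)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Device side: the app proves possession of the private key by signing the nonce.
func SignChallenge(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}
```

To exercise it, generate the device key with rsa.GenerateKey(rand.Reader, 2048), Register its PublicKey, then run Challenge, SignChallenge and Verify in that order. A second Verify with the same signature, a signature from a different key, or a signature for an unregistered user all return false.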

The simple, password-free self-registration also avoids another well-known risk of WordPress administration: setting up and handing over passwords for other administrators. Typically, password-based logins require an administrator to create a password for each additional administrator and forward it to them.

This leads to two significant security risks: first, the administrator knows the password for someone else’s user account, and second, transmission via email or other services is highly risky. A potential attacker could thus steal user data in transit or from a text or document stored on a server.

The SecSign ID can eliminate both the dangers mentioned and other weak points in password and CAPTCHA processes.
