Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Two Step WordPress Security
Search
Kaspars
February 22, 2016
Technology
0
74
Two Step WordPress Security
From WordCamp Norway 2016.
Kaspars
February 22, 2016
Tweet
Share
More Decks by Kaspars
See All by Kaspars
WordCamp Oslo 2018: How to Write Better Code Automatically
kasparsd
0
65
How to Write Better Code Automatically
kasparsd
0
60
My Story of Building a Commercial WordPress Plugin
kasparsd
0
80
WordPress REST API un Calypso
kasparsd
0
78
Take Control of Your Widgets
kasparsd
1
980
Other Decks in Technology
See All in Technology
GitHub Copilot の概要
tomokusaba
1
130
AWS Summit Japan 2025 Community Stage - App workflow automation by AWS Step Functions
matsuihidetoshi
1
260
Oracle Cloud Infrastructure:2025年6月度サービス・アップデート
oracle4engineer
PRO
2
240
Oracle Audit Vault and Database Firewall 20 概要
oracle4engineer
PRO
3
1.7k
mrubyと micro-ROSが繋ぐロボットの世界
kishima
2
240
Postman AI エージェントビルダー最新情報
nagix
0
110
Liquid Glass革新とSwiftUI/UIKit進化
fumiyasac0921
0
210
Microsoft Build 2025 技術/製品動向 for Microsoft Startup Tech Community
torumakabe
2
260
HiMoR: Monocular Deformable Gaussian Reconstruction with Hierarchical Motion Representation
spatial_ai_network
0
110
“社内”だけで完結していた私が、AWS Community Builder になるまで
nagisa53
1
380
VISITS_AIIoTビジネス共創ラボ登壇資料.pdf
iotcomjpadmin
0
160
A2Aのクライアントを自作する
rynsuke
1
170
Featured
See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
234
140k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
35
2.3k
Unsuck your backbone
ammeep
671
58k
Being A Developer After 40
akosma
90
590k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
5.9k
Fireside Chat
paigeccino
37
3.5k
Build your cross-platform service in a week with App Engine
jlugia
231
18k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
Designing Experiences People Love
moore
142
24k
It's Worth the Effort
3n
185
28k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
8
670
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
657
60k
Transcript
None
Two Step WordPress Security Kaspars Dambis WordCamp Norway /
February 20, 2016
Authentication Authorization Who are you? Authentication What can you do?
Demo: WordPress and Public Key Infrastructure
Authentication Source: http://www.andrews-sykes.com/blog/wp-content/uploads/2014/06/Reception_Metropol.jpg
Authorization Source: http://www.juliebolder.com/weeds_2010_season_6.htm
One Step Authentication
One Step Authentication
Two Step Something You Know Authentication Something You Have +
Two Step Authentication Something You Have +
Two Step Authentication + PIN
But There is a Problem
Bad User Experience
Bad User Experience
123456 password 12345678 qwerty 12345 123456789 letmein Source: http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514 Passwords
A UX Problem
A UX Problem
A UX Problem
https://xkcd.com/936/
Tr0ub4dor&3 https://xkcd.com/936/ 3 days at 1000 guesses per second
https://xkcd.com/936/ 550 years at 1000 guesses per second correct horse
battery staple
https://xkcd.com/936/ correct horse battery staple but 25 keystrokes
• One “Master” Password • Password Generation • Password Auto-fill
• Available on Desktop and Mobile Use a Password Manager
• One “Master” Password • Password Generation • Password Auto-fill
• Available on Desktop and Mobile Use a Password Manager Social Engineering
What about Two Step?
Two Step: One-Time Passwords +
You still have to type in 6 digits every time
Two Step: One-Time Passwords
Two Step: One-Time Passwords Demo?
Two Step: PKI Smartcards Have to use a SmartCard reader
and install drivers on every computer Uses a secure element for all cryptographic functions
Source: http://www.notebookcheck.net/Review-Lenovo-ThinkPad-T440p-20AN-006VGE-Notebook.108423.0.html
… is there a solution?
Universal 2nd Factor
FIDO Alliance Fast IDentity Online • Formed in 2012 to
create a new industry standard • Initially worked on a Password-less protocol • U2F started by Google, Yubico and NXP in 2011 and joined FIDO in 2013
None
Universal 2nd Factor
The Promise of U2F It Just Works! * * in
Google Chrome for now
None
None
None
Stina Ehrensvard CEO & Founder
July 2015 A feature plugin was approved for core. https://wordpress.org/plugins/two-factor/
December 2015 “We can’t have users lock themselves out” January 2016 Decided to work only on Application Passwords to meet the 4.5 cycle (April 2016). Join #core-passwords on WordPress Slack! Two Step in WordPress Core
None
https://twofactorauth.org
Get Your U2F Key Yubico.com Coupon Code: wordcamp2016-100yk4
Kaspars Dambis kaspars.net
[email protected]
A134 BA02 60D4 3F8E ACC8 89D9
94F1 3532 A319 EA5D We’re hiring! xwp.co/jobs