Two Step WordPress Security

Transcript

1. None

2. Two Step 
 WordPress Security Kaspars Dambis WordCamp Norway /

   February 20, 2016

3. Authentication Authorization Who are you? Authentication What can you do?

4. Demo: WordPress and
 Public Key Infrastructure

5. Authentication Source: http://www.andrews-sykes.com/blog/wp-content/uploads/2014/06/Reception_Metropol.jpg

6. Authorization Source: http://www.juliebolder.com/weeds_2010_season_6.htm

7. One Step Authentication

8. One Step Authentication

9. Two Step Something You Know Authentication Something You Have +

10. Two Step Authentication Something You Have +

11. Two Step Authentication + PIN

12. But There is a Problem

13. Bad User Experience

14. Bad User Experience

15. 123456
 password
 12345678
 qwerty
 12345
 123456789
 letmein Source: http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514 Passwords

16. A UX Problem

17. A UX Problem

18. A UX Problem

19. https://xkcd.com/936/

20. Tr0ub4dor&3 https://xkcd.com/936/ 3 days at 1000 guesses per second

21. https://xkcd.com/936/ 550 years at 1000 guesses per second correct horse

    battery staple

22. https://xkcd.com/936/ correct horse battery staple but 25 keystrokes

23. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager

24. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager Social Engineering

25. What about Two Step?

26. Two Step: One-Time Passwords +

27. You still have to type in 6 digits every time

    Two Step: One-Time Passwords

28. Two Step: One-Time Passwords Demo?

29. Two Step: PKI Smartcards Have to use a SmartCard reader

    and install drivers on every computer Uses a secure element for all cryptographic functions

30. Source: http://www.notebookcheck.net/Review-Lenovo-ThinkPad-T440p-20AN-006VGE-Notebook.108423.0.html

31. … is there a solution?

32. Universal 
 2nd Factor

33. FIDO Alliance Fast IDentity Online • Formed in 2012 to

    create 
 a new industry standard • Initially worked on a Password-less protocol • U2F started by Google, Yubico and NXP in 2011 and joined FIDO in 2013
34. None

35. Universal 2nd Factor

36. The Promise of U2F It Just Works! * * in

    Google Chrome for now
37. None
38. None
39. None

40. Stina
 Ehrensvard CEO & Founder

41. July 2015
 A feature plugin was approved for core.
 https://wordpress.org/plugins/two-factor/

    December 2015
 “We can’t have users lock themselves out” January 2016
 Decided to work only on Application Passwords to meet the 4.5 cycle (April 2016). Join #core-passwords on WordPress Slack! Two Step in WordPress Core
42. None

43. https://twofactorauth.org

44. Get Your U2F Key Yubico.com Coupon Code: wordcamp2016-100yk4

45. Kaspars Dambis kaspars.net [email protected] A134 BA02 60D4 3F8E ACC8
 89D9

    94F1 3532 A319 EA5D We’re hiring! xwp.co/jobs