Two Step WordPress Security
Kaspars
February 22, 2016
From WordCamp Norway 2016.
Transcript
Two Step WordPress Security. Kaspars Dambis, WordCamp Norway, February 20, 2016
Authentication: Who are you? Authorization: What can you do?
Demo: WordPress and Public Key Infrastructure
Authentication (image source: http://www.andrews-sykes.com/blog/wp-content/uploads/2014/06/Reception_Metropol.jpg)
Authorization (image source: http://www.juliebolder.com/weeds_2010_season_6.htm)
One Step Authentication
Two Step Authentication: Something You Know + Something You Have
Two Step Authentication: Something You Have + PIN
But There is a Problem: Bad User Experience
Passwords. The 25 most popular passwords of 2015 included: 123456, password, 12345678, qwerty, 12345, 123456789, letmein (source: http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514)
A UX Problem (https://xkcd.com/936/)
Tr0ub4dor&3: 3 days at 1000 guesses per second
correct horse battery staple: 550 years at 1000 guesses per second
correct horse battery staple, but 25 keystrokes
Use a Password Manager
• One “Master” Password
• Password Generation
• Password Auto-fill
• Available on Desktop and Mobile
Social Engineering
What about Two Step?
Two Step: One-Time Passwords
You still have to type in 6 digits every time
Two Step: One-Time Passwords Demo?
Two Step: PKI Smartcards
Have to use a SmartCard reader and install drivers on every computer
Uses a secure element for all cryptographic functions
Source: http://www.notebookcheck.net/Review-Lenovo-ThinkPad-T440p-20AN-006VGE-Notebook.108423.0.html
… is there a solution?
Universal 2nd Factor
FIDO Alliance (Fast IDentity Online)
• Formed in 2012 to create a new industry standard
• Initially worked on a Password-less protocol
• U2F started by Google, Yubico and NXP in 2011 and joined FIDO in 2013
Universal 2nd Factor
The Promise of U2F: It Just Works!* (* in Google Chrome for now)
Stina Ehrensvard, CEO & Founder
Two Step in WordPress Core
July 2015: A feature plugin was approved for core. https://wordpress.org/plugins/two-factor/
December 2015: “We can’t have users lock themselves out”
January 2016: Decided to work only on Application Passwords to meet the 4.5 cycle (April 2016).
Join #core-passwords on WordPress Slack!
https://twofactorauth.org
Get Your U2F Key Yubico.com Coupon Code: wordcamp2016-100yk4
Kaspars Dambis kaspars.net
[email protected]
A134 BA02 60D4 3F8E ACC8 89D9 94F1 3532 A319 EA5D
We’re hiring! xwp.co/jobs