Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Two Step WordPress Security

Avatar for Kaspars Kaspars
February 22, 2016
Technology
0
74

Two Step WordPress Security

From WordCamp Norway 2016.
Avatar for Kaspars

Kaspars

February 22, 2016
Tweet

More Decks by Kaspars

See All by Kaspars
WordCamp Oslo 2018: How to Write Better Code Automatically
Avatar for Kaspars kasparsd
0
65
How to Write Better Code Automatically
Avatar for Kaspars kasparsd
0
60
My Story of Building a Commercial WordPress Plugin
Avatar for Kaspars kasparsd
0
80
WordPress REST API un Calypso
Avatar for Kaspars kasparsd
0
77
Take Control of Your Widgets
Avatar for Kaspars kasparsd
1
980

Other Decks in Technology

See All in Technology
基調講演: 生成AIを活用したアプリケーションの開発手法とは?
Avatar for Asei Sugiyama asei
1
100
Two-Tower モデルで実現する 検索リランキング / Shibuya_AI_2
Avatar for Visional Engineering & Design visional_engineering_and_design
2
140
名刺メーカーDevグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
770
開発効率と信頼性を両立する Ubieのプラットフォームエンジニアリング
Avatar for teru0x1 teru0x1
0
120
今からでも間に合う! 生成AI「RAG」再入門 / Re-introduction to RAG in Generative AI
Avatar for Hideaki Aoyagi hideakiaoyagi
0
110
堅牢な認証基盤の実現 TypeScriptで代数的データ型を活用する
Avatar for KAKEHASHI kakehashi
PRO
1
170
JavaのMCPサーバーで体験するAIエージェントの世界
Avatar for Tatsuya Miyazaki tatsuya1bm
1
220
Introduction to Bill One Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
250
脅威をモデリングしてMCPのセキュリティ対策を考えよう
Avatar for GMO Flatt Security flatt_security
1
260
研究開発部メンバーの働き⽅ / Sansan R&D Profile
Avatar for Sansan, Inc. sansan33
PRO
3
17k
実践Kafka Streams 〜イベント駆動型アーキテクチャを添えて〜
Avatar for Tomohiro Hashidate joker1007
3
850
バクラクのモノレポにおける AI Coding のための環境整備と {Roo,Claude} Code活用事例 / AI Coding in Bakuraku's Monorepo: Environment Setup & Case Studies with {Roo, Claude} Code
Avatar for upamune / Yu SERIZAWA upamune
8
4.8k

Featured

See All Featured
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
92
6.1k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
30
980
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
30
2.4k
Fireside Chat
Avatar for paigeccino paigeccino
37
3.5k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
30
5.8k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.7k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
9
620
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.8k
KATA
Avatar for Megan Lloyd mclloyd
29
14k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.3k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
31
1.2k

Transcript

  1. None

  2. Two Step 
 WordPress Security Kaspars Dambis WordCamp Norway /

    February 20, 2016

  3. Authentication Authorization Who are you? Authentication What can you do?

  4. Demo: WordPress and
 Public Key Infrastructure

  5. Authentication Source: http://www.andrews-sykes.com/blog/wp-content/uploads/2014/06/Reception_Metropol.jpg

  6. Authorization Source: http://www.juliebolder.com/weeds_2010_season_6.htm

  7. One Step Authentication

  8. One Step Authentication

  9. Two Step Something You Know Authentication Something You Have +

  10. Two Step Authentication Something You Have +

  11. Two Step Authentication + PIN

  12. But There is a Problem

  13. Bad User Experience

  14. Bad User Experience

  15. 123456
 password
 12345678
 qwerty
 12345
 123456789
 letmein Source: http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514 Passwords

  16. A UX Problem

  17. A UX Problem

  18. A UX Problem

  19. https://xkcd.com/936/

  20. Tr0ub4dor&3 https://xkcd.com/936/ 3 days at 1000 guesses per second

  21. https://xkcd.com/936/ 550 years at 1000 guesses per second correct horse

    battery staple

  22. https://xkcd.com/936/ correct horse battery staple but 25 keystrokes

  23. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager

  24. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager Social Engineering

  25. What about Two Step?

  26. Two Step: One-Time Passwords +

  27. You still have to type in 6 digits every time

    Two Step: One-Time Passwords

  28. Two Step: One-Time Passwords Demo?

  29. Two Step: PKI Smartcards Have to use a SmartCard reader

    and install drivers on every computer Uses a secure element for all cryptographic functions

  30. Source: http://www.notebookcheck.net/Review-Lenovo-ThinkPad-T440p-20AN-006VGE-Notebook.108423.0.html

  31. … is there a solution?

  32. Universal 
 2nd Factor

  33. FIDO Alliance Fast IDentity Online • Formed in 2012 to

    create 
 a new industry standard • Initially worked on a Password-less protocol • U2F started by Google, Yubico and NXP in 2011 and joined FIDO in 2013
  34. None

  35. Universal 2nd Factor

  36. The Promise of U2F It Just Works! * * in

    Google Chrome for now
  37. None
  38. None
  39. None

  40. Stina
 Ehrensvard CEO & Founder

  41. July 2015
 A feature plugin was approved for core.
 https://wordpress.org/plugins/two-factor/

    December 2015
 “We can’t have users lock themselves out” January 2016
 Decided to work only on Application Passwords to meet the 4.5 cycle (April 2016). Join #core-passwords on WordPress Slack! Two Step in WordPress Core
  42. None

  43. https://twofactorauth.org

  44. Get Your U2F Key Yubico.com Coupon Code: wordcamp2016-100yk4

  45. Kaspars Dambis kaspars.net [email protected] A134 BA02 60D4 3F8E ACC8
 89D9

    94F1 3532 A319 EA5D We’re hiring! xwp.co/jobs