Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Two Step WordPress Security

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Kaspars Kaspars
February 22, 2016
Technology
90
0

Two Step WordPress Security

From WordCamp Norway 2016.

Avatar for Kaspars

Kaspars

February 22, 2016

More Decks by Kaspars

See All by Kaspars
WordCamp Oslo 2018: How to Write Better Code Automatically
Avatar for Kaspars kasparsd
0
74
How to Write Better Code Automatically
Avatar for Kaspars kasparsd
0
69
My Story of Building a Commercial WordPress Plugin
Avatar for Kaspars kasparsd
0
100
WordPress REST API un Calypso
Avatar for Kaspars kasparsd
0
87
Take Control of Your Widgets
Avatar for Kaspars kasparsd
1
1.1k

Other Decks in Technology

See All in Technology
AI時代に改めて考える、ドメイン駆動設計 - モデリングが「AIへの共通言語」になる
Avatar for Koichiro Matsuoka littlehands
8
2.7k
オンコールの負荷軽減のためのBits Assistant 活用方法 / How to Use Bits Assistant to Reduce the Workload on On-Call Staff
Avatar for SMS tech sms_tech
1
280
個人AIからチームAIへ:開発における品質と生産性の再設計
Avatar for Atsushi Nakatsugawa moongift
PRO
0
260
Agentic AI時代における メルカリのAIガバナンスとガードレール実装
Avatar for ichihara naoichihara
16
16k
Kaggle未経験社員をメダリストに育てる「AIドラゴン桜」
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
640
最低限これだけ押さえれ大丈夫_Claude Enterprise/Team企業展開ガバナンス入門
Avatar for t-kikuchi tkikuchi
1
400
テストコードのないプロジェクトにテストを根付かせる
Avatar for Toru Takahashi tttol
0
220
類似画像検索モデルの開発ノウハウ
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
4
1k
基礎から解説!Icebergで紐解くSnowflake×Databricks連携の現在地
Avatar for TomokiYasuhara cm_yasuhara
0
360
「使われるデータ基盤」を目指してデータアナリストとワークショップをやった話
Avatar for jackojacko_ jackojacko_
2
910
ビジュアルプログラミングIoTLT vol.23
Avatar for 1ft-seabass 1ftseabass
PRO
0
150
人が担う「価値」とは?これからの「QA」とは / Human Value and the Future of Quality Assurance
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
PRO
0
120

Featured

See All Featured
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
37
7.3k
Scaling GitHub
Avatar for Zach Holman holman
464
140k
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
3
380
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k
Leveraging Curiosity to Care for An Aging Population
Avatar for Cassini Nazir cassininazir
1
250
SEO Brein meetup: CTRL+C is not how to scale international SEO
Avatar for Linda Hogenes lindahogenes
1
2.7k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
666
130k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
Avatar for Tomoya Matsuura tomoyanonymous
2
820
30 Presentation Tips
Avatar for Ian Lurie portentint
PRO
1
300
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k
Stewardship and Sustainability of Urban and Community Forests
Avatar for Eric Wiseman pwiseman
0
210
Balancing Empowerment & Direction
Avatar for Lara Hogan lara
6
1.1k

Transcript

  1. None

  2. Two Step 
 WordPress Security Kaspars Dambis WordCamp Norway /

    February 20, 2016

  3. Authentication Authorization Who are you? Authentication What can you do?

  4. Demo: WordPress and
 Public Key Infrastructure

  5. Authentication Source: http://www.andrews-sykes.com/blog/wp-content/uploads/2014/06/Reception_Metropol.jpg

  6. Authorization Source: http://www.juliebolder.com/weeds_2010_season_6.htm

  7. One Step Authentication

  8. One Step Authentication

  9. Two Step Something You Know Authentication Something You Have +

  10. Two Step Authentication Something You Have +

  11. Two Step Authentication + PIN

  12. But There is a Problem

  13. Bad User Experience

  14. Bad User Experience

  15. 123456
 password
 12345678
 qwerty
 12345
 123456789
 letmein Source: http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514 Passwords

  16. A UX Problem

  17. A UX Problem

  18. A UX Problem

  19. https://xkcd.com/936/

  20. Tr0ub4dor&3 https://xkcd.com/936/ 3 days at 1000 guesses per second

  21. https://xkcd.com/936/ 550 years at 1000 guesses per second correct horse

    battery staple

  22. https://xkcd.com/936/ correct horse battery staple but 25 keystrokes

  23. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager

  24. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager Social Engineering

  25. What about Two Step?

  26. Two Step: One-Time Passwords +

  27. You still have to type in 6 digits every time

    Two Step: One-Time Passwords

  28. Two Step: One-Time Passwords Demo?

  29. Two Step: PKI Smartcards Have to use a SmartCard reader

    and install drivers on every computer Uses a secure element for all cryptographic functions

  30. Source: http://www.notebookcheck.net/Review-Lenovo-ThinkPad-T440p-20AN-006VGE-Notebook.108423.0.html

  31. … is there a solution?

  32. Universal 
 2nd Factor

  33. FIDO Alliance Fast IDentity Online • Formed in 2012 to

    create 
 a new industry standard • Initially worked on a Password-less protocol • U2F started by Google, Yubico and NXP in 2011 and joined FIDO in 2013
  34. None

  35. Universal 2nd Factor

  36. The Promise of U2F It Just Works! * * in

    Google Chrome for now
  37. None
  38. None
  39. None

  40. Stina
 Ehrensvard CEO & Founder

  41. July 2015
 A feature plugin was approved for core.
 https://wordpress.org/plugins/two-factor/

    December 2015
 “We can’t have users lock themselves out” January 2016
 Decided to work only on Application Passwords to meet the 4.5 cycle (April 2016). Join #core-passwords on WordPress Slack! Two Step in WordPress Core
  42. None

  43. https://twofactorauth.org

  44. Get Your U2F Key Yubico.com Coupon Code: wordcamp2016-100yk4

  45. Kaspars Dambis kaspars.net [email protected] A134 BA02 60D4 3F8E ACC8
 89D9

    94F1 3532 A319 EA5D We’re hiring! xwp.co/jobs