Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Two Step WordPress Security
Search
Kaspars
February 22, 2016
Technology
0
75
Two Step WordPress Security
From WordCamp Norway 2016.
Kaspars
February 22, 2016
Tweet
Share
More Decks by Kaspars
See All by Kaspars
WordCamp Oslo 2018: How to Write Better Code Automatically
kasparsd
0
65
How to Write Better Code Automatically
kasparsd
0
60
My Story of Building a Commercial WordPress Plugin
kasparsd
0
81
WordPress REST API un Calypso
kasparsd
0
78
Take Control of Your Widgets
kasparsd
1
990
Other Decks in Technology
See All in Technology
Lufthansa ®️ USA Contact Numbers: Complete 2025 Support Guide
lufthanahelpsupport
0
240
american airlines®️ USA Contact Numbers: Complete 2025 Support Guide
supportflight
1
120
How Do I Contact HP Printer Support? [Full 2025 Guide for U.S. Businesses]
harrry1211
0
130
スタックチャン家庭用アシスタントへの道
kanekoh
0
110
SREのためのeBPF活用ステップアップガイド
egmc
2
900
DatabricksにOLTPデータベース『Lakebase』がやってきた!
inoutk
0
150
AWS CDK 入門ガイド これだけは知っておきたいヒント集
anank
5
600
QuickSight SPICE の効果的な運用戦略~S3 + Athena 構成での実践ノウハウ~/quicksight-spice-s3-athena-best-practices
emiki
0
260
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
10
130k
いつの間にか入れ替わってる!?新しいAWS Security Hubとは?
cmusudakeisuke
0
160
United Airlines Customer Service– Call 1-833-341-3142 Now!
airhelp
0
180
クラウド開発の舞台裏とSRE文化の醸成 / SRE NEXT 2025 Lunch Session
kazeburo
1
450
Featured
See All Featured
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Testing 201, or: Great Expectations
jmmastey
43
7.6k
Java REST API Framework Comparison - PWX 2021
mraible
31
8.7k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Rails Girls Zürich Keynote
gr2m
95
14k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
The Art of Programming - Codeland 2020
erikaheidi
54
13k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
970
Agile that works and the tools we love
rasmusluckow
329
21k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
Transcript
None
Two Step WordPress Security Kaspars Dambis WordCamp Norway /
February 20, 2016
Authentication Authorization Who are you? Authentication What can you do?
Demo: WordPress and Public Key Infrastructure
Authentication Source: http://www.andrews-sykes.com/blog/wp-content/uploads/2014/06/Reception_Metropol.jpg
Authorization Source: http://www.juliebolder.com/weeds_2010_season_6.htm
One Step Authentication
One Step Authentication
Two Step Something You Know Authentication Something You Have +
Two Step Authentication Something You Have +
Two Step Authentication + PIN
But There is a Problem
Bad User Experience
Bad User Experience
123456 password 12345678 qwerty 12345 123456789 letmein Source: http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514 Passwords
A UX Problem
A UX Problem
A UX Problem
https://xkcd.com/936/
Tr0ub4dor&3 https://xkcd.com/936/ 3 days at 1000 guesses per second
https://xkcd.com/936/ 550 years at 1000 guesses per second correct horse
battery staple
https://xkcd.com/936/ correct horse battery staple but 25 keystrokes
• One “Master” Password • Password Generation • Password Auto-fill
• Available on Desktop and Mobile Use a Password Manager
• One “Master” Password • Password Generation • Password Auto-fill
• Available on Desktop and Mobile Use a Password Manager Social Engineering
What about Two Step?
Two Step: One-Time Passwords +
You still have to type in 6 digits every time
Two Step: One-Time Passwords
Two Step: One-Time Passwords Demo?
Two Step: PKI Smartcards Have to use a SmartCard reader
and install drivers on every computer Uses a secure element for all cryptographic functions
Source: http://www.notebookcheck.net/Review-Lenovo-ThinkPad-T440p-20AN-006VGE-Notebook.108423.0.html
… is there a solution?
Universal 2nd Factor
FIDO Alliance Fast IDentity Online • Formed in 2012 to
create a new industry standard • Initially worked on a Password-less protocol • U2F started by Google, Yubico and NXP in 2011 and joined FIDO in 2013
None
Universal 2nd Factor
The Promise of U2F It Just Works! * * in
Google Chrome for now
None
None
None
Stina Ehrensvard CEO & Founder
July 2015 A feature plugin was approved for core. https://wordpress.org/plugins/two-factor/
December 2015 “We can’t have users lock themselves out” January 2016 Decided to work only on Application Passwords to meet the 4.5 cycle (April 2016). Join #core-passwords on WordPress Slack! Two Step in WordPress Core
None
https://twofactorauth.org
Get Your U2F Key Yubico.com Coupon Code: wordcamp2016-100yk4
Kaspars Dambis kaspars.net
[email protected]
A134 BA02 60D4 3F8E ACC8 89D9
94F1 3532 A319 EA5D We’re hiring! xwp.co/jobs