Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Two Step WordPress Security

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Kaspars Kaspars
February 22, 2016
Technology
0
81

Two Step WordPress Security

From WordCamp Norway 2016.

Avatar for Kaspars

Kaspars

February 22, 2016
Tweet

More Decks by Kaspars

See All by Kaspars
WordCamp Oslo 2018: How to Write Better Code Automatically
Avatar for Kaspars kasparsd
0
68
How to Write Better Code Automatically
Avatar for Kaspars kasparsd
0
63
My Story of Building a Commercial WordPress Plugin
Avatar for Kaspars kasparsd
0
88
WordPress REST API un Calypso
Avatar for Kaspars kasparsd
0
83
Take Control of Your Widgets
Avatar for Kaspars kasparsd
1
1k

Other Decks in Technology

See All in Technology
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
Avatar for Toro_Unit (Hiroshi Urabe) torounit
0
450
あたらしい上流工程の形。 0日導入からはじめるAI駆動PM
Avatar for 熊井悠 kumaiu
5
760
顧客との商談議事録をみんなで読んで顧客解像度を上げよう
Avatar for shibayu36 shibayu36
0
180
(金融庁共催)第4回金融データ活用チャレンジ勉強会資料
Avatar for tak takumimukaiyama
0
130
Kiro IDEのドキュメントを全部読んだので地味だけどちょっと嬉しい機能を紹介する
Avatar for khmoryz khmoryz
0
170
SREじゃなかった僕らがenablingを通じて「SRE実践者」になるまでのリアル / SRE Kaigi 2026
Avatar for AEON aeonpeople
6
2.1k
クレジットカード決済基盤を支えるSRE - 厳格な監査とSRE運用の両立 (SRE Kaigi 2026)
Avatar for capytan capytan
6
2.6k
日本の85%が使う公共SaaSは、どう育ったのか
Avatar for たけだ taketakekaho
1
140
月間数億レコードのアクセスログ基盤を無停止・低コストでAWS移行せよ!アプリケーションエンジニアのSREチャレンジ💪
Avatar for miyamu miyamu
0
820
Embedded SREの終わりを設計する 「なんとなく」から計画的な自立支援へ
Avatar for SansanTech sansantech
PRO
3
2.2k
制約が導く迷わない設計 〜 信頼性と運用性を両立するマイナンバー管理システムの実践 〜
Avatar for ないとー bwkw
3
880
Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf
Avatar for 小笠原理久 riku_423
2
470

Featured

See All Featured
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
Avatar for Greg Gifford greggifford
PRO
0
77
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
162
24k
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
Avatar for Tech SEO Connect techseoconnect
PRO
0
83
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
Avatar for Aleyda Solis aleyda
0
1.9k
16th Malabo Montpellier Forum Presentation
Avatar for AKADEMIYA2063 akademiya2063
PRO
0
47
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
281
24k
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
1
2.2M
We Are The Robots
Avatar for Honza Javorek honzajavorek
0
160
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
Avatar for Umar Saidu Auna auna
0
51
Agile Leadership in an Agile Organization
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
79
Paper Plane (Part 1)
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
4k
Efficient Content Optimization with Google Search Console & Apps Script
Avatar for Katarina Dahlin katarinadahlin
PRO
0
310

Transcript

  1. None

  2. Two Step 
 WordPress Security Kaspars Dambis WordCamp Norway /

    February 20, 2016

  3. Authentication Authorization Who are you? Authentication What can you do?

  4. Demo: WordPress and
 Public Key Infrastructure

  5. Authentication Source: http://www.andrews-sykes.com/blog/wp-content/uploads/2014/06/Reception_Metropol.jpg

  6. Authorization Source: http://www.juliebolder.com/weeds_2010_season_6.htm

  7. One Step Authentication

  8. One Step Authentication

  9. Two Step Something You Know Authentication Something You Have +

  10. Two Step Authentication Something You Have +

  11. Two Step Authentication + PIN

  12. But There is a Problem

  13. Bad User Experience

  14. Bad User Experience

  15. 123456
 password
 12345678
 qwerty
 12345
 123456789
 letmein Source: http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514 Passwords

  16. A UX Problem

  17. A UX Problem

  18. A UX Problem

  19. https://xkcd.com/936/

  20. Tr0ub4dor&3 https://xkcd.com/936/ 3 days at 1000 guesses per second

  21. https://xkcd.com/936/ 550 years at 1000 guesses per second correct horse

    battery staple

  22. https://xkcd.com/936/ correct horse battery staple but 25 keystrokes

  23. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager

  24. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager Social Engineering

  25. What about Two Step?

  26. Two Step: One-Time Passwords +

  27. You still have to type in 6 digits every time

    Two Step: One-Time Passwords

  28. Two Step: One-Time Passwords Demo?

  29. Two Step: PKI Smartcards Have to use a SmartCard reader

    and install drivers on every computer Uses a secure element for all cryptographic functions

  30. Source: http://www.notebookcheck.net/Review-Lenovo-ThinkPad-T440p-20AN-006VGE-Notebook.108423.0.html

  31. … is there a solution?

  32. Universal 
 2nd Factor

  33. FIDO Alliance Fast IDentity Online • Formed in 2012 to

    create 
 a new industry standard • Initially worked on a Password-less protocol • U2F started by Google, Yubico and NXP in 2011 and joined FIDO in 2013
  34. None

  35. Universal 2nd Factor

  36. The Promise of U2F It Just Works! * * in

    Google Chrome for now
  37. None
  38. None
  39. None

  40. Stina
 Ehrensvard CEO & Founder

  41. July 2015
 A feature plugin was approved for core.
 https://wordpress.org/plugins/two-factor/

    December 2015
 “We can’t have users lock themselves out” January 2016
 Decided to work only on Application Passwords to meet the 4.5 cycle (April 2016). Join #core-passwords on WordPress Slack! Two Step in WordPress Core
  42. None

  43. https://twofactorauth.org

  44. Get Your U2F Key Yubico.com Coupon Code: wordcamp2016-100yk4

  45. Kaspars Dambis kaspars.net [email protected] A134 BA02 60D4 3F8E ACC8
 89D9

    94F1 3532 A319 EA5D We’re hiring! xwp.co/jobs