Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Two Step WordPress Security
Search
Kaspars
February 22, 2016
Technology
0
74
Two Step WordPress Security
From WordCamp Norway 2016.
Kaspars
February 22, 2016
Tweet
Share
More Decks by Kaspars
See All by Kaspars
WordCamp Oslo 2018: How to Write Better Code Automatically
kasparsd
0
65
How to Write Better Code Automatically
kasparsd
0
60
My Story of Building a Commercial WordPress Plugin
kasparsd
0
80
WordPress REST API un Calypso
kasparsd
0
77
Take Control of Your Widgets
kasparsd
1
980
Other Decks in Technology
See All in Technology
基調講演: 生成AIを活用したアプリケーションの開発手法とは?
asei
1
100
Two-Tower モデルで実現する 検索リランキング / Shibuya_AI_2
visional_engineering_and_design
2
140
名刺メーカーDevグループ 紹介資料
sansan33
PRO
0
770
開発効率と信頼性を両立する Ubieのプラットフォームエンジニアリング
teru0x1
0
120
今からでも間に合う! 生成AI「RAG」再入門 / Re-introduction to RAG in Generative AI
hideakiaoyagi
0
110
堅牢な認証基盤の実現 TypeScriptで代数的データ型を活用する
kakehashi
PRO
1
170
JavaのMCPサーバーで体験するAIエージェントの世界
tatsuya1bm
1
220
Introduction to Bill One Development Engineer
sansan33
PRO
0
250
脅威をモデリングしてMCPのセキュリティ対策を考えよう
flatt_security
1
260
研究開発部メンバーの働き⽅ / Sansan R&D Profile
sansan33
PRO
3
17k
実践Kafka Streams 〜イベント駆動型アーキテクチャを添えて〜
joker1007
3
850
バクラクのモノレポにおける AI Coding のための環境整備と {Roo,Claude} Code活用事例 / AI Coding in Bakuraku's Monorepo: Environment Setup & Case Studies with {Roo, Claude} Code
upamune
8
4.8k
Featured
See All Featured
How to train your dragon (web standard)
notwaldorf
92
6.1k
Speed Design
sergeychernyshev
30
980
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.4k
Fireside Chat
paigeccino
37
3.5k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.8k
BBQ
matthewcrist
89
9.7k
Site-Speed That Sticks
csswizardry
9
620
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
KATA
mclloyd
29
14k
Optimizing for Happiness
mojombo
379
70k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
31
1.2k
Transcript
None
Two Step WordPress Security Kaspars Dambis WordCamp Norway /
February 20, 2016
Authentication Authorization Who are you? Authentication What can you do?
Demo: WordPress and Public Key Infrastructure
Authentication Source: http://www.andrews-sykes.com/blog/wp-content/uploads/2014/06/Reception_Metropol.jpg
Authorization Source: http://www.juliebolder.com/weeds_2010_season_6.htm
One Step Authentication
One Step Authentication
Two Step Something You Know Authentication Something You Have +
Two Step Authentication Something You Have +
Two Step Authentication + PIN
But There is a Problem
Bad User Experience
Bad User Experience
123456 password 12345678 qwerty 12345 123456789 letmein Source: http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514 Passwords
A UX Problem
A UX Problem
A UX Problem
https://xkcd.com/936/
Tr0ub4dor&3 https://xkcd.com/936/ 3 days at 1000 guesses per second
https://xkcd.com/936/ 550 years at 1000 guesses per second correct horse
battery staple
https://xkcd.com/936/ correct horse battery staple but 25 keystrokes
• One “Master” Password • Password Generation • Password Auto-fill
• Available on Desktop and Mobile Use a Password Manager
• One “Master” Password • Password Generation • Password Auto-fill
• Available on Desktop and Mobile Use a Password Manager Social Engineering
What about Two Step?
Two Step: One-Time Passwords +
You still have to type in 6 digits every time
Two Step: One-Time Passwords
Two Step: One-Time Passwords Demo?
Two Step: PKI Smartcards Have to use a SmartCard reader
and install drivers on every computer Uses a secure element for all cryptographic functions
Source: http://www.notebookcheck.net/Review-Lenovo-ThinkPad-T440p-20AN-006VGE-Notebook.108423.0.html
… is there a solution?
Universal 2nd Factor
FIDO Alliance Fast IDentity Online • Formed in 2012 to
create a new industry standard • Initially worked on a Password-less protocol • U2F started by Google, Yubico and NXP in 2011 and joined FIDO in 2013
None
Universal 2nd Factor
The Promise of U2F It Just Works! * * in
Google Chrome for now
None
None
None
Stina Ehrensvard CEO & Founder
July 2015 A feature plugin was approved for core. https://wordpress.org/plugins/two-factor/
December 2015 “We can’t have users lock themselves out” January 2016 Decided to work only on Application Passwords to meet the 4.5 cycle (April 2016). Join #core-passwords on WordPress Slack! Two Step in WordPress Core
None
https://twofactorauth.org
Get Your U2F Key Yubico.com Coupon Code: wordcamp2016-100yk4
Kaspars Dambis kaspars.net
[email protected]
A134 BA02 60D4 3F8E ACC8 89D9
94F1 3532 A319 EA5D We’re hiring! xwp.co/jobs