Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Two Step WordPress Security

Avatar for Kaspars Kaspars
February 22, 2016
Technology
0
78

Two Step WordPress Security

From WordCamp Norway 2016.

Avatar for Kaspars

Kaspars

February 22, 2016
Tweet

More Decks by Kaspars

See All by Kaspars
WordCamp Oslo 2018: How to Write Better Code Automatically
Avatar for Kaspars kasparsd
0
66
How to Write Better Code Automatically
Avatar for Kaspars kasparsd
0
62
My Story of Building a Commercial WordPress Plugin
Avatar for Kaspars kasparsd
0
83
WordPress REST API un Calypso
Avatar for Kaspars kasparsd
0
81
Take Control of Your Widgets
Avatar for Kaspars kasparsd
1
1k

Other Decks in Technology

See All in Technology
MagicPod導入から半年、オープンロジQAチームで実際にやったこと
Avatar for joko tjoko
0
110
新アイテムをどう使っていくか?みんなであーだこーだ言ってみよう / 20250911-rpi-jam-tokyo
Avatar for Akira Ouchi akkiesoft
0
350
Claude Code でアプリ開発をオートパイロットにするためのTips集 Zennの場合 / Claude Code Tips in Zenn
Avatar for Yusuke Wada wadayusuke
5
2.3k
Evolución del razonamiento matemático de GPT-4.1 a GPT-5 - Data Aventura Summit 2025 & VSCode DevDays
Avatar for Lautaro Carro lauchacarro
0
210
CDK CLIで使ってたあの機能、CDK Toolkit Libraryではどうやるの?
Avatar for Makky12 smt7174
4
190
共有と分離 - Compose Multiplatform "本番導入" の設計指針
Avatar for Ryo WATANABE error96num
2
1.2k
S3アクセス制御の設計ポイント
Avatar for tommy tommy0124
3
210
[ JAWS-UG 東京 CommunityBuilders Night #2 ]SlackとAmazon Q Developerで 運用効率化を模索する
Avatar for sh_fk2 sh_fk2
3
460
JTCにおける内製×スクラム開発への挑戦〜内製化率95%達成の舞台裏/JTC's challenge of in-house development with Scrum
Avatar for AEON aeonpeople
0
270
Wantedlyの開発組織における生成AIの浸透プロジェクトについて
Avatar for kojiro tominaga kotominaga
2
110
AWSを利用する上で知っておきたい名前解決のはなし(10分版)
Avatar for nagisa_53 nagisa53
10
3.2k
EncryptedSharedPreferences が deprecated になっちゃった!どうしよう! / Oh no! EncryptedSharedPreferences has been deprecated! What should I do?
Avatar for Yuki Anzai yanzm
0
500

Featured

See All Featured
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
40
2k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
229
22k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
87
4.8k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.8k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
231
18k
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
273
40k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
329
39k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
236
140k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.1k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
330
21k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.9k

Transcript

  1. None

  2. Two Step 
 WordPress Security Kaspars Dambis WordCamp Norway /

    February 20, 2016

  3. Authentication Authorization Who are you? Authentication What can you do?

  4. Demo: WordPress and
 Public Key Infrastructure

  5. Authentication Source: http://www.andrews-sykes.com/blog/wp-content/uploads/2014/06/Reception_Metropol.jpg

  6. Authorization Source: http://www.juliebolder.com/weeds_2010_season_6.htm

  7. One Step Authentication

  8. One Step Authentication

  9. Two Step Something You Know Authentication Something You Have +

  10. Two Step Authentication Something You Have +

  11. Two Step Authentication + PIN

  12. But There is a Problem

  13. Bad User Experience

  14. Bad User Experience

  15. 123456
 password
 12345678
 qwerty
 12345
 123456789
 letmein Source: http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514 Passwords

  16. A UX Problem

  17. A UX Problem

  18. A UX Problem

  19. https://xkcd.com/936/

  20. Tr0ub4dor&3 https://xkcd.com/936/ 3 days at 1000 guesses per second

  21. https://xkcd.com/936/ 550 years at 1000 guesses per second correct horse

    battery staple

  22. https://xkcd.com/936/ correct horse battery staple but 25 keystrokes

  23. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager

  24. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager Social Engineering

  25. What about Two Step?

  26. Two Step: One-Time Passwords +

  27. You still have to type in 6 digits every time

    Two Step: One-Time Passwords

  28. Two Step: One-Time Passwords Demo?

  29. Two Step: PKI Smartcards Have to use a SmartCard reader

    and install drivers on every computer Uses a secure element for all cryptographic functions

  30. Source: http://www.notebookcheck.net/Review-Lenovo-ThinkPad-T440p-20AN-006VGE-Notebook.108423.0.html

  31. … is there a solution?

  32. Universal 
 2nd Factor

  33. FIDO Alliance Fast IDentity Online • Formed in 2012 to

    create 
 a new industry standard • Initially worked on a Password-less protocol • U2F started by Google, Yubico and NXP in 2011 and joined FIDO in 2013
  34. None

  35. Universal 2nd Factor

  36. The Promise of U2F It Just Works! * * in

    Google Chrome for now
  37. None
  38. None
  39. None

  40. Stina
 Ehrensvard CEO & Founder

  41. July 2015
 A feature plugin was approved for core.
 https://wordpress.org/plugins/two-factor/

    December 2015
 “We can’t have users lock themselves out” January 2016
 Decided to work only on Application Passwords to meet the 4.5 cycle (April 2016). Join #core-passwords on WordPress Slack! Two Step in WordPress Core
  42. None

  43. https://twofactorauth.org

  44. Get Your U2F Key Yubico.com Coupon Code: wordcamp2016-100yk4

  45. Kaspars Dambis kaspars.net [email protected] A134 BA02 60D4 3F8E ACC8
 89D9

    94F1 3532 A319 EA5D We’re hiring! xwp.co/jobs