Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Two Step WordPress Security

Avatar for Kaspars Kaspars
February 22, 2016
Technology
0
81

Two Step WordPress Security

From WordCamp Norway 2016.

Avatar for Kaspars

Kaspars

February 22, 2016
Tweet

More Decks by Kaspars

See All by Kaspars
WordCamp Oslo 2018: How to Write Better Code Automatically
Avatar for Kaspars kasparsd
0
68
How to Write Better Code Automatically
Avatar for Kaspars kasparsd
0
63
My Story of Building a Commercial WordPress Plugin
Avatar for Kaspars kasparsd
0
88
WordPress REST API un Calypso
Avatar for Kaspars kasparsd
0
83
Take Control of Your Widgets
Avatar for Kaspars kasparsd
1
1k

Other Decks in Technology

See All in Technology
Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf
Avatar for 小笠原理久 riku_423
2
450
FinTech SREのAWSサービス活用/Leveraging AWS Services in FinTech SRE
Avatar for maaaato maaaato
0
120
なぜ今、コスト最適化(倹約)が必要なのか? ~AWSでのコスト最適化の進め方「目的編」~
Avatar for Hayato Tan htan
1
110
SREじゃなかった僕らがenablingを通じて「SRE実践者」になるまでのリアル / SRE Kaigi 2026
Avatar for AEON aeonpeople
6
2.1k
外部キー制約の知っておいて欲しいこと - RDBMSを正しく使うために必要なこと / FOREIGN KEY Night
Avatar for soudai sone soudai
PRO
12
4.7k
使いにくいの壁を突破する
Avatar for SansanTech sansantech
PRO
1
120
Digitization部 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
6.8k
フルカイテン株式会社 エンジニア向け採用資料
Avatar for FULL KAITEN fullkaiten
0
10k
Contract One Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
13k
Amazon S3 Vectorsを使って資格勉強用AIエージェントを構築してみた
Avatar for usanchuu usanchuu
3
430
オープンウェイトのLLMリランカーを契約書で評価する / searchtechjp
Avatar for Sansan R&D sansan_randd
3
650
名刺メーカーDevグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
1k

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
65
8.4k
Evolving SEO for Evolving Search Engines
Avatar for Ryan Jones ryanjones
0
120
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
Avatar for Yuki Nakata chikuwait chikuwait
0
320
Groundhog Day: Seeking Process in Gaming for Health
Avatar for Sebastian Deterding codingconduct
0
90
BBQ
Avatar for Matthew Crist matthewcrist
89
10k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
432
66k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
61
9.7k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
Avatar for Helen Beal helenjbeal
1
120
Navigating the moral maze — ethical principles for Al-driven product design
Avatar for Skipper Chong Warson skipperchong
2
240
How Fast Is Fast Enough? [PerfNow 2025]
Avatar for Tammy Everts tammyeverts
3
450
Paper Plane (Part 1)
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
4k
Done Done
Avatar for chrislema chrislema
186
16k

Transcript

  1. None

  2. Two Step 
 WordPress Security Kaspars Dambis WordCamp Norway /

    February 20, 2016

  3. Authentication Authorization Who are you? Authentication What can you do?

  4. Demo: WordPress and
 Public Key Infrastructure

  5. Authentication Source: http://www.andrews-sykes.com/blog/wp-content/uploads/2014/06/Reception_Metropol.jpg

  6. Authorization Source: http://www.juliebolder.com/weeds_2010_season_6.htm

  7. One Step Authentication

  8. One Step Authentication

  9. Two Step Something You Know Authentication Something You Have +

  10. Two Step Authentication Something You Have +

  11. Two Step Authentication + PIN

  12. But There is a Problem

  13. Bad User Experience

  14. Bad User Experience

  15. 123456
 password
 12345678
 qwerty
 12345
 123456789
 letmein Source: http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514 Passwords

  16. A UX Problem

  17. A UX Problem

  18. A UX Problem

  19. https://xkcd.com/936/

  20. Tr0ub4dor&3 https://xkcd.com/936/ 3 days at 1000 guesses per second

  21. https://xkcd.com/936/ 550 years at 1000 guesses per second correct horse

    battery staple

  22. https://xkcd.com/936/ correct horse battery staple but 25 keystrokes

  23. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager

  24. • One “Master” Password • Password Generation • Password Auto-fill

    • Available on Desktop 
 and Mobile Use a Password Manager Social Engineering

  25. What about Two Step?

  26. Two Step: One-Time Passwords +

  27. You still have to type in 6 digits every time

    Two Step: One-Time Passwords

  28. Two Step: One-Time Passwords Demo?

  29. Two Step: PKI Smartcards Have to use a SmartCard reader

    and install drivers on every computer Uses a secure element for all cryptographic functions

  30. Source: http://www.notebookcheck.net/Review-Lenovo-ThinkPad-T440p-20AN-006VGE-Notebook.108423.0.html

  31. … is there a solution?

  32. Universal 
 2nd Factor

  33. FIDO Alliance Fast IDentity Online • Formed in 2012 to

    create 
 a new industry standard • Initially worked on a Password-less protocol • U2F started by Google, Yubico and NXP in 2011 and joined FIDO in 2013
  34. None

  35. Universal 2nd Factor

  36. The Promise of U2F It Just Works! * * in

    Google Chrome for now
  37. None
  38. None
  39. None

  40. Stina
 Ehrensvard CEO & Founder

  41. July 2015
 A feature plugin was approved for core.
 https://wordpress.org/plugins/two-factor/

    December 2015
 “We can’t have users lock themselves out” January 2016
 Decided to work only on Application Passwords to meet the 4.5 cycle (April 2016). Join #core-passwords on WordPress Slack! Two Step in WordPress Core
  42. None

  43. https://twofactorauth.org

  44. Get Your U2F Key Yubico.com Coupon Code: wordcamp2016-100yk4

  45. Kaspars Dambis kaspars.net [email protected] A134 BA02 60D4 3F8E ACC8
 89D9

    94F1 3532 A319 EA5D We’re hiring! xwp.co/jobs