What is a Universal 2nd Factor (U2F) Physical Security Key?

U2F is an authentication standard that lets users securely access their online accounts instantly with a security key – no drivers or client software needed. You just register a physical device with the online service that supports the protocol. It was created by Google and Yubico and is now hosted by the FIDO Alliance. Basically, U2F security keys are physical USB keys that look like a flash drive. You can only access your account by tapping the key while it’s plugged in. As an end user, it feels like a dedicated device for 2-Factor Authentication. Instead of using your phone and the Authenticator app, you carry around a physical key.

U2F and WordPress Security

I wanted to give it a go on my site, so I purchased a YubiKey of my own. Seeing as this was an experiment and I am not super technical, I wasn’t ready to attempt a manual setup. I searched for a free plugin option on WordPress.org. The search ended pretty fast. There are currently not a lot of options or information for WordPress, so I went with the most popular free option, Two-Factor. Now armed with my brand new key and the plugin I thought, “this shouldn’t be too hard”. So, how do you use U2F and physical security keys with WordPress?
What are the drawbacks and barriers to entry of Security Keys?

While it’s fairly easy to implement, there were some drawbacks. This level of security is not free, and providing security keys to everyone that needs access to your site could be costly – especially for large teams. Keys vary in price from $20 to $50. Plus, it’s recommended you keep a backup key for each of your users just in case their key is lost, damaged or stolen. If you run a team of 10 that would require 20 keys. Cha-ching.

If cost is not prohibitive, the next challenge is that security keys are still not widely adopted. While usage has increased, setting up security keys for other systems can be a painful and lengthy process. The good news is that things are improving, and setting up security keys on Google, Facebook or Twitter is fairly straightforward.

Another thing to consider for teams or development agencies is management. Keys create a more complicated employee and client onboarding process. It also means finding a point person for setup and recovery. Hello middle managers.

Perhaps the most obvious hurdle: you can’t access your site without the security key. This is good for your site’s security but could be bad for convenience. Let’s say you just arrived at work and realized you left your key at home. You can’t call somebody to dictate a one-time password – because there is no spoon password! This could mean a few more hours of driving, which would negate all the extra seconds you have “stolen away” by using U2F over OTP in a single day.

Lastly, handing out security keys to your WordPress clients could, obviously, be a potential problem. So, why not just roll with One-Time Passcodes (OTP) or 2FA on my phone? These are valid options, but there are some disadvantages.

U2F vs OTPs

One-Time Passcodes (OTP) are short numeric codes that are one-time use and are sent via text messages or generated on a separate physical device. While they are more secure than ordinary passwords, OTPs aren’t perfect:
Who Are Physical Security Keys Like YubiKeys For?

For most WordPress users, Defender’s 2FA with Google Authenticator on your phone is more than enough. Dedicated security keys offer dedicated protection against phishing and man-in-the-middle attacks and are arguably faster and easier to use once you set them up and get used to them, but let’s face it, ordinary Joe probably doesn’t really need a YubiKey. That said, if you’re running an agency with multiple administrators on high-profile client sites, it may be time to consider physical keys for your team. Google’s own U2F case study showed that, on top of becoming a “no-phishing zone”, they also noticed accelerated employee productivity, reduced support compared to phone authentication, and even lower cost of ownership. The benefits of the physical keys multiply with the number of employees/clients using keys and with the number of daily sessions each user commences.

Better Solutions for WordPress Security

U2F is most likely the technology of the future and it is growing rapidly in popularity. But for now, it doesn’t seem to provide enough benefits for small or midsize agencies, at least not for replacing a well-set-up 2FA. If physical keys sound impractical or a bit excessive for your clients, Defender is the best option for securing your WordPress sites. The combination of one-click security tweaks, good password practices, 2-factor Auth along with our forced two-factor authentication for specific user roles, automated cloud backups, and free expert support clean-up is more than enough. What do you think? Do the risks of phishing associated with your phone have you considering physical keys for your WordPress agency?