Yubikey plugin for WordPress
Updated: May 17, 2011
This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the Yubikey USB token. The plugin uses the Yubico Web service API in the authentication process.
The one-time password requirement can be enabled on a per user basis.
Your PHP installation must have the Hash and Curl libs enabled, otherwise this plugin won’t work.
Howto:
- Buy a Yubikey.
- Create a Yubico ID & API Key.
- Download, install and activate my Yubikey plugin for WordPress (it goes into wp-content/plugins).
- Enter Key ID on the Users -> Profile and Personal options page.
- Enter Yubico ID & API key on the Settings -> Yubikey options page.
ID/key confused? The Key ID is the first 12 characters of the output your Yubikey generates; they never change, because they identify the key itself. The Yubico ID and API Key are different: they are the client credentials the plugin uses when it talks to the Yubico authentication server.
- That’s it, enjoy the look of your new login box, and try logging in.
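As an added example (this is not the plugin's own code, which is PHP), the following Python sketch shows the pieces the howto above relies on: extracting the 12-character Key ID from a 44-character OTP and checking it is well-formed ModHex, building the signed query for the Yubico validation web service, and checking the signature on the reply. The sample OTP, the client ID and the API key are constructed for illustration, and nothing is sent over the network.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# ModHex alphabet used by Yubikey OTPs (c=0 .. v=15). A Yubico OTP is 44
# ModHex characters: a fixed 12-character public ID (the "Key ID" the plugin
# asks for) followed by 32 characters of encrypted, changing token data.
MODHEX = "cbdefghijklnrtuv"
OTP_LEN = 44
PUBLIC_ID_LEN = 12

# Constructed sample values (not a real key, client ID or API key).
SAMPLE_OTP = "cccccccbhhhtufbcndjvlveluidtcbbgelkrfcnhgdul"
CLIENT_ID = "12345"
API_KEY_B64 = base64.b64encode(b"0123456789abcdef").decode()


def modhex_decode(s: str) -> bytes:
    """Decode a ModHex string to bytes; raises ValueError on non-ModHex input."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not a ModHex string")
    return bytes(MODHEX.index(s[i]) * 16 + MODHEX.index(s[i + 1])
                 for i in range(0, len(s), 2))


def parse_otp(otp: str) -> tuple:
    """Split an OTP into (Key ID, changing part) after validating its shape."""
    otp = otp.strip()
    if len(otp) != OTP_LEN:
        raise ValueError(f"OTP must be {OTP_LEN} characters, got {len(otp)}")
    modhex_decode(otp)  # rejects anything outside the ModHex alphabet
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


def sign_params(api_key_b64: str, params: dict) -> str:
    """Yubico v2.0 signature: HMAC-SHA1 over alphabetically sorted key=value
    pairs joined with '&', keyed with the base64-decoded API key, base64 output.
    An existing 'h' field is excluded so the same routine signs and verifies."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    digest = hmac.new(key, msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_verify_query(client_id: str, api_key_b64: str, otp: str, nonce: str = "") -> str:
    """Build the signed query string for /wsapi/2.0/verify (no request is sent here).
    The nonce is echoed back by the server and ties the reply to this request."""
    nonce = nonce or secrets.token_hex(16)
    params = {"id": client_id, "otp": otp, "nonce": nonce}
    params["h"] = sign_params(api_key_b64, params)
    return urlencode(params)


def verify_response(api_key_b64: str, body: str, expected_otp: str, expected_nonce: str) -> bool:
    """Accept a reply only if its signature checks out under our API key, it
    echoes our otp and nonce (so a reply for another request cannot be replayed),
    and the status is OK."""
    fields = dict(line.split("=", 1) for line in body.splitlines() if "=" in line)
    if "h" not in fields or "status" not in fields:
        return False
    if not hmac.compare_digest(sign_params(api_key_b64, fields), fields["h"]):
        return False
    return (fields.get("otp") == expected_otp
            and fields.get("nonce") == expected_nonce
            and fields["status"] == "OK")


if __name__ == "__main__":
    key_id, _ = parse_otp(SAMPLE_OTP)
    print("Key ID to enter on the profile page:", key_id)
    print("Signed verify query:", build_verify_query(CLIENT_ID, API_KEY_B64, SAMPLE_OTP))
```

A successful answer from the validation service only proves that some Yubikey produced the OTP. The login code must additionally compare the Key ID returned by `parse_otp` with the Key IDs registered for that WordPress user, otherwise any valid Yubikey would unlock any account.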
History/Changelog
- 2011-04-14: Styling added to descriptions, thanks to Uwe Moosheimer
- 2011-04-11: German translation by Uwe Moosheimer added
- 2011-04-10: Multiple Yubikeys per account now possible, TAB index on registration page fixed.
- 2009-08-19: Russian translation contributed by M. Comfi
- 2009-02-09: Plugin has been moved to the official plugin directory
- 2008-12-13: Minor CSS change, making things look nicer with WordPress 2.7
- 2008-07-20: API ID & Key moved to a separate optionspage, thanks to Phil Massyn for idea and code.
- 2008-07-02: Plugin will now fail gracefully if Curl or Hash extensions are missing.
- 2008-06-25: Initial version



Hi, I just ordered a Yubikey but can see that the plugin hasn’t been updated in a while. Is the project dead?
Hi Cronner
No no, I just haven’t updated it to show compatibility with the latest versions yet.
But it’s working.
Good to hear. Just tried it with the latest WordPress and it works fine; I just need a workaround for mobile login?
Yes, I know, but how do I securely detect a mobile device? Any ideas?
Also support VeriSign VIP Access for mobile and you’ve got all you need.
One question: could it be possible to support two Yubikeys for one account? It would be good if two people could administrate via one ‘admin’ account.
Hi,
Just installed your plug-in, so far so good. It’d be nice though if it could do multi-factor authentication. I might have a stab at it later and see what I can do.
I managed to do this easily with the Community-ID OpenID server; basically a user enters their password, then before clicking Login, hits the button on the YubiKey.
Since the Yubico servers only accept a 12-character fixed UserID, the OTP generated is always 44 characters long. substr() is then used to split the user password from the OTP, and the two are authenticated separately. A similar approach could work here. As I say, I’ll give it a shot at some point and report back.
“if it could do multi-factor authentication”?? What are you talking about here?
User + password + Yubikey OTP, how is this NOT multi-factor authentication?
One option would be to whitelist a particular detected IP address and not subject it to Yubikey authentication. For example, on a broadband connection with a static IP address you could allow devices connecting through that IP to pass without the extra authentication. This would allow connections from mobile devices such as tablets and smartphones without hindrance. This would of course add a bit of risk, as any desktops you have on that LAN won’t be protected by the Yubikey from keyloggers etc. On a side note, the iPad can detect keyboards when you use the Camera Kit for iPad. Has anyone tried an iPad with the camera kit and a Yubikey to see if it works?
Can the plugin support multiple yubikeys being associated with an account? I have an “always attached” key on my home desktop, and a “mobile” yubikey that I carry around with me.
The plugin definitely does not support multiple yubikeys per account. I don’t know whether the API itself will support it either.
Can you try to make the use of two Yubikeys for one account possible? I don’t know how the plugin/API works, but maybe it is possible to add custom fields for the first key with a corresponding email and for the second key with a second email. This would make the plugin totally customizable?!
Hi, I’ll look into making multiple yubikey support possible.
And sorry for being so slow to respond, I’m having a little trouble with the notification emails when someone posts a comment
Great to hear
Is there already a timeline for the plugin? Can you say when we can expect the new version?
Hi Uwe
I have something ready for test now, if you would like to try it out, please send me an email: henrik at schack dot dk, and I’ll email you a version for testing.
/Henrik
Hi I have installed and configured your plugin and everything works great. However, I cannot access my site with the mobile WordPress version… Do you think it would be possible to add support for the mobile app?
Thanks!
Hi Torrey
Could you point me to the mobile WordPress version ?
And by the way, how would you attach a Yubikey to a mobile device ?
/Henrik
Great plugin idea… just one question. What if disaster struck and I lost my Yubikey and could no longer access my blog? Would I be able to disable the plugin by simply deleting the plugin folder from the plugin directory if I had access to the files via cPanel or FTP? I am just thinking of a worst-case scenario here…! Thanks!
Hi Debs
Yes, deleting the plugin from your installation via FTP would work in such a scenario.
/Henrik
Excellent – that makes this just perfect!
I’ve noticed that with YubiKey plugin activated and configured, I *can* log in via web browser using username + pass + yubikey (expected), but I *cannot* log in using e.g. the WordPress app for BlackBerry. It reports “bad username/password”
I assume it’s because there’s no way to send the YubiKey OTP and therefore the login always fails.
Any way you could look into this? Thanks
Hi Mike
You could create an additional WordPress user on your blog and NOT attach a Yubikey to this account, thereby allowing the BlackBerry/Android/iPhone apps to be used.
This additional account could be given something less than administrator rights on the blog.
/Henrik
I was wondering if there could be the option of just the Yubikey, without needing the username/password.
Hmm, then it wouldn’t be multifactor authentication anymore. I don’t really like that.
But if you’re looking for ease of use and increased security, you could:
1) Uninstall the plugin
2) Configure your Yubikey to be able to generate a static (long) password
3) Use the Yubikey to enter your password.
Would that be a valid option for you ?
/Henrik
Great work my yubikey is on its way in the mail
Has this been tried on the current WP 3.2.1?
I’m not seeing the fields in the user forms for this plugin. Everything else appears normal though.
Skip that. It works fine. I was trying to create a new user as an admin, and not seeing the fields to setup their yubikey. However registering for the user on their behalf through the login page worked fine.
Hi Henrik,
I am using your plugin in my wordpress blogs, great work thank you !
There are some simple/stupid questions; I am sure you could explain it in a few words:
1) Can I use _one_ API key for multiple websites, with different domain names?
Or should I use different keys?
2) I am testing the WordPress “multi-site” function with sub-domains.
Should I use different keys? Or is the multisite mode not supported?
Regards
Michael
Hi Michael
1) Yes you can use an API key for multiple sites.
2) I’m not sure if my plugin works in multisite mode, I haven’t tried it.
Best regards
Henrik Schack
Henrik,
I have tested your plugin in Multisite mode for more than two months.
No problems at all, works fine. Thank YOU !!
Best regards
Michael
Could you patch this to not require the Yubikey when the user is logging in over an API request (such as the Blogger API, XML-RPC request, Atom, etc)? That way mobile apps and other applications that use the API would still work. If you want to be security conscious, hook in a warning on the options page next to the “Enable APIs” box warning that it allows Yubikey security to be overridden.
Also looking for multiple Yubikey support. As a website designer it would be so useful. Right now I can only use it for my own personal sites or those I am developing, would like to roll this out so customers could get keys and keep their sites secure once I pass the sites over to them.
Are you sharing your account with the customer? That’s a bad idea; give him his own account and let him attach a Yubikey to that instead.
Best regards
Henrik Schack
I upgraded to WP 3.3 today and noticed that the plugin continues to work for existing users that had it set up, but currently new users do not have the Yubikey fields in the account settings.
Still looking for where the hook-in might be failing.
Also I had to modify instances of the variable “otp” to “Yotp” in order for it to co-exist with the Google Authenticator Plugin. Perhaps you’ll want to customize that variable a little as well. Once done, a user can choose between the two OTP methods.
Hi Craig
Thank you for the bug report, I guess I’ll have to do some fixing sometime soon.
Best regards
Henrik Schack
The iPad camera connection kit works just fine with the Yubikey.
Hi Henrik,
You have a function in your code commented as:
“Form handling of Yubikey options on edit profile page (admin user editing other user)”
When we are logged in to a site as admin, we can see the Yubikey options on the Your Profile Page (profile.php) but when we try and add Yubikey credentials to another user, we do not see these options on the Edit User page (user-edit.php).
Is there a way to allow only admins to add/remove the Yubikey, so that the end user cannot view/remove their Yubikey? We are trying to enforce the Yubikey for all of our websites and clients.
Regards,
Greg
I think adding the Yubikey should be possible for all, but having the ability to delete the Yubikey (on some accounts) restricted to the admin would be a great thing. The admin could say that on some accounts (employees etc.) the Yubikey is a must-have. Great idea, but it should be possible on a per-account basis. So users can use it or not, but employees must use it.
By the way, maybe it would be a good time to make a pro version for a feature like the “must use Yubikey” option. I think that companies would pay for a plugin like that.
Am I wrong?
I’d pay for a plugin if it was developed well with good functionality and was undergoing ongoing development.
$25/Site, $100/10 Sites, $299/Unlimited Sites? Just to throw a few numbers around.
Greg
Would be ok for me, too.
But Henrik has to consider that for a pro version there’s no donation.
Companies need to get a receipt.
I think I would like to keep things free; actually, I’m not sure I’ve ever gotten a donation.
But thanks Uwe & Greg, I have something to consider regarding functionality now.
Best regards
Henrik Schack
I can’t believe how easy that was!… thank you
Oh… working, confirmed on WP 3.3.1.
Q1. Multiple key support, if possible please?
Q2. What if I lose my key… how can I log in to disable or change the options?
thank you
A1: If you mean multiple keys for the same account, that is already possible.
A2: Just delete/move the directory and the plugin will be disabled by WordPress.