Google Authenticator for WordPress
Updated: 2 May 2012
The Google Authenticator plugin for WordPress gives you multifactor authentication using the Google Authenticator app for Android/iPhone/Blackberry.
If you’re security aware you may already have the Google Authenticator app installed, using it for multifactor authentication on your Gmail or Google Apps account.
The multifactor authentication requirement can be enabled on a per-user basis: you could enable it for your administrator account, but log in as usual with less privileged accounts.
Notice: this plugin requires the SHA1 and SHA256 hashing algorithms to be available in your PHP installation; it is not possible to activate the plugin without them.
Howto
- Install and activate the plugin.
- Enter a description on the Users -> Profile and Personal options page, in the Google Authenticator section.
- Scan the generated QR code with your phone, or enter the secret manually (remember to pick the time-based one).
- Remember to hit the Update profile button at the bottom of the page before leaving the Personal options page.
- That’s it, your WordPress blog is now a little more secure.
Screenshots
This is a great plugin and I am now using it on my website.
But, I have a question in my mind. What if I lost my mobile phone, then how will I be able to login to WordPress? Do you have any plans for providing other verification methods like backup codes or something similar that Google provides, in case something like that happens to anybody?
Thanks
I was thinking about the backup code thing when I started out programming the plugin, but then it struck me that perhaps simply deleting/renaming the plugin via FTP or SSH would be a lot easier. What do you think ?
/Henrik Schack
I think that will work too.
Hi Henrik, thanks for writing this. It’s a great plugin.
- David Bullock
Thank you David, and thanks a lot for that nice blogpost of yours.
/Henrik Schack
I installed this and scanned the QR code but the authenticator app said “Invalid token”. I entered the code manually (selecting time counter) but when I tried to login with it, the code generated by the Authenticator app didn’t work. Changed the plugin folder name and disabled it to log back in.
I would like to debug that, would you mind sending me the description you used for your account ? If not here then in an email to henrik at schack dot dk ?
Hi Henrik,
this is a very nice idea for a plugin! I really like it!
I have question though: Where did you learn how the algorithms for Google Authenticator work? Can you point me to a description or documentation?
Thanks!
Tobias
Thanks Tobias
A good starting point would be Google's pages about how the stuff works :
http://code.google.com/p/google-authenticator/
or this one :
http://www.brool.com/index.php/using-google-authenticator-for-your-website
Best regards
Henrik Schack
Hi Henrik,
great! Thanks for the links, that helped a lot! After reading the available docs and looking through the RFC, I have just one remaining question. Maybe you can help me with it:
Where is the length of the secret key of 10 bytes defined? And where does it say that base32 should be used? Were those two things simply chosen by Google for the Authenticator app (and therefore all implementations that want to work with the app need to do it the same), or are those things defined as part of TOTP/HOTP?
Thanks!
Tobias
Hi Tobias
I’m not sure where these things are defined.
But base32, I guess, could have been chosen because it's pretty typo-resistant.
Best regards
Henrik Schack
Not sure why but it didn’t work for me. After I enabled the plugin and updated the admin user account, I tried to logon using my existing password with the google authenticator code and it still complained about password incorrect. Once I deleted the plugin I am able to logon again.
My guess would be inaccurate time on server or Phone
Best regards
Henrik Schack
Hi Hendrik,
first of all, thanks for the perfect work, the idea of the plugin is great and secure as well! My problem is, that since the update to WordPress 3.2 the plugin seems to get in trouble – every time I try to login I get the error message that my Google Code is not valid anymore or wrong. The only chance I have is to delete your plugin via ftp and then login usually. I reinstalled your plugin, did create a new secret code for my user and scanned it with my phone, with the same result. Do you know anything about that behaviour?
Thanks,
Bent
Hi Bent
I just upgraded one of my WordPress installations to 3.20, I can’t really seem to make my plugin fail..
Are you absolutely sure the time on your server or your phone isn’t drifting ?
Best regards
Henrik Schack
Hi,
I also have no problems with the plugin on WP 3.2 (on several installations). Everything is working as expected.
I also don’t see how the update to WP 3.2 could break the plugin, as (from what I can see) the used mechanisms (plugin filters and actions) for the login procedure did not change from WP 3.1 to WP 3.2.
Now, I don’t know if WP 3.2 changed something in the handling of the server time (it might, due to the requirement of PHP 5). But as the plugin only uses the PHP function time(), that would also not have an effect.
So, as Henrik said, please check if the server time and the time on the phone are correct.
Also (just to make sure): After creating a new secret code, you must click the “Update Profile” button (at the bottom of the page), or the new secret code will not be saved!
Regards,
Tobias
Hi Henrik and Tobias,
I found the problem: My phone (HTC Desire) was getting its time from my cell provider. I checked the time with the very smart tool ClockSync that reported an offset of approx. 30 seconds (which is probably too much for a time based 2 factor authentication).
Yesterday I rooted my device and now I’m able to sync my clock via ntp (with an offset of 0,1 seconds) and everything is working perfect!!!
Maybe you can tell the customers that fact as a hint in the plugin description or in the faq section?
Regards and thanks again for the plugin,
Bent
Hi Bent
I recently updated the FAQ section mentioning the importance of an accurate clock, but perhaps I should elaborate a bit, and mention apps like ClockSync (Thank you for the tip)
Best regards
Henrik Schack
Henrik,
Have you considered an option to check the preceding and following minute for matches?
That would give a 180 second window to dampen the clock drift issues.
If it was selectable as an option, those of us with accurate clocks could disable it for best security, new users could leave it on by default to deal with sloppy clocks.
You could also log or notify admin if the match was on the edge (not against the server time). That would not only cut down on the support issue of “doesn’t work”, and it could notify the admin of a potential problem if they’re not properly syncing their server time.
Best,
Dave
Hi David
Actually I already do check 30 seconds before and 30 seconds after the “current 30 seconds window”
Best regards
Henrik Schack
I just installed the plugin, but when I scan in the QR code with my iPhone Google Authenticator app, it gives me an error about not being a valid authentication token barcode. Any ideas on how to fix this? Thanks.
Would you mind emailing me the secret (and then please create a new secret) I’ll see If I can figure out what is going on then.
henrik at schack dot dk
Best regards
Henrik Schack
I’ve written a pretty accurate account of how the google TOTP works:
http://www.idontplaydarts.com/2011/07/google-totp-two-factor-authentication-for-php/
The hardest part of the whole implementation is probably the Base32 decode.
Your Google Authenticator for WordPress is great, however currently is very dependent on time-sync (and third party Android time sync apps seem to require root). Google’s libpam-google-authenticator provides an optional relaxed mode where you have a +4/-4 minute sliding window of accepted codes. Which effectively means 17 codes are accepted at any one time. Would you consider adding such option to your WordPress plugin at some point?
Regards,
Pascal de Bruijn
Hi Pascal
Sure, I’ll implement that.
Best regards
Henrik Schack
Hi Pascal
Latest version (0.37) has “relaxed mode” implemented.
Best regards
Henrik Schack
Awesome! Works like a charm!
Henrik, thank you for this plugin. I wanted to suggest a possible option to add. I have required GA for admins, but I leave it off for the majority of my users. But then they find the field confusing on the login screen. Would you consider adding an option to hide the field by default but maybe reveal it with a click so that admins could still enter the code, but normal users don’t see the field? Just a thought.
Hi Michael
Hmm I can see that my link hover text/tooltip isn’t working as I was hoping it would
I do recognize your concern, but I’m not sure halfway hiding the Google Authenticator code field would confuse people less, it could perhaps confuse the users even more this way, guess that depends on the user in question.
How about enlightening people instead ? I guess there is room for a (what is this?) to the right of the “Google Authenticator code” heading.
Best regards
Henrik Schack
Ah! I hadn’t even noticed the tooltip, and unfortunately my users didn’t either.
You’re right about the confusion. I do like the idea of a “What is this?”. It would be ideal if it included something to let users know that if they don’t know what it is, they can ignore it.
The “What is this?” text could popup/display an explanation when clicked.
Would that be OK ?
Best regards
Henrik Schack
Yeah, that would be great. What would be even greater would be the ability to edit what that explanation IS in the admin somewhere! Then I could gear it specifically to my users.
OK, I’ll see what I can come up with, thanks a lot for the feedback
Best regards
Henrik Schack
Hmm, this does not seem to be working for me unfortunately. Everything appears to be working, except it simply won’t log me in
I’m running WordPress trunk on a sub-domained multi-site installation in case that’s of any use in debugging.
I had a flick through the code but couldn’t see anything in particular which was out of place.
Hi Ryan
I don’t really have a multisite installation I can test on
Are you sure your phone <-> webserver time is in sync ?
Best regards
Henrik Schack
Oh! I didn’t click that the server time needed to be in sync. I thought the references to time syncing were referring to ensuring that the authenticator hadn’t timed out before entering the number.
That is most likely the problem then as I assume the times will be out by around five hours or so.
I’m guessing you have set it to work off of the server time itself rather than the users time in WordPress.
A better option would be to use the time zone set within WordPress itself by individual users. This can be set in each users profile page.
If it is based on the server time, then it will unfortunately be unusable for any WordPress installs with multiple users in different time zones.
Great plugin idea. Just not usable for me if that is how it is setup unfortunately. I’ll gladly help promote it for you if it starts using each users individually set time though
A plugin like this is ideal for people like myself who run multi-site networks as we need to be a bit more careful with security than our single site install colleagues.
In the meantime, I might check out your WordPress port of Steve Gibson's paper passwords. I considered writing a plugin for that when I heard Steve and Leo talking about it the other week, but decided not to as I decided that using a Google multi-factor authentication plugin would be more sensible.
Is that a setting available in the Multisite version of WordPress ?
Best regards
Henrik Schack
My apologies. There is no option for that at all unfortunately.
What you can do though is use the site wide time zone set via /wp-admin/options-general.php.
Yes, that’s pretty much what I’ve done.
My server/WordPress installation is in Texas somewhere, having the system time set to Danish timezone.
Best regards
Henrik Schack
Darn. Well I guess it isn’t working for some other reason then
I thought maybe it would help if I used the root site for my network in case it was using the time settings for that site within the plugin, but no luck. That didn’t work either
And you are sure the time on the server is synced against some NTP server ?
You could place some tiny PHP script displaying the current time on your server, and check if it matches the time on your phone
Best regards
Henrik Schack
My server time definitely doesn’t match the time on my phone. However time listed in WordPress is accurate.
And your phone time ? How does that compare to what you see in WordPress ?
Oh man! I finally solved it. I was suffering from two problems which were switching on me. I was sometimes using the wrong “description” and sometimes my time was out of whack.
Thanks so much for your assistance. Plugin is working great now
Sorry for taking up so much of your time.
Great you got it running
Best regards
Henrik Schack
Just curious as to how the login works exactly. What I mean is that once I type in the username, password and GA code and I tell WordPress to remember me and tell my browser to save the username and password, how often will I have to retype in the GA code?
I’m testing it on my laptop and it seems it will continue to log me in without having to type in the code, which is perfectly fine, I don’t want to type it in every single time, especially if I haven’t closed my browser.
But is there a time limit? Also, what about a different computer that was already setup to login without having to enter the username and password? Is there some mechanism to make sure the person has to type in the code even if the credentials are saved?
Thanks,
Aseem
Hi Aseem
The codes are only valid for 30 seconds, but the previous and next code are also considered valid, this makes it possible to login even if your server or phone clock is drifting a bit.
Best regards
Henrik Schack
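The verification logic the thread describes, as an added example that is not the plugin's own code: a base32 secret (the decode step the idontplaydarts link calls the hardest part), HMAC-SHA1 over 30-second steps, the previous and next code accepted as Henrik explains above, and the wider ±4-minute (17-code) relaxed mode Pascal asked for. The secret value is constructed and PHP 7+ with the hash extension is assumed.

```php
<?php
// Added example (not the plugin's own code): TOTP verification as discussed in
// the thread: base32 secret, HMAC-SHA1 over 30-second steps, +-$window steps.

// Decode an RFC 4648 base32 string (the encoding Google Authenticator expects).
function base32_decode_secret(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    for ($i = 0; $i < strlen($b32); $i++) {
        $v = strpos($alphabet, $b32[$i]);
        if ($v === false) { throw new InvalidArgumentException('invalid base32'); }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); } // skip pad bits
    }
    return $out;
}

// RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second step counter, 6 digits.
function totp_code(string $secret, int $step): string {
    $msg = pack('N*', 0, $step);            // 8-byte big-endian counter
    $hash = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hash[19]) & 0x0f;        // dynamic truncation
    $bin = ((ord($hash[$offset]) & 0x7f) << 24) | (ord($hash[$offset + 1]) << 16)
         | (ord($hash[$offset + 2]) << 8) | ord($hash[$offset + 3]);
    return str_pad((string)($bin % 1000000), 6, '0', STR_PAD_LEFT);
}

// Accept the code if it matches any step within +-$window of the current one:
// window 1 = previous/current/next code (90 s); window 8 = +-4 min, 17 codes.
function totp_verify(string $b32secret, string $code, int $now, int $window = 1): bool {
    $secret = base32_decode_secret($b32secret);
    $step = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp_code($secret, $step + $i), $code)) { return true; }
    }
    return false;
}

// Constructed 16-character (10-byte) secret; $t is aligned to a step boundary.
$secret = 'JBSWY3DPEHPK3PXP';
$t = intdiv(time(), 30) * 30;
$code = totp_code(base32_decode_secret($secret), intdiv($t, 30));
var_dump(totp_verify($secret, $code, $t + 59));     // one step of drift
var_dump(totp_verify($secret, $code, $t + 60));     // two steps, default window
var_dump(totp_verify($secret, $code, $t + 60, 8));  // two steps, relaxed window
```

A wider window accepts more codes per attempt, so pairing relaxed mode with login rate limiting keeps the trade-off Pascal describes in check.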
Hi Henrik,
Sorry what I was asking about is when you already have your login info saved? For example, I installed the plugin and then clicked “Remember Me” before clicking login. I also let my browser save my username and password. Now it’s been 2 days and I am able to just click a direct link to my wp-admin section and I don’t have to type in any GA code. I only have to do it when I manually log out of WordPress or when I log into my blog on a new computer that I have not used before. Is that how it’s supposed to work?
Thanks,
Aseem
Hi Aseem
Hmm it sounds like you installed the plugin, but forgot to actually activate it on your account, remember to hit the “Update profile” button at the bottom of the page after scanning the code and checking the “Active” checkbox.
Best regards
Henrik Schack
Does this support authentication via SMS, or just the Android app? I log in to my Gmail account by typing a code I get sent to my phone via SMS.
Hi Daniel
No SMS, Smartphone only, sorry
Best regards
Henrik Schack
Awesome plugin, just installed it on a couple of WP sites I run.
I was getting the ‘Invalid Token’ error message when I tried to scan the QR code (on iPhone) as well, removing spaces from the description seemed to fix it.
Hi Henrik,
Today I have installed Google Authenticator for WordPress and everything went great install wise.
Although as soon as I test the module I can just skip the login screen by not entering the OTP.
This baffles me since The Google Authenticator module should block my login attempt.
Have you heard of this before, if so are you familiar with a fix for this strange issue?
Thank you for reading & kind regards,
Luuc
Hi Luuc
Sounds like you didn’t activate it for your account in the user administration
Best regards
Henrik Schack
Hello Henrik,
Thank you for your quick reply!
Actually I did activate Google Authenticator under: ‘Users’ > ‘Lucas’ > ‘Google Authenticator Settings’ > ‘Active = √’.
Is this what you are referring to? If so, what else could I do to fix this?
When I log in, the only way for me to login is to leave the Google Authenticator Field blank.
Thank you again for reading.
Very kind regards,
Lucas.
Hi Lucas
Yes, that’s what I was talking about, hmm really strange, and it doesn’t have something to do with the fact that your blog is in Maintenance mode ? I’ve never seen a problem like the one you’re having before.
Best regards
Henrik Schack
Hi Henrik,
Thanks again for your quick reply, truly fantastic!
Our blog is in Maintenance mode at the moment. Just now I have turned it off to see if it would make a difference, unfortunately it doesn’t. We have also tried restarting our server. This also makes no difference.
If you do not have an answer right away I understand completely.
Thanks again,
Kind regards,
Lucas.
Hi Lucas
I’m a bit lost now
Can I write you an email on the email address you used in this comment system ?
Best regards
Henrik Schack
Hello again Henrik,
Absolutely! If you have the spare time to do so then you are more than welcome!
If I can do anything for you to help in finding a solution then please ask
Thanks a lot!
Lucas.
Update for anyone else with the same problem: This was caused by FreeBSD not including the hash_hmac function, and WordPress not falling back to the built-in function.
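An added example, not WordPress's or the plugin's own code, of the kind of fallback Lucas's update refers to: HMAC-SHA1 per RFC 2104 built from sha1() alone, used only when the hash extension's hash_hmac is absent. The key and message are constructed.

```php
<?php
// Added example (not WordPress's or the plugin's code): RFC 2104 HMAC-SHA1
// from sha1() only, for PHP builds without the hash extension (hash_hmac).
function hmac_sha1_fallback(string $key, string $data): string {
    $blockSize = 64;                       // SHA-1 block size in bytes
    if (strlen($key) > $blockSize) {
        $key = sha1($key, true);           // keys longer than a block are hashed first
    }
    $key = str_pad($key, $blockSize, "\x00");
    $ipad = str_repeat("\x36", $blockSize);
    $opad = str_repeat("\x5c", $blockSize);
    $inner = sha1(($key ^ $ipad) . $data, true);   // PHP ^ on strings is byte-wise XOR
    return sha1(($key ^ $opad) . $inner, true);    // raw 20-byte digest
}

// Use the native function when present, the pure-PHP fallback otherwise.
function hmac_sha1(string $key, string $data): string {
    if (function_exists('hash_hmac')) {
        return hash_hmac('sha1', $data, $key, true);
    }
    return hmac_sha1_fallback($key, $data);
}

// Self-check on a system that does have hash_hmac: both paths must agree.
if (function_exists('hash_hmac')) {
    $k = 'constructed-key';
    $d = 'constructed-message';
    var_dump(hash_equals(hash_hmac('sha1', $d, $k, true), hmac_sha1_fallback($k, $d)));
}
```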
I had problems with Authenticator not reading QR code. However I removed the spaces from the name and it worked fine.
Cool plugin thanks!
Yes iPhones don’t like spaces in the description. Android phones don’t mind
Best regards
Henrik Schack
Hi! For web browser it works fine! Unfortunately I can’t login with my WordPress-App (WordPress 2.0 for Android). Is there a solution for that issue?
Hi Tamio
It used to work with the “Enable App Password” feature, something has changed, I’ll have to do some debugging and figure out what. I’ll be back
Best regards
Henrik Schack
Hello again Tamio
Actually, the “Enable App Password” feature still works. But notice you have to generate an app passwords AND hit the update profile button before you can actually use the app password to login.
And you must remember to enable XML-RPC access/posting (Settings -> Writing)
Best regards
Henrik Schack
Thank you very much! I forgot that there was that feature on the plugin settings page. My fault. Thanks again
Great plug-in!
You might want to set autocomplete=”off” for the input on the login page, so that browsers don’t offer old codes.
Thanks Jürgen
You’re right about autocomplete, wonder how I do that in XHTML ?
Best regards
Henrik Schack