Yubikey plugin for WordPress

Updated: 17 May 2011


This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the Yubikey USB token. The plugin uses the Yubico Web service API in the authentication process.
The one-time password requirement can be enabled on a per-user basis.
Your PHP installation must have the Hash and Curl extensions enabled, otherwise this plugin won’t work.


Howto:

  1. Buy a Yubikey.
  2. Create a Yubico ID & API Key.
  3. Download, install and activate my Yubikey plugin for WordPress (it goes into wp-content/plugins).
  4. Enter the Key ID on the Users -> Profile and Personal Options page.
  5. Enter the Yubico ID & API key on the Settings -> Yubikey options page.
    ID/key confused? The Key ID is the first 12 characters of the output your Yubikey generates; those characters never change. The Yubico ID and API Key are used when communicating with the Yubico authentication server.
  6. That’s it. Enjoy the look of your new login box, and try logging in.
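As an added example in PHP (not the plugin's own code), this ties the howto steps together: the Key ID is the first 12 modhex characters of the 44-character OTP and is matched against the IDs registered on the profile before the server is consulted, and the Yubico ID and API key sign the verification request and check its reply, which is what the Hash and Curl extensions are for. The verify URL, parameter names and reply format are my assumptions about the YubiCloud v2 protocol; the key IDs, nonce and OTP are constructed.

```php
<?php
// Added example, not the plugin's own code. Assumes the YubiCloud v2 verify protocol
// (GET .../wsapi/2.0/verify, HMAC-SHA1 over the sorted query, key=value reply lines);
// the registered key IDs, nonce and sample OTP below are constructed.
// Modhex: the 16-letter alphabet a Yubikey types, chosen to survive any keyboard layout.
const YUBI_MODHEX = 'cbdefghijklnrtuv';
const YUBI_VERIFY_URL = 'https://api.yubico.com/wsapi/2.0/verify';

/** The Key ID entered on the profile page: the first 12 of the OTP's 44 modhex chars. */
function yubikey_public_id(string $otp): ?string {
    $otp = strtolower(trim($otp));
    if (strlen($otp) !== 44 || strspn($otp, YUBI_MODHEX) !== 44) {
        return null;                                  // wrong length or non-modhex input
    }
    return substr($otp, 0, 12);
}

/** Local check before any network call: was the OTP produced by one of the user's keys? */
function yubikey_belongs_to_user(string $otp, array $registered_key_ids): bool {
    $id = yubikey_public_id($otp);
    return $id !== null && in_array($id, array_map('strtolower', $registered_key_ids), true);
}

/** HMAC-SHA1 over "k=v&k=v" of the sorted params (minus h), keyed with the base64 API key.
 *  Signing the request and checking the reply is why the plugin needs the Hash extension. */
function yubikey_signature(array $params, string $api_key_b64): string {
    unset($params['h']);
    ksort($params);
    $query = implode('&', array_map(fn($k, $v) => "$k=$v", array_keys($params), $params));
    return base64_encode(hash_hmac('sha1', $query, base64_decode($api_key_b64), true));
}

/** The URL the plugin would fetch with cURL; id is the Yubico ID from Settings -> Yubikey. */
function yubikey_verify_url(string $otp, string $client_id, string $api_key_b64, string $nonce): string {
    $params = ['id' => $client_id, 'otp' => $otp, 'nonce' => $nonce, 'timestamp' => '1'];
    $params['h'] = yubikey_signature($params, $api_key_b64);
    return YUBI_VERIFY_URL . '?' . http_build_query($params, '', '&');
}

/** Accept the reply only if its signature, the echoed OTP and nonce, and status=OK all hold. */
function yubikey_reply_ok(string $body, string $otp, string $nonce, string $api_key_b64): bool {
    $fields = [];
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        if (strpos($line, '=') !== false) {
            [$k, $v] = explode('=', $line, 2);
            $fields[$k] = $v;
        }
    }
    return isset($fields['h'], $fields['status'])
        && hash_equals(yubikey_signature($fields, $api_key_b64), $fields['h'])
        && ($fields['otp'] ?? '') === $otp && ($fields['nonce'] ?? '') === $nonce
        && $fields['status'] === 'OK';
}
// Constructed sample: a user with two keys registered; the OTP comes from the first one.
$registered = ['ccccccbcgujh', 'vvvvvvbcgujh'];
$otp = 'ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded';
if (yubikey_belongs_to_user($otp, $registered)) {   // only then is the server consulted
    echo yubikey_verify_url($otp, '12345', base64_encode('constructed-key'), 'a1b2c3d4e5f6a7b8c9d0'), "\n";
}
```

The reply check refuses a response whose signature or echoed OTP/nonce do not match, so a spoofed or replayed validation answer is treated as a failed login.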

History/Changelog

  • 2011-04-14: Styling added to descriptions, thanks to Uwe Moosheimer
  • 2011-04-11: German translation by Uwe Moosheimer added
  • 2011-04-10: Multiple Yubikeys per account now possible, TAB index on registration page fixed.
  • 2009-08-19: Russian translation contributed by M. Comfi
  • 2009-02-09: Plugin has been moved to the official plugin directory
  • 2008-12-13: Minor CSS change, making things look nicer with WordPress 2.7
  • 2008-07-20: API ID & Key moved to a separate options page, thanks to Phil Massyn for idea and code.
  • 2008-07-02: Plugin will now fail gracefully if Curl or Hash extensions are missing.
  • 2008-06-25: Initial version
  1. Cronner
    8 November 2010 at 00:45

    Hi, just ordered a Yubikey but can see that the plugin hasn’t been updated in a while. Is the project dead?

  2. 12 December 2010 at 11:43

    Hi Cronner
    No no, I just haven’t updated it to show compatibility with the latest versions yet.
    But it’s working :-)

  3. Cronner
    21 December 2010 at 18:59

    Good to hear, just tried with the latest WordPress and it works fine. Just need a workaround for mobile login?

  4. Uwe
    15 January 2011 at 22:34

    Also support VeriSign VIP Access for mobile and you got all you need :-)

    One question: could it be possible to support two Yubikeys for one account? Would be good if two persons administrate via one ‘admin’ account.

  5. 15 February 2011 at 05:15

    Hi,

    Just installed your plug-in, so far so good. It’d be nice though if it could do multi-factor authentication. I might have a stab at it later and see what I can do.

    I managed to do this easily with the Community-ID OpenID server; basically a user enters their password, then before clicking Login, hits the button on the YubiKey.

    Since the Yubico servers only accept a 12-character fixed UserID, the OTP generated is always 44 characters long. substr() is then used to split the user password from the OTP, and the two are authenticated separately. A similar approach could work here. As I say, I’ll give it a shot at some point and report back.

    • 19 February 2011 at 17:12

      “if it could do multi-factor authentication”?? What are you talking about here?
      User + password + Yubikey OTP, how is this NOT multi-factor authentication?

  6. 25 February 2011 at 01:54

    One option would be to whitelist a particular IP address detected and not subject it to Yubikey authentication. In an example, on a broadband connection with a static IP address you could allow devices connecting through that IP to pass without the extra authentication. This would allow connections from mobile devices such as tablets and smartphones without hindrance. This would of course add a bit of risk as any desktops you have on that LAN won’t be protected with the Yubikey from key loggers etc. On a side note, the iPad can detect keyboards when you use the Camera Kit for iPad. Anyone tried an iPad with the camera kit and a Yubikey to see if it works?

  7. 15 March 2011 at 15:10

    Can the plugin support multiple yubikeys being associated with an account? I have an “always attached” key on my home desktop, and a “mobile” yubikey that I carry around with me.

  8. Hayden
    15 March 2011 at 20:45

    The plugin definitely does not support multiple yubikeys per account. I don’t know whether the API itself will support it either.

  9. Uwe
    15 March 2011 at 21:34

    Can you try to make the use of two Yubikeys for one account possible? I don’t know how the plugin/API works, but maybe it is possible to add custom fields for the first key with a corresponding email and for the second key with a second email. This would make the plugin totally customizable?!

  10. 15 March 2011 at 21:42

    Hi, I’ll look into making multiple yubikey support possible.
    And sorry for being so slow to respond, I’m having a little trouble with the notification emails when someone posts a comment :-(

  11. Uwe
    15 March 2011 at 22:10

    Great to hear :-)

  12. Uwe
    8 April 2011 at 10:27

    Is there already a timeline for the plugin? Can you say when we can expect the new version?

    • 9 April 2011 at 08:06

      Hi Uwe
      I have something ready for test now, if you would like to try it out, please send me an email: henrik at schack dot dk, and I’ll email you a version for testing.

      /Henrik

  13. Torrey Braman
    19 April 2011 at 02:48

    Hi I have installed and configured your plugin and everything works great. However, I cannot access my site with the mobile WordPress version… Do you think it would be possible to add support for the mobile app?

    Thanks!

    • 19 April 2011 at 05:03

      Hi Torrey
      Could you point me to the mobile WordPress version?
      And by the way, how would you attach a Yubikey to a mobile device?

      /Henrik

  14. Debs
    23 April 2011 at 11:38

    Great plugin idea… just one question. What if disaster struck and I lost my Yubikey and could no longer access my blog? Would I be able to disable the plugin by simply deleting the plugin folder from the plugin directory if I had access to the files via cPanel or http://ftp…? Am just thinking of a worst case scenario here…! Thanks!

    • 23 April 2011 at 11:56

      Hi Debs
      Yes, deleting the plugin from your installation via FTP would work in such a scenario :-)

      /Henrik

  15. Debs
    23 April 2011 at 11:58

    Excellent – that makes this just perfect! ;-)

  16. 2 May 2011 at 02:27

    I’ve noticed that with the YubiKey plugin activated and configured, I *can* log in via web browser using username + pass + yubikey (expected), but I *cannot* log in using e.g. the WordPress app for BlackBerry. It reports “bad username/password”.

    I assume it’s because there’s no way to send the YubiKey OTP and therefore the login always fails.

    Any way you could look into this? Thanks :)

    • 2 May 2011 at 05:13

      Hi Mike
      You could create an additional WordPress user on your blog and NOT attach a Yubikey to this account, thereby allowing the BlackBerry/Android/Iphone apps to be used.

      This additional account could be given something less than administrator rights on the blog.

      /Henrik

  17. James
    11 May 2011 at 23:21

    I was wondering if there could be the option of just Yubikey, without needing the username/password.

    • 12 May 2011 at 18:16

      Hmm, then it wouldn’t be multifactor authentication anymore. I don’t really like that :-)
      But if you’re looking for ease of use and increased security, you could:
      1) Uninstall the plugin
      2) Configure your Yubikey to be able to generate a static (long) password
      3) Use the Yubikey to enter your password.

      Would that be a valid option for you?

      /Henrik

  18. 6 July 2011 at 11:26

    Great work, my Yubikey is on its way in the mail :)

  19. cbowers
    21 July 2011 at 20:45

    Has this been tried on the current WP 3.2.1?
    I’m not seeing the fields in the user forms for this plugin. Everything else appears normal though.

  20. cbowers
    21 July 2011 at 20:55

    Skip that. It works fine. I was trying to create a new user as an admin, and not seeing the fields to set up their Yubikey. However, registering for the user on their behalf through the login page worked fine.

  21. Mikel
    29 August 2011 at 19:11

    Hi Henrik,
    I am using your plugin in my WordPress blogs, great work, thank you!
    There are some simple / stupid questions, I am sure you could explain it in short words:

    1) Can I use _one_ API key for multiple websites, with different domain names?
    Or should I use different keys ?

    2) I am testing the WordPress “multi-site” function with sub-domains.
    Should I use different keys ? Or is the multisite mode not supported ?

    Regards
    Michael

    • 31 August 2011 at 05:08

      Hi Michael
      1) Yes you can use an API key for multiple sites.
      2) I’m not sure if my plugin works in multisite mode, haven’t tried it :-(

      Best regards
      Henrik Schack

      • 29 October 2011 at 20:53

        Henrik,
        I have tested your plugin in Multisite mode for more than two months.
        No problems at all, works fine. Thank YOU !!

        Best regards
        Michael

  22. 5 September 2011 at 22:59

    Could you patch this to not require the Yubikey when the user is logging in over an API request (such as the Blogger API, XML-RPC request, Atom, etc)? That way mobile apps and other applications that use the API would still work. If you want to be security conscious, hook in a warning on the options page next to the “Enable APIs” box warning that it allows Yubikey security to be overridden.

  23. S
    17 November 2011 at 13:57

    Also looking for multiple Yubikey support. As a website designer it would be so useful. Right now I can only use it for my own personal sites or those I am developing, would like to roll this out so customers could get keys and keep their sites secure once I pass the sites over to them.

  24. 17 November 2011 at 15:50

    Are you sharing your account with the customer? That’s a bad idea; give him his own account and let him attach a Yubikey to that instead.

    Best regards
    Henrik Schack

  25. Craig Bowers
    15 December 2011 at 01:37

    I upgraded to WP 3.3 today and noticed that the plugin continues to work for existing users that had it set up, but currently new users do not have the Yubikey fields in the account settings.

    Still looking for where the hook-in might be failing.

    Also I had to modify instances of the variable “otp” to “Yotp” in order for it to co-exist with the Google Authenticator Plugin. Perhaps you’ll want to customize that variable a little as well. Once done, a user can choose between the two OTP methods.

  26. 15 December 2011 at 05:54

    Hi Craig
    Thank you for the bug report, guess I’ll have to do some fixing sometime soon :-)

    Best regards
    Henrik Schack

  27. Smokemonkey
    2 January 2012 at 15:16

    The iPad camera connection kit works just fine with Yubikey

  28. Greg Lipschitz
    3 January 2012 at 07:54

    Hi Henrik,

    You have a function in your code commented as:
    “Form handling of Yubikey options on edit profile page (admin user editing other user)”

    When we are logged in to a site as admin, we can see the Yubikey options on the Your Profile Page (profile.php) but when we try and add Yubikey credentials to another user, we do not see these options on the Edit User page (user-edit.php).

    Is there a way to enable only admins to be able to add / remove the Yubikey, so that the end user cannot view/remove their Yubikey? We are trying to enforce Yubikey for all of our websites and clients.

    Regards,

    Greg

  29. Uwe
    3 January 2012 at 11:01

    I think adding the Yubikey should be possible for all, but having the ability to delete the Yubikey (on some accounts) only as the admin would be a great thing. The admin could say that on some accounts (employees etc.) the Yubikey is a must-have. Great idea, but it should be possible on an account basis. So users can use it or not, but employees must use it :-)

  30. Uwe
    3 January 2012 at 11:05

    By the way, maybe it would be a good time to make a pro version for a feature like the “must use Yubikey” option. I think that companies could pay for a plugin like that.
    Am I wrong?

  31. Greg Lipschitz
    3 January 2012 at 11:53

    I’d pay for a plugin if it was developed well with good functionality and was undergoing ongoing development.

    $25/Site, $100/10 Sites, $299/Unlimited Sites? Just to throw a few numbers around.

    Greg

  32. Uwe
    3 January 2012 at 20:10

    Would be ok for me, too.
    But Henrik has to consider that for a pro version there’s no donation.
    Companies need to get a receipt ;-)

  33. 3 January 2012 at 21:09

    I think I would like to keep things free; actually I’m not sure I’ve ever gotten a donation :-)
    But thanks Uwe & Greg, I have something to consider regarding functionality now.

    Best regards
    Henrik Schack

  34. 4 February 2012 at 21:46

    I can’t believe how easy that was! Thank you.

    • 4 February 2012 at 21:48

      Oh, working. Confirmed on WP 3.3.1.

    • 4 February 2012 at 22:32

      Q1. Multiple key support if possible, please?
      Q2. What if I lose my key? How can I log in to disable or change the options?

      thank you

      • Uwe
        4 February 2012 at 22:52

        A1: if you mean multiple keys for the same account, that is already possible.
        A2: just delete / move the directory and the plugin will be disabled by WordPress.

  35. new
    6 February 2012 at 02:24

    I want and it not an option is used just the OTP for authentication.

  36. 18 February 2012 at 03:09

    It’s not working for my website…
    I have no idea what to do about the recommended “PHP installation must have the Hash and Curl libs enabled” feature. I am using a modern “Woo” theme.

  37. 22 February 2012 at 19:34

    Hi Henrik,
    I am still at a loss why the Yubikey doesn’t work. I even tried a new site with a plain WP Twenty Eleven template. Installed your plugin. Went over to Yubikey and obtained the API. It came back with a 4 digit and a long number below.
    On the login screen in WP I entered the static first 12 digits by pressing the key button.
    Later I tried adding the API key number to these 12 digits. But that did not work either.

    Please help :-)

  38. Bryon
    13 March 2012 at 19:35

    I have the plugin set up and working, but only for one key. I would like to add my second key in as a backup, but in my WordPress install under “Yubikey Plugin Options” I just have the “Yubico API ID” and “Yubico API key”. How do I add in multiple Yubikeys?

  39. St. Brendan
    1 July 2012 at 23:54

    I’m just curious… I installed the Yubikey plugin, and it did indeed add the Yubikey box and does work when I enter my password and OTP. However, I also seem to be able to log in with just my username/password. Is this intentional? I thought the point of having the plugin would be to prevent logging in without two-factor? Thank you for clarifying, and for providing this plugin :)

    • 21 July 2012 at 19:49

      Not really sure how you make the plugin behave like that?

      • 19 November 2012 at 08:37

        It is because he did not enable the KEY for his user profile.

        He just enabled the API and thinks that operation binds the key to his account.

        Brendan, go into your user profile and add the Yubikey to your user.

        Right now it is not working in your configuration.

        • St. Brendan
          15 February 2013 at 21:55

          Tom, you are absolutely right. That was the problem. It is now successfully working with my WordPress install. Thank you Henrik for such a great plugin, and thank you Tom for clarifying the proper configuration of the plugin.

  40. Scott
    28 August 2012 at 21:58

    I installed your plugin and set everything up correctly. However, I have several people who also have keys, and when I enable Yubikey for their users they cannot seem to log in no matter what I try. Seems the password is not correct. I have gone as far as adding their KEY to my profile, and when I use their keys everything works for me.

    Does your plugin only support a single user?

    • Uwe
      28 August 2012 at 22:51

      I can confirm that the plugin works for several users with different Yubikeys.
      Can you check the logfiles? Have you checked how your users made it? Did they enter a password AND the Yubikey?

  41. Craig Bowers
    28 August 2012 at 23:14

    I wonder if Uwe’s issue is that he’s installed the plugin and has it enabled for all existing users (whose yubikey fields are blank because the account was created before the Yubikey plugin existed).

    Thus those users won’t be able to login to add their Yubikey.

    Uwe, your fix would be to disable the Yubikey setting in their accounts, but direct them to login and turn it back on, while adding their Yubikeys to the profile settings.
    The Yubikey plugin seems more Self-serve/Configure than Administrator configure.

    Henrik:
    It might be an approach to check if the Yubikey is enabled on an account with empty Yubikey fields. If so prompt them to input their key to update their profile, or send them to update their profile to add keys, or to disable the Yubikey setting on their account.

    As a follow-on, it would be very nice if those Yubikey fields could be seen in the account profile by WordPress administrators. I know in our case I’m provisioning accounts in WordPress on behalf of internal users. It would be nice if I could add the Yubikey I’m about to assign them to their WordPress account, without having to log in as each user to see and set those fields.

    • Uwe
      28 August 2012 at 23:30

      You misunderstand who’s got the problem.
      Not me but Scott ;-)
      OK, I misunderstood that Scott enabled Yubikey for some users without entering a key; that’s no good idea.
      The ability to change the Yubikey settings by the administrator would be a good thing. I have the same problem when setting up accounts for our internal users.

  42. 19 November 2012 at 08:17

    Hello,

    Great plugin, but is there a way to ENFORCE wp-users to USE the Yubikey? That would be a great option!

    thanks!

  43. 28 February 2013 at 03:09

    Hello,

    I really like the plugin, thanks for your work on this.

    One thing I would like to see is the “tab order” on the login page working correctly. The OTP field is one of the last fields to come up in the tab order, though I would expect it to be in this order: Username, Password, YubiKey OTP. I’ve only tried it with Chrome, so it may be my issue, just thought I would point it out.

    For anyone asking if there is a way to enforce users to use the YubiKey, you have to set YubiKey authentication in their profile, along with the key ID.

    Cheers,
    Jess
