Yubikey plugin for WordPress

This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the Yubikey USB token. The plugin uses the Yubico Web service API in the authentication process.
The one-time password requirement can be enabled on a per user basis.
Your PHP installation must have the Hash and Curl libs enabled, otherwise this plugin won’t work.


Howto:

  1. Buy a Yubikey.
  2. Create a Yubico ID & API Key.
  3. Download, install and activate my Yubikey plugin for WordPress (it goes into wp-content/plugins).
  4. Enter Key ID on the Users -> Profile and Personal options page.
  5. Enter Yubico ID & API key on the Settings -> Yubikey options page.
    ID/key confused? The Key ID is the first 12 characters of the output your Yubikey generates; they never change. The Yubico ID and API Key are used when communicating with the Yubico authentication server.
  6. That’s it; enjoy the look of your new login box, and try logging in.

History/Changelog

  • 2011-04-14: Styling added to descriptions, thanks to Uwe Moosheimer
  • 2011-04-11: German translation by Uwe Moosheimer added
  • 2011-04-10: Multiple Yubikeys per account now possible, TAB index on registration page fixed.
  • 2009-08-19: Russian translation contributed by M. Comfi
  • 2009-02-09: Plugin has been moved to the official plugin directory
  • 2008-12-13: Minor CSS change, making things look nicer with WordPress 2.7
  • 2008-07-20: API ID & Key moved to a separate options page, thanks to Phil Massyn for idea and code.
  • 2008-07-02: Plugin will now fail gracefully if Curl or Hash extensions are missing.
  • 2008-06-25: Initial version

94 comments on “Yubikey plugin for WordPress”

  1. Cronner says:

    Hi, just ordered a Yubikey but can see that the plugin hasn’t been updated in a while. Is the project dead?

  2. Henrik Schack says:

    Hi Cronner
    No No, I just haven’t updated it to show compatibility with the latest versions yet.
    But it’s working 🙂

  3. Cronner says:

    Good to hear, just tried it with the latest WordPress and it works fine. Just need a workaround for mobile login?

  4. Uwe says:

    Also support VeriSign VIP Access for mobile and you got all you need 🙂

    One question: could it be possible to support two Yubikeys for one account? Would be good if two persons administrate via one ‘admin’ account.

  5. Hi,

    Just installed your plug-in, so far so good. It’d be nice though if it could do multi-factor authentication. I might have a stab at it later and see what I can do.

    I managed to do this easily with the Community-ID OpenID server; basically a user enters their password, then before clicking Login, hits the button on the YubiKey.

    Since the Yubico servers only accept a 12-character fixed UserID, the OTP generated is always 44 characters long. substr() is used then to split the user password from OTP, and the two are authenticated separately. A similar approach could work here. As I say I’ll give it a shot at some point and report back.
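    The OTP layout that both step 5 of the Howto (the Key ID is the first 12 characters) and this comment (the OTP is always 44 characters, so the password can be split off with substr()) rely on, as an added example in Python rather than the plugin’s PHP. It is not code from the plugin or from this commenter; the sample OTP and password are constructed, and the public-ID check at the end is the reason the Key ID is registered per account in the first place.

```python
"""Yubikey OTP structure helpers (added example, not the plugin's code).

A Yubikey OTP is 44 modhex characters: the first 12 are the static public ID
(the "Key ID" in the Howto), the remaining 32 are the AES-encrypted part that
changes with every press. Splitting a combined "password + OTP" field on that
fixed length is the approach the comment above describes.
"""
import re

MODHEX_ALPHABET = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-tolerant hex alphabet
OTP_LENGTH = 44
PUBLIC_ID_LENGTH = 12
_OTP_RE = re.compile(rf"^[{MODHEX_ALPHABET}]{{{OTP_LENGTH}}}$")

# Constructed sample OTP (not issued by any real key).
SAMPLE_OTP = "ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded"


def normalize(candidate: str) -> str:
    """Caps Lock can upper-case the key's output; modhex is case-insensitive."""
    return candidate.strip().lower()


def is_modhex_otp(candidate: str) -> bool:
    """True only for exactly 44 modhex characters."""
    return bool(_OTP_RE.match(normalize(candidate)))


def public_id(otp: str) -> str:
    """The 12-character public ID: the value a user registers as Key ID."""
    otp = normalize(otp)
    if not is_modhex_otp(otp):
        raise ValueError("not a well-formed Yubikey OTP")
    return otp[:PUBLIC_ID_LENGTH]


def split_password_and_otp(combined: str):
    """Split 'password<otp>' typed into one field into (password, otp).

    Returns (combined, None) when no well-formed OTP tail is present, so the
    caller can fail closed for accounts that require a Yubikey.
    """
    if len(combined) <= OTP_LENGTH:
        return combined, None
    tail = combined[-OTP_LENGTH:]
    if not is_modhex_otp(tail):
        return combined, None
    return combined[:-OTP_LENGTH], normalize(tail)


def otp_belongs_to_account(otp: str, registered_key_ids) -> bool:
    """Public-ID check before any server call: an OTP from a key that is not
    registered on this account must be rejected even if YubiCloud reports it valid."""
    return public_id(otp) in {normalize(k) for k in registered_key_ids}
```

    A caveat for the combined-field approach: a password whose last 44 characters happen to be modhex would be mis-split, so a login form with a separate OTP field (as the plugin has) avoids that ambiguity; the split is only needed where the client cannot show a second field.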

  6. Hayden says:

    One option would be to whitelist a particular IP address detected and not subject it to Yubikey authentication. For example, on a broadband connection with a static IP address you could allow devices connecting through that IP to pass without the extra authentication. This would allow connections from mobile devices such as tablets and smartphones without hindrance. This would of course add a bit of risk as any desktops you have on that LAN won’t be protected with the Yubikey from keyloggers etc. On a side note, the iPad can detect keyboards when you use the Camera Kit for iPad. Anyone tried an iPad with the camera kit and a Yubikey to see if it works?

  7. Dan Q says:

    Can the plugin support multiple yubikeys being associated with an account? I have an “always attached” key on my home desktop, and a “mobile” yubikey that I carry around with me.

  8. Hayden says:

    The plugin definitely does not support multiple yubikeys per account. I don’t know whether the API itself will support it either.

  9. Uwe says:

    Can you try to make the use of two Yubikeys for one account possible? I don’t know how the plugin/API works but maybe it is possible to add custom fields for the first key with a corresponding email and for the second key with a second email. This would make the plugin totally customizable?!

  10. Henrik Schack says:

    Hi, I’ll look into making multiple Yubikey support possible.
    And sorry for being so slow to respond, I’m having a little trouble with the notification emails when someone posts a comment 🙁

  11. Uwe says:

    Great to hear 🙂

  12. Uwe says:

    Is there already a timeline for the plugin? Can you say when we can expect the new version?

    • Henrik Schack says:

      Hi Uwe
      I have something ready for test now, if you would like to try it out, please send me an email: henrik at schack dot dk, and I’ll email you a version for testing.

      /Henrik

  13. Torrey Braman says:

    Hi I have installed and configured your plugin and everything works great. However, I cannot access my site with the mobile WordPress version… Do you think it would be possible to add support for the mobile app?

    Thanks!

  14. Debs says:

    Great plugin idea…just one question. What if disaster struck and I lost my Yubikey and could no longer access my blog? Would I be able to disable the plugin by simply deleting the plugin folder from the plugin directory if I had access to the files via cPanel or FTP…? Am just thinking of a worst case scenario here…! Thanks!

  15. Debs says:

    Excellent – that makes this just perfect! 😉

  16. Mike B says:

    I’ve noticed that with the YubiKey plugin activated and configured, I *can* log in via web browser using username + pass + yubikey (expected), but I *cannot* log in using e.g. the WordPress app for BlackBerry. It reports “bad username/password”.

    I assume it’s because there’s no way to send the YubiKey OTP and therefore the login always fails.

    Any way you could look into this? Thanks 🙂

    • Henrik Schack says:

      Hi Mike
      You could create an additional WordPress user on your blog and NOT attach a Yubikey to this account, thereby allowing the BlackBerry/Android/iPhone apps to be used.

      This additional account could be given something less than administrator rights on the blog.

      /Henrik

  17. James says:

    I was wondering if there could be the option of just yubikey – without needing the username/password

    • Henrik Schack says:

      Hmm, then it wouldn’t be multifactor authentication anymore. I don’t really like that 🙂
      But if you’re looking for ease of use and increased security, you could:
      1) Uninstall the plugin
      2) Configure your Yubikey to be able to generate a static (long) password
      3) Use the Yubikey to enter your password.

      Would that be a valid option for you ?

      /Henrik

  18. Nicolai says:

    Great work, my Yubikey is on its way in the mail 🙂

  19. cbowers says:

    Has this been tried on the current WP 3.2.1?
    I’m not seeing the fields in the user forms for this plugin. Everything else appears normal though.

  20. cbowers says:

    Skip that. It works fine. I was trying to create a new user as an admin, and not seeing the fields to set up their Yubikey. However, registering for the user on their behalf through the login page worked fine.

  21. Mikel says:

    Hi Henrik,
    I am using your plugin in my WordPress blogs, great work, thank you!
    There are some simple / stupid questions, I am sure you could explain them in short words:

    1) Can I use _one_ API key for multiple websites, with different domain names?
    Or should I use different keys ?

    2) I am testing the wordpress “multi-site” function with sub-domains.
    Should I use different keys ? Or is the multisite mode not supported ?

    Regards
    Michael

    • Henrik Schack says:

      Hi Michael
      1) Yes, you can use an API key for multiple sites.
      2) I’m not sure if my plugin works in multisite mode, haven’t tried it 🙁

      Best regards
      Henrik Schack

      • Mikel says:

        Henrik,
        I have tested your plugin in Multisite mode for more than two months.
        No problems at all, works fine. Thank YOU !!

        Best regards
        Michael

  22. Josh Surber says:

    Could you patch this to not require the Yubikey when the user is logging in over an API request (such as the Blogger API, XML-RPC request, Atom, etc)? That way mobile apps and other applications that use the API would still work. If you want to be security conscious, hook in a warning on the options page next to the “Enable APIs” box warning that it allows Yubikey security to be overridden.

  23. S says:

    Also looking for multiple Yubikey support. As a website designer it would be so useful. Right now I can only use it for my own personal sites or those I am developing, would like to roll this out so customers could get keys and keep their sites secure once I pass the sites over to them.

  24. Henrik Schack says:

    Are you sharing your account with the customer? That’s a bad idea, give him his own account and let him attach a Yubikey to that instead.

    Best regards
    Henrik Schack

  25. Craig Bowers says:

    I upgraded to WP 3.3 today and notice that the plugin continues to work for existing users that had it setup, but currently new users do not have the Yubikey fields in the account settings.

    Still looking for where the hook-in might be failing.

    Also I had to modify instances of the variable “otp” to “Yotp” in order for it to co-exist with the Google Authenticator Plugin. Perhaps you’ll want to customize that variable a little as well. Once done, a user can choose between the two OTP methods.

  26. Henrik Schack says:

    Hi Craig
    Thank you for the bug report, guess I’ll have to do some fixing sometime soon 🙂

    Best regards
    Henrik Schack

  27. Smokemonkey says:

    The iPad camera connection kit works just fine with Yubikey

  28. Greg Lipschitz says:

    Hi Henrik,

    You have a function in your code commented as:
    “Form handling of Yubikey options on edit profile page (admin user editing other user)”

    When we are logged in to a site as admin, we can see the Yubikey options on the Your Profile Page (profile.php) but when we try and add Yubikey credentials to another user, we do not see these options on the Edit User page (user-edit.php).

    Is there a way to enable only admins to be able to add / remove the Yubikey so that the end user cannot view/remove their Yubikey. We are trying to enforce Yubikey for all of our websites and clients.

    Regards,

    Greg

  29. Uwe says:

    I think adding the Yubikey should be possible for all, but having the ability to delete the Yubikey (on some accounts) only by the admin would be a great thing. The admin could say that on some accounts (employees etc.) the Yubikey is a must have. Great idea but should be possible on an account basis. So users can use it or not but employees must use it 🙂

  30. Uwe says:

    By the way. Maybe it would be a good time to make a pro version for a feature like the “must use Yubikey” option. I think that companies could pay for a plugin like that.
    Am I wrong?

  31. Greg Lipschitz says:

    I’d pay for a plugin if it was developed well with good functionality and was undergoing ongoing development.

    $25/Site, $100/10 Sites, $299/Unlimited Sites? Just to throw a few numbers around.

    Greg

  32. Uwe says:

    Would be ok for me, too.
    But Henrik has to think over that for a pro version there’s no donation.
    Companies need to get a receipt 😉

  33. Henrik Schack says:

    I think I would like to keep things free, actually I’m not sure I’ve ever gotten a donation 🙂
    But thanks Uwe & Greg, I have something to consider regarding functionality now.

    Best regards
    Henrik Schack

  34. oHg5SJYRHA0 says:

    I can’t believe how easy that was!.. thank you

  35. new says:

    I want and it not an option is used just the OTP for authentication.

  36. Rogier says:

    It’s not working for my website…
    I have no idea what to do about the recommended “PHP installation must have the Hash and Curl libs enabled” feature. I am using a modern “Woo” theme.

  37. Rogier says:

    Hi Henrik,
    I am still at a loss why the Yubikey doesn’t work. I even tried a new site with a plain WP Twenty Eleven template. Installed your plugin. Went over to Yubikey and obtained the API. It came back with a 4 digit and a long number below.
    On the login screen in WP I entered the static first 12 digits by pressing the key button.
    Later I tried by adding the API key ? number to these 12 digits. But that did not work either.

    Please help 🙂

  38. Bryon says:

    I have the plugin set up and working but only for one key. I would like to add my second key in as a backup, but in my WordPress install under “Yubikey Plugin Options” I just have the “Yubico API ID” and “Yubico API key”. How do I add in multiple Yubikeys?

  39. St. Brendan says:

    I’m just curious.. I installed Yubikey-Plugin, and it did indeed add the Yubikey box and does work when I enter in my password and OTP. However, I also seem to be able to log in with just my Username/Password. Is this intentional? I thought the point of having the plugin would be to prevent logging in without two-factor? Thank you for clarifying, and providing this plugin 🙂

    • Henrik Schack says:

      Not really sure how you make the plugin behave like that?

      • Tom says:

        It is because he did not enable the KEY for his user profile.

        He just enabled the API and he thinks that operation binds the key to his account.

        Brendan, go in your user profile and add the Yubikey to your user

        right now it is not working in your configuration

        • St. Brendan says:

          Tom, you are absolutely right. That was the problem. It is now successfully working with my WordPress install. Thank you Henrik for such a great plugin, and thank you Tom for clarifying the proper configuration of the plugin.

  40. Scott says:

    I installed your plugin and set everything up correctly. However I have several people who also have keys and when I enable Yubikey for their users they can not seem to login no matter what I try. Seems the password is not correct. I have gone as far as adding their KEY to my profile and when I use their keys everything works for me.

    Does your plugin only support a single user?

    • Uwe says:

      I can confirm that the plugin works for several users with different Yubikeys.
      Can you check the logfiles? Have you checked how your users made it? Did they enter a password AND the Yubikey?

  41. Craig Bowers says:

    I wonder if Uwe’s issue is that he’s installed the plugin and has it enabled for all existing users (whose yubikey fields are blank because the account was created before the Yubikey plugin existed).

    Thus those users won’t be able to login to add their Yubikey.

    Uwe, your fix would be to disable the Yubikey setting in their accounts, but direct them to login and turn it back on, while adding their Yubikeys to the profile settings.
    The Yubikey plugin seems more Self-serve/Configure than Administrator configure.

    Henrik:
    It might be an approach to check if the Yubikey is enabled on an account with empty Yubikey fields. If so prompt them to input their key to update their profile, or send them to update their profile to add keys, or to disable the Yubikey setting on their account.

    As a follow on, it would be very nice if those Yubikey fields could be seen in the account profile by WordPress administrators. I know in our case I’m provisioning accounts in WordPress on behalf of internal users. It would be nice if I could add the Yubikey I’m about to assign them to their WordPress account, without me having to login in as each user to see and set those fields.

    • Uwe says:

      You misunderstand who’s got the problem.
      Not me but Scott 😉
      ok I misunderstood that Scott enabled Yubikey for some users without entering a key – that’s no good idea.
      The ability to change the Yubikey settings by the administrator would be a good thing. I have the same problem when setting up accounts for our internal users.

  42. Tom says:

    Hello,

    Great plugin, but is there a way to ENFORCE wp-users to USE the Yubikey? That would be a great option!

    thanks!

  43. Jess says:

    Hello,

    I really like the plugin, thanks for your work on this.

    One thing I would like to see is the “tab order” on the login page working correctly. The OTP field is one of the last fields to come up in the tab order, though I would expect it to be in this order: Username, Password, YubiKey OTP. I’ve only tried it with Chrome, so it may be my issue, just thought I would point it out.

    For anyone asking if there is a way to enforce users to use the YubiKey, you have to set YubiKey authentication in their profile, along with the key ID.

    Cheers,
    Jess

  44. SKN says:

    Is there any reason why you are not using SSL to connect to the Yubico API server?

    $url="http://api.yubico.com/wsapi/verify?id=".$yubico_api_id."&otp=".$otp;

    I quickly tested by changing to

    $url="https://api.yubico.com/wsapi/verify?id=".$yubico_api_id."&otp=".$otp;

    and it seems to work.

    • Pete S. says:

      HTTPS doesn’t really provide any particularly useful function in the case of this plugin: none of the information being submitted is secret, and the response from the YubiCloud server can be validated by the WordPress plugin using HMAC-SHA1 so bad guys can’t spoof being YubiCloud.

      Using HTTPS incurs a bit of a performance penalty (particularly because the YubiCloud service uses perfect forward secrecy when setting up HTTPS connections, which normally is a good thing!) as a new secure connection needs to be negotiated for each authentication query. In addition, not all web server installations come with the necessary CA certificates bundle for curl; without the correct root certificate a server will be unable to verify the connection to the YubiCloud and would likely result in cryptic (no pun intended) and hard-to-diagnose error messages.

      In short: HTTPS is overkill when the data to be exchanged is not secret and can be verified using HMAC-SHA1. Assuming you have the right CA certs on your web server and the performance penalty isn’t really an issue then wouldn’t hurt to enable it, but it doesn’t really offer any real benefit in this specific situation.

      • Pete S. says:

        Ack! My apologies for the double-post. Please feel free to delete the duplicate message and this comment.
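    Pete S.’s argument above rests on the plugin verifying the HMAC-SHA1 signature on the YubiCloud reply. What that verification consists of under the Yubico validation protocol v2.0, and why it must also compare the echoed otp and nonce with the request that was sent, as an added Python example. This is not the plugin’s code; the API key, OTP and nonce are constructed, and make_signed_response() stands in for the YubiCloud server so the exchange runs offline.

```python
"""YubiCloud verify-response check (Yubico validation protocol v2.0).

Added example, not the plugin's code. The reply is a set of "key=value" lines;
h is base64(HMAC-SHA1(base64decode(api_key), "k1=v1&k2=v2&..." of all other
fields sorted by key)). The API key is the secret obtained in step 2 of the
Howto; API_KEY_B64, SAMPLE_OTP and the nonces below are constructed values.
"""
import base64
import hashlib
import hmac
import secrets

API_KEY_B64 = base64.b64encode(b"constructed-demo-api-key").decode()  # constructed
SAMPLE_OTP = "ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded"  # constructed, 44 modhex chars


def new_nonce() -> str:
    """Fresh random nonce per verify request (protocol: 16-40 alphanumeric chars)."""
    return secrets.token_hex(16)


def parse_response(body: str) -> dict:
    """Parse CRLF-separated 'key=value' lines; split on the first '=' only,
    since the base64 signature in h may itself end in '='."""
    fields = {}
    for line in body.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields


def signing_string(fields: dict) -> str:
    """Every field except h, sorted by key, joined as k=v&k=v."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")


def signature(api_key_b64: str, fields: dict) -> str:
    key = base64.b64decode(api_key_b64)
    mac = hmac.new(key, signing_string(fields).encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def make_signed_response(api_key_b64: str, fields: dict) -> str:
    """Constructed stand-in for the YubiCloud server side: sign and serialise a reply."""
    lines = [f"h={signature(api_key_b64, fields)}"] + [f"{k}={v}" for k, v in fields.items()]
    return "\r\n".join(lines) + "\r\n"


def verify_response(body: str, api_key_b64: str, sent_otp: str, sent_nonce: str):
    """Return (accepted, reason). Accept only a correctly signed status=OK
    that echoes exactly the otp and nonce this login attempt sent."""
    fields = parse_response(body)
    if "h" not in fields:
        return False, "MISSING_SIGNATURE"
    if not hmac.compare_digest(signature(api_key_b64, fields), fields["h"]):
        return False, "BAD_SIGNATURE"
    # A valid signature proves the API-key holder produced the reply; the two
    # comparisons below are what bind that reply to *this* request.
    if fields.get("otp") != sent_otp:
        return False, "OTP_MISMATCH"
    if fields.get("nonce") != sent_nonce:
        return False, "NONCE_MISMATCH"
    if fields.get("status") != "OK":
        return False, fields.get("status", "UNKNOWN_STATUS")
    return True, "OK"


def demo() -> dict:
    """One honest exchange plus the failure modes the checks are there for."""
    nonce = new_nonce()
    server_fields = {"t": "2012-02-02T19:08:49Z0123", "otp": SAMPLE_OTP,
                     "nonce": nonce, "sl": "100", "status": "OK"}
    good = make_signed_response(API_KEY_B64, server_fields)
    rejected = make_signed_response(API_KEY_B64, dict(server_fields, status="REPLAYED_OTP"))
    # Rejection edited to OK on the wire without the API key: signature no longer matches.
    forged = rejected.replace("status=REPLAYED_OTP", "status=OK")
    return {
        "good": verify_response(good, API_KEY_B64, SAMPLE_OTP, nonce),
        "rejected": verify_response(rejected, API_KEY_B64, SAMPLE_OTP, nonce),
        "forged": verify_response(forged, API_KEY_B64, SAMPLE_OTP, nonce),
        # A genuine signed OK from an earlier login, presented again: nonce does not match.
        "stale": verify_response(good, API_KEY_B64, SAMPLE_OTP, new_nonce()),
    }
```

    The signature check alone is what Pete S. describes; the otp and nonce comparisons are the part a reviewer should look for in any plugin that relies on plain HTTP, because without them a correctly signed “status=OK” from an earlier request would pass as the answer to a new one.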

  45. Ashish says:

    I am very new to Yubikey- first time user. In order to make my wordpress login more secure, I downloaded Yubico plugin by Henrik Schack. Configured it by placing my client ID and secret key in the Yubico API ID and Yubico API Key respectively. Also, put in first 12 characters in Key ID 1 of the plugin. After that, my wordpress login screen shows the Yubikey OTP field. But when I enter my username, password and Yubikey OTP, it keep getting the error message that my password is wrong! Now I don’t have access to my wordpress site! Please help.

  46. You are using has_cap() in your code.

    This has been deprecated and is generating error messages in the log files.

  47. Hi! First of all, thanks a million for the app. Pity I can’t find the Options page, as mentioned here http://henrik.schack.dk/wp-content/uploads/2008/07/yubikey-plugin-options.jpg

    I entered the first 12 characters in ‘users’, but from there on I’m stuck.
    Running WP 3.6.1 btw

    Again, thanks!!

  48. sven says:

    Now if only wordpress.com proper would integrate this into the default public offering I could be happier.

  49. marijn says:

    Is it possible to, as site administrator, add keys to other users? I have a site where the admin creates all the client accounts and also wants to add keys to the client accounts.

  50. Are you going to be able to fix this? If not I will release a patched version.

    Notice: has_cap was called with an argument that is deprecated since version 2.0! Usage of user levels by plugins and themes is deprecated. Use roles and capabilities instead. in /var/www/html/wp-includes/functions.php on line 3017
