Yubikey plugin for WordPress

Yubikey This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the Yubikey USB token. The plugin uses the Yubico Web service API in the authentication process.
The one-time password requirement can be enabled on a per user basis.
Your PHP installation must have the Hash and Curl libs enabled, otherwise this plugin won’t work.

Howto:

  1. Buy a Yubikey.
  2. Create a Yubico ID & API Key.
  3. Download, install and activate my Yubikey plugin for WordPress. (goes into wp-content/plugins).
  4. Enter Key ID on the Users -> Profile and Personal options page.
  5. Enter Yubico ID & API key on the Settings -> Yubikey options page.
    Id/key confused ? Well the Key ID is the first 12 chars from the output Your Yubikey generates, they don’t change, the Yubico ID and API Key is used when communicating with the Yubico authentication server.
  6. That’s it, enjoy the looks of Your new loginbox, and try logging in.

History/Changelog

  • 2011-04-14: Styling added to descriptions, thanks to Uwe Moosheimer
  • 2011-04-11: German translation by Uwe Moosheimer added
  • 2011-04-10: Multiple Yubikeys per account now possible, TAB index on registration page fixed.
  • 2009-08-19: Russian translation contributed by M. Comfi
  • 2009-02-09: Plugin has been moved to the official plugin directory
  • 2008-12-13: Minor CSS change, making things look nicer with WordPress 2.7
  • 2008-07-20: API ID & Key moved to a separate optionspage, thanks to Phil Massyn for idea and code.
  • 2008-07-02: Plugin will now fail gracefully if Curl or Hash extensions are missing.
  • 2008-06-25: Initial version

96 kommentarer til “Yubikey plugin for WordPress

  1. borisa siger:
    30. januar 2014 kl. 10:45

    Hello,
    I am Borisa Djuraskovic and I am working for Web Hosting Hub. I red your yubikey-plugin at http://henrik.schack.dk/yubikey-plugin/ and found that very interesting to be translated to Serbo-Croatian. Let me know if you are Ok with that.
    Thank you very much.
    Regards,
    Borisa Djuraskovic

    Svar
  2. Stefan Lehrer siger:
    2. februar 2014 kl. 12:04

    Hi,

    thanks for this great plugin! Would it be possible to support WordPress multisite installations? At the moment, it is just possible to enter the api-key etc. on the individual sites, not the network admin interface.

    Thank you!

    Svar
  3. borisa siger:
    7. februar 2014 kl. 12:14

    Hi,
    A week ago, I asked for your permission to translate your plugin. Since I didn’t get any answer from you, it would be very kind of you to consider my proposal and let me know if its alright to translate it.

    Svar
  4. Kamus Hadenes siger:
    10. marts 2014 kl. 18:10

    Hello!

    I would like to fork your project and keep the development, since it works so well but hasn’t been updated in 3 years. My first idea is to improve it to support the WordPress mobile app (for now I just did a user agent check to avoid using it, but it can be improved to allow only specific devices). Do you allow me to fork it? Thanks!

    Svar
    • Henrik Schack siger:
      10. marts 2014 kl. 18:35

      Hi Kamus
      I have intentionally never implemented support for the mobile app in order to keep the plugin as secure as possible.
      Mobile app support involves removing the requirement for 2 factor authentication in order to publish content.

      If convenience is more important than security there are other 2 factor solutions available that supports what you want.

      Best regards
      Henrik Schack

      Svar
  5. Martin Boyle siger:
    15. april 2014 kl. 19:00

    Hi,

    The link for generating api keys seems to have changed to: https://upgrade.yubico.com/getapikey/

    Regards.

    Svar
    • Martin Boyle siger:
      15. april 2014 kl. 19:03

      Sorry,

      Getting confused with an older web page that had the wrong link.

      Thanks for the plugin, it’s keeping my admin account happy 🙂

      Svar
  6. Anhur siger:
    26. juni 2014 kl. 09:55

    Is it possible to add a custom val-server?

    Svar
  7. Michael siger:
    9. august 2014 kl. 16:27

    Hi Henrik,
    I have used your plugin for a while. The problem I have discovered is when I change the yubikey (ID and key) it still does not let me to log in. I still have to use the old yubikey.
    I have uninstalled and reinstalled the plugin and it looks it still remember the new ID and key, but the yubikey associated with it does not work – the old one does.
    Please advise.
    Best regards,

    Svar
  8. andrew siger:
    17. december 2014 kl. 13:44

    Hello,

    Week ago I have asked for your permission to translate your yubikey-plugin plugin in Spanish and I didn’t hear any from you since. I hope that you will find time to provide the reply, because we believe that the translation would be of a great use.

    All the best,

    Andrew Kurtis
    WebHostingHub
    andrewk@webhostinghub.com

    Svar
  9. Andrei Rachita siger:
    3. januar 2015 kl. 01:49

    Dear sir,

    I’ve used your plugin for quite some months.
    Today, I’ve played with the Yubico personalization tool and generated a new configuration for Yubico OTP.
    After doing this and re-configuring your plugin, I’m not able to login to my WordPress blog anymore.
    I guess something went wrong and some old information is still kept in WordPress’s databases.
    I’ve uploaded the new config to Yubico after reconfiguring the Yubikey and also generated a new app key.

    I’ve tried running:
    DELETE FROM wp_usermeta WHERE user_id= AND meta_key LIKE ‘yubikey%’;

    but it still doesn’t work.

    Any help here would be highly appreciated.

    Svar
    • Henrik Schack siger:
      3. januar 2015 kl. 07:00

      Hello Mr. Rachita
      If you have overwritten the original configuration on your Yubikey I don’t think you’ll be able to use it with my plugin anymore.
      But you can get access to your blog by simply renaming the yubikey plugin directory
      Best regards
      Henrik Schack

      Svar
  10. Marc Freimann siger:
    6. januar 2015 kl. 09:58

    Hello,

    I use your plugin with wordpress 4.1. I am able to create a key and ID and I activated the plugin in WordPress.
    The problem is that for unknown reasons I am still able to login to wordpress (by only using username and password without the OTP).

    I would be really happy if you have any idea.

    BR Marc

    Svar
    • Henrik Schack siger:
      6. januar 2015 kl. 19:23

      Hi Marc
      Hmm strange… 2 questions:

      1) Are you sure you’re trying to login with the useraccount you enabled it on ? (Sorry if you find this a very stupid question .. but it has happened to others)

      2) Are you using any other security related plugins ?

      Best regards
      Henrik Schack

      Svar
      • Marc Freimann siger:
        7. januar 2015 kl. 21:49

        Hello Henrik,

        thank you very very much for your feedback.

        About your questions:

        (1) I am the only wordpress user on the system but I forgot to active it for this single user.
        After I activated it, all worked perfect. Thank you very much.

        BR Marcus

        Svar
  11. Björn siger:
    19. november 2015 kl. 15:50

    Hello Henrik,

    I can’t authenticate with Version 4.3.1 from wordpress.

    The API Call was successfully, but the yubikey_check_otp function doesn’t work somehow.

    I tried to debug it:

    if ($yubikeyserver==’yubico’) {
    // Does keyid match ?
    if (strtoupper($yubikey_key_id)!=strtoupper($keyid) && strtoupper($yubikey_key_id2)!=strtoupper($keyid) && strtoupper($yubikey_key_id3)!=strtoupper($keyid)) {
    return false;
    }
    // is OTP valid ?
    if (yubikey_verify_otp($otp,$yubico_api_id,$yubico_api_key)) {
    if ($user) {
    shell_exec(“echo user_is_set >> /tmp/foobar.txt”);
    }
    return $user;
    } elseif ($yubico_api_key2 !=” && yubikey_verify_otp($otp,$yubico_api_id,$yubico_api_key2)) {
    shell_exec(“echo 1 >> /tmp/foobar.txt”);
    return $user;
    } elseif ($yubico_api_key3 !=” && yubikey_verify_otp($otp,$yubico_api_id,$yubico_api_key3)) {
    shell_exec(“echo 2 >> /tmp/foobar.txt”);
    return $user;
    } else {
    shell_exec(“echo 3 >> /tmp/foobar.txt”);
    return false;
    }
    }
    return $user;

    cat /tmp/foobar.txt
    user_is_set
    3

    I don’t get it 🙁

    Another question would why I can enable the yubico server just in one profile only?

    Cheers
    Björn

    Svar
  12. Konstantin siger:
    15. maj 2017 kl. 18:07

    Yubikey-plugin doesn’t seems to be compatible with WordPress installations using Bedrock’s https://roots.io/bedrock/ bcrypt-password storage.

    I recently tried to use it in a bedrock-wordpress-installation and got locked out after activating the yubikey inside the plugin

    Svar
  13. GERARD BENNET siger:
    7. juni 2017 kl. 10:46

    I am logging into my WordPress site from my iPad for the first time. There is no USB slot so I cannot use my yubikey for authentication. If I leave the yubikey field blank, it will not allow me to proceed.

    How can I get past this??

    Svar
  14. Max siger:
    14. december 2018 kl. 10:36

    Hi Henrik,

    it seems the plugin will stop working soon, Details see here: https://status.yubico.com/2018/11/26/deprecating-yubicloud-v1-protocol-plain-text-requests-and-old-tls-versions/

    Cheers,
    Max

    Svar
    • Max siger:
      14. december 2018 kl. 11:42

      Fixed it with the following modifikation …

      function yubikey_verify_otp($otp,$yubico_api_id,$yubico_api_key){

      //Pure PHP Yubicloud class 4.3.2.1 from https://developer.sysco.ch/php/
      require_once(‘yubicloud.class.php’);
      $yubicloud = new Yubicloud($yubico_api_id, $yubico_api_key);
      $result = $yubicloud->checkOnYubiCloud($otp);
      if($result==”OK”)
      {
      return true;
      }
      else
      {
      return false;
      }

      /*
      $url=”http://api.yubico.com/wsapi/verify?id=”.$yubico_api_id.”&otp=”.$otp;

      Svar

Skriv et svar

Din e-mailadresse vil ikke blive publiceret. Krævede felter er markeret med *