This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the Yubikey USB token. The plugin uses the Yubico Web service API in the authentication process.
The one-time password requirement can be enabled on a per user basis.
Your PHP installation must have the Hash and Curl libs enabled, otherwise this plugin won’t work.
Howto:
- Buy a Yubikey.
- Create a Yubico ID & API Key.
- Download, install and activate my Yubikey plugin for WordPress. (goes into wp-content/plugins).
- Enter Key ID on the Users -> Profile and Personal options page.
- Enter Yubico ID & API key on the Settings -> Yubikey options page.
Confused about which is which? The Key ID is the first 12 characters of the output your Yubikey generates; it never changes. The Yubico ID and API Key are used when communicating with the Yubico authentication server.
- That’s it, enjoy the looks of your new login box, and try logging in.
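To make the Key ID remark concrete, here is an added example (my own Python, not code from the plugin) of what a Yubikey OTP looks like and how the per-user Key ID check works: the first 12 modhex characters are the key’s fixed public ID, the remaining 32 are the single-use encrypted part that only the Yubico service can validate. Function names and the sample OTP are constructed for the example.

```python
# Added example (not part of the plugin): structure of a YubiKey OTP and the
# plugin-style "Key ID" check. The first 12 modhex characters of every OTP
# the key emits are its fixed public ID; the remaining 32 are the AES-encrypted
# single-use part that only the Yubico validation service can check.
import re

MODHEX_ALPHABET = "cbdefghijklnrtuv"          # modhex digit i is MODHEX_ALPHABET[i]
_MODHEX_RE = re.compile(r"^[cbdefghijklnrtuv]+$")
PUBLIC_ID_LEN = 12                            # YubiCloud-registered keys use 12-char IDs
OTP_BODY_LEN = 32                             # 16 AES bytes = 32 modhex chars


def split_otp(otp):
    """Normalise an OTP and return (public_id, ciphertext).

    Raises ValueError for anything that is not a well-formed YubiKey OTP, so a
    caller never compares a garbage string against the registered key IDs.
    """
    otp = otp.strip().lower()
    if not _MODHEX_RE.fullmatch(otp):
        raise ValueError("OTP contains characters outside the modhex alphabet")
    if len(otp) != PUBLIC_ID_LEN + OTP_BODY_LEN:
        raise ValueError(
            f"expected {PUBLIC_ID_LEN + OTP_BODY_LEN} modhex chars, got {len(otp)}")
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


def modhex_decode(text):
    """Decode modhex to raw bytes (two modhex chars per byte)."""
    if len(text) % 2:
        raise ValueError("modhex strings have even length")
    out = bytearray()
    for i in range(0, len(text), 2):
        hi = MODHEX_ALPHABET.index(text[i])
        lo = MODHEX_ALPHABET.index(text[i + 1])
        out.append(hi * 16 + lo)
    return bytes(out)


def key_id_matches(otp, registered_ids):
    """Mirror the plugin's check: the OTP's public ID must equal one of the key
    IDs stored on the user's profile, compared case-insensitively; empty slots
    (a profile with fewer than three keys) never match."""
    public_id, _ = split_otp(otp)
    return any(public_id == rid.strip().lower() for rid in registered_ids if rid)


# Constructed sample OTP: public ID "ccccccbcdefg" followed by a 32-char body.
SAMPLE_OTP = "ccccccbcdefg" + "hijklnrtuvcbdefghijklnrtuvcbdefg"

if __name__ == "__main__":
    pid, body = split_otp(SAMPLE_OTP)
    print("public id:", pid, "->", modhex_decode(pid).hex())
    print("matches profile:",
          key_id_matches(SAMPLE_OTP, ["CCCCCCBCDEFG", "", "vvvvvvvvvvvv"]))
```

The Key ID check alone proves nothing about possession of the key, since the public ID is printed in every OTP the key has ever emitted; it only selects which registered key a login attempt claims, and the OTP body still has to be sent to the Yubico service for the actual one-time check.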
History/Changelog
- 2011-04-14: Styling added to descriptions, thanks to Uwe Moosheimer
- 2011-04-11: German translation by Uwe Moosheimer added
- 2011-04-10: Multiple Yubikeys per account now possible, TAB index on registration page fixed.
- 2009-08-19: Russian translation contributed by M. Comfi
- 2009-02-09: Plugin has been moved to the official plugin directory
- 2008-12-13: Minor CSS change, making things look nicer with WordPress 2.7
- 2008-07-20: API ID & Key moved to a separate options page, thanks to Phil Massyn for idea and code.
- 2008-07-02: Plugin will now fail gracefully if Curl or Hash extensions are missing.
- 2008-06-25: Initial version
Hello,
I am Borisa Djuraskovic and I am working for Web Hosting Hub. I read your yubikey-plugin at http://henrik.schack.dk/yubikey-plugin/ and found it very interesting to be translated to Serbo-Croatian. Let me know if you are OK with that.
Thank you very much.
Regards,
Borisa Djuraskovic
Hi,
thanks for this great plugin! Would it be possible to support WordPress multisite installations? At the moment, it is just possible to enter the API key etc. on the individual sites, not in the network admin interface.
Thank you!
Hi,
A week ago, I asked for your permission to translate your plugin. Since I didn’t get any answer from you, it would be very kind of you to consider my proposal and let me know if it’s all right to translate it.
Yes please, go ahead, but please don’t change any URLs.
Best regards
Henrik Schack
Hello!
I would like to fork your project and keep the development, since it works so well but hasn’t been updated in 3 years. My first idea is to improve it to support the WordPress mobile app (for now I just did a user agent check to avoid using it, but it can be improved to allow only specific devices). Do you allow me to fork it? Thanks!
Hi Kamus
I have intentionally never implemented support for the mobile app in order to keep the plugin as secure as possible.
Mobile app support involves removing the requirement for 2 factor authentication in order to publish content.
If convenience is more important than security there are other 2 factor solutions available that support what you want.
Best regards
Henrik Schack
Hi,
The link for generating api keys seems to have changed to: https://upgrade.yubico.com/getapikey/
Regards.
Sorry,
Getting confused with an older web page that had the wrong link.
Thanks for the plugin, it’s keeping my admin account happy 🙂
Is it possible to add a custom val-server?
Hi Henrik,
I have used your plugin for a while. The problem I have discovered is that when I change the yubikey (ID and key) it still does not let me log in. I still have to use the old yubikey.
I have uninstalled and reinstalled the plugin and it looks like it still remembers the new ID and key, but the yubikey associated with it does not work – the old one does.
Please advise.
Best regards,
Hello,
A week ago I asked for your permission to translate your yubikey-plugin plugin into Spanish and I haven’t heard anything from you since. I hope that you will find time to reply, because we believe that the translation would be of great use.
All the best,
Andrew Kurtis
WebHostingHub
andrewk@webhostinghub.com
Hi
Sure you can translate it.
But please don’t replace any of my URLs with your own.
Best regards
Henrik Schack
Dear sir,
I’ve used your plugin for quite some months.
Today, I’ve played with the Yubico personalization tool and generated a new configuration for Yubico OTP.
After doing this and re-configuring your plugin, I’m not able to login to my WordPress blog anymore.
I guess something went wrong and some old information is still kept in WordPress’s databases.
I’ve uploaded the new config to Yubico after reconfiguring the Yubikey and also generated a new app key.
I’ve tried running:
DELETE FROM wp_usermeta WHERE user_id= AND meta_key LIKE 'yubikey%';
but it still doesn’t work.
Any help here would be highly appreciated.
Hello Mr. Rachita
If you have overwritten the original configuration on your Yubikey I don’t think you’ll be able to use it with my plugin anymore.
But you can get access to your blog by simply renaming the yubikey plugin directory
Best regards
Henrik Schack
Hello Mr. Schack,
Thanks a lot for your quick reply.
Best regards,
Andrei Rachita
Hello,
I use your plugin with wordpress 4.1. I am able to create a key and ID and I activated the plugin in WordPress.
The problem is that for unknown reasons I am still able to log in to wordpress (by only using username and password without the OTP).
I would be really happy if you have any idea.
BR Marc
Hi Marc
Hmm strange… 2 questions:
1) Are you sure you’re trying to log in with the user account you enabled it on? (Sorry if you find this a very stupid question .. but it has happened to others)
2) Are you using any other security related plugins ?
Best regards
Henrik Schack
Hello Henrik,
thank you very very much for your feedback.
About your questions:
(1) I am the only wordpress user on the system but I forgot to activate it for this single user.
After I activated it, all worked perfect. Thank you very much.
BR Marcus
Hello Henrik,
I can’t authenticate with Version 4.3.1 from wordpress.
The API call was successful, but the yubikey_check_otp function doesn’t work somehow.
I tried to debug it:
    if ($yubikeyserver == 'yubico') {
        // Does keyid match ?
        if (strtoupper($yubikey_key_id) != strtoupper($keyid)
            && strtoupper($yubikey_key_id2) != strtoupper($keyid)
            && strtoupper($yubikey_key_id3) != strtoupper($keyid)) {
            return false;
        }
        // is OTP valid ?
        if (yubikey_verify_otp($otp, $yubico_api_id, $yubico_api_key)) {
            if ($user) {
                shell_exec("echo user_is_set >> /tmp/foobar.txt");   // debug marker
            }
            return $user;
        } elseif ($yubico_api_key2 != '' && yubikey_verify_otp($otp, $yubico_api_id, $yubico_api_key2)) {
            shell_exec("echo 1 >> /tmp/foobar.txt");   // debug marker: matched 2nd API key
            return $user;
        } elseif ($yubico_api_key3 != '' && yubikey_verify_otp($otp, $yubico_api_id, $yubico_api_key3)) {
            shell_exec("echo 2 >> /tmp/foobar.txt");   // debug marker: matched 3rd API key
            return $user;
        } else {
            shell_exec("echo 3 >> /tmp/foobar.txt");   // debug marker: no key verified the OTP
            return false;
        }
    }
    return $user;
cat /tmp/foobar.txt
user_is_set
3
I don’t get it 🙁
Another question would be why I can enable the yubico server in one profile only?
Cheers
Björn
I’m also having problems with the plugin authenticating my key now. Any news on this?
Yubikey-plugin doesn’t seem to be compatible with WordPress installations using Bedrock’s https://roots.io/bedrock/ bcrypt password storage.
I recently tried to use it in a Bedrock WordPress installation and got locked out after activating the yubikey inside the plugin.
I am logging into my WordPress site from my iPad for the first time. There is no USB slot so I cannot use my yubikey for authentication. If I leave the yubikey field blank, it will not allow me to proceed.
How can I get past this??
Hi Henrik,
it seems the plugin will stop working soon, details here: https://status.yubico.com/2018/11/26/deprecating-yubicloud-v1-protocol-plain-text-requests-and-old-tls-versions/
Cheers,
Max
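The deprecation notice linked above retires the v1 validation protocol, plain-text (HTTP) requests and old TLS versions. What a v2 verification looks like, as an added example in Python (my own code, not the plugin’s and not Yubico’s library): the request goes to the HTTPS v2 endpoint carrying a nonce and an HMAC-SHA1 signature, and the response is accepted only if its own signature checks out under the API key, it echoes the OTP and nonce that were sent, and the status is OK. The API ID, API key, sample OTP and the stand-in server response are all constructed for the example.

```python
# Added example (not part of the plugin): the YubiCloud v2 "verify" exchange
# that replaces the deprecated plain-text v1 request. The request is signed,
# and the response signature, OTP echo and nonce echo are checked before the
# status field is trusted.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"   # HTTPS, v2 endpoint

# Constructed demo credentials; a real API key is the base64 string Yubico issues.
DEMO_API_ID = "12345"
DEMO_API_KEY = base64.b64encode(b"constructed-demo-key-0000").decode()

# Constructed sample OTP (12-char public ID + 32-char body).
SAMPLE_OTP = "ccccccbcdefg" + "hijklnrtuvcbdefghijklnrtuvcbdefg"


def sign_fields(fields, api_key_b64):
    """HMAC-SHA1 over 'k=v' pairs sorted by key and joined with '&', skipping
    any existing 'h'; the digest is base64-encoded, as the v2 API specifies."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    digest = hmac.new(key, message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_verify_request(api_id, api_key_b64, otp, nonce=""):
    """Return (url, nonce). The random nonce binds the reply to this request."""
    nonce = nonce or secrets.token_hex(16)          # 32 hex chars, within the 16..40 limit
    params = {"id": api_id, "otp": otp, "nonce": nonce}
    params["h"] = sign_fields(params, api_key_b64)  # signed request
    return VERIFY_URL + "?" + urlencode(params), nonce


def parse_response(body):
    """The service answers with one 'key=value' per line."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k] = v
    return fields


def verify_response(body, api_key_b64, sent_otp, sent_nonce):
    """Accept only a response signed with our key that echoes the OTP and
    nonce we sent and reports status=OK; anything else is a failed login."""
    fields = parse_response(body)
    expected = sign_fields(fields, api_key_b64)
    if not hmac.compare_digest(expected, fields.get("h", "")):
        return False                                  # forged or tampered response
    if fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce:
        return False                                  # reply belongs to another request
    return fields.get("status") == "OK"


def demo_server_response(otp, nonce, status, api_key_b64):
    """Constructed stand-in for the YubiCloud server so the example runs offline."""
    fields = {"t": "2019-01-01T00:00:00Z0000", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = sign_fields(fields, api_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in fields.items())


if __name__ == "__main__":
    url, nonce = build_verify_request(DEMO_API_ID, DEMO_API_KEY, SAMPLE_OTP)
    print("would GET:", url)
    good = demo_server_response(SAMPLE_OTP, nonce, "OK", DEMO_API_KEY)
    print("genuine OK response accepted:",
          verify_response(good, DEMO_API_KEY, SAMPLE_OTP, nonce))
    tampered = good.replace("status=OK", "status=REPLAYED_OTP")
    print("status edited in transit rejected:",
          not verify_response(tampered, DEMO_API_KEY, SAMPLE_OTP, nonce))
```

The response signature is what makes the HTTPS move matter less than it seems: even over a clean channel, a client that only looks for the substring "status=OK" can be fooled by anything that can answer the request, whereas checking `h` under the API key and matching the echoed `otp` and `nonce` ties the answer to the exact OTP being validated.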
Fixed it with the following modification …
    function yubikey_verify_otp($otp, $yubico_api_id, $yubico_api_key) {
        // Pure PHP Yubicloud class 4.3.2.1 from https://developer.sysco.ch/php/
        require_once('yubicloud.class.php');
        $yubicloud = new Yubicloud($yubico_api_id, $yubico_api_key);
        $result = $yubicloud->checkOnYubiCloud($otp);
        if ($result == "OK") {
            return true;
        } else {
            return false;
        }
        /*
        $url = "http://api.yubico.com/wsapi/verify?id=" . $yubico_api_id . "&otp=" . $otp;