One of the risks in running a website on any content management system is that it makes your site easier for an attacker to deface if they gain access to your administrative CMS login. People often pick easy-to-guess passwords, use the standard default usernames (such as admin), or hand out admin access to many members of their organization to avoid having to deal with limited access.
There are many common solutions for this: changing the admin username, hiding login URLs, and picking complicated passwords. Danish developer Henrik Schack has authored several security plugins for WordPress supporting various two-factor authentication systems, and has recently released Google Authenticator for WordPress to support Google’s two-factor one-time-pad system.
What is Two Factor Authentication?
Two-factor authentication requires the use of two different systems to prove the user’s identity. Passwords represent the first factor: “what you know”. Biometrics and tokens represent the other factors, “who you are” and “what you have”. You can combine these with your username/password to give two or three levels of verification of your identity. Examples of tokens would be mag stripe cards, smart cards, hardware tokens, and digital certificates. These tokens are expensive to buy and deploy, and subject to damage and loss. Biometrics such as fingerprints and retina scans are even more difficult to use, and installing biometric readers on many computers to support multiple users further drives up cost.
Mr. Schack’s plugin uses Google’s virtual token software, “Google Authenticator”, to let your BlackBerry, Android or iOS device (iPhone, iPod Touch or iPad) act as a virtual token to secure your WordPress login.
Virtual One Time Pad Tokens
The virtual one-time pad tokens offer a cost-effective way to use your existing mobile device as the “what you have” factor. The screen on the device displays a six digit code that changes every minute. By combining this time based code with your username and password, you benefit from two factor authentication. Someone who learns your password will no longer be able to use it on its own, and someone who has your device can’t use it without your username and password. PayPal and eBay use similar systems from Verisign to secure their merchants’ accounts. Google Authenticator is a “virtual” token because, unlike the PayPal token, it consists completely of software running on a device you already have and does not force you to buy and carry an extra key.
The plugin is easy to install, but requires some specific cryptographic functions from your PHP configuration. Specifically, the system uses both the SHA-1 and SHA-256 cryptographic hashes, which are part of the US Federal Information Processing Standard (FIPS) developed by the NSA. If you’re not sure whether your host provides this functionality, you can check your PHP runtime by using the phpinfo() function to display which hashing engines are present. The plugin will not install without both hash functions available.
If your PHP does not include these two hash functions, please refer to your system administrator or see the Mhash section of the PHP manual for configuration and installation details.
You do not need a Gmail or Google account to use this system. Google wrote the software for your device, but it does not communicate with or use any Google resources.
After you install and activate the plugin, it will add a new section to your user profile, allowing you to turn the feature on or off on a user-by-user basis, and help you configure it on your phone.
The description is the name the entry will show up under on your mobile device, so be sure to use something descriptive but short enough to fit comfortably on your mobile’s display. The Google Authenticator software will let you rename the entry easily once you set it up, so a mistake here is not a problem. Generally, though, if you have more than one of these you want to name them differently.
Once you enter the description and click the active check box, the panel will display a secret and a QR code.
Upon logging in, your WordPress login screen will display a new field.
You can find installation instructions here. Click the name of your device below to install the software on your phone or tablet.
If your device does not have a camera (iPad for example), you can manually enter the secret into your mobile as a “time based” key. Do not share this secret with anyone. If you have more than one device to set up, you can enter the same secret in multiple devices and use them interchangeably.
For those with a camera, it’s even simpler. You can just scan the QR code into any device you want to use with its camera, and it will enter the code and the descriptive name for you.
Developers can find reference source code for the project as well as links to support for PAM modules and other systems. The project is under the Apache 2.0 license.
I’m Locked Out!
If for some reason you end up locked out of your WordPress account, don’t panic: you can easily regain access. FTP or SSH into your server and remove the plugin named “google-authenticator” from your plugins directory. This will disable the feature and let you log in again with just your username and password.
A Note on Time
If you have properly configured both your WordPress plugin and your device and still cannot log in, you may be suffering from a time-keeping issue.
The Google Authenticator system relies on accurate time keeping on both the server and the device you carry. PC clocks suffer from what’s called “drift” and slowly become more and more inaccurate unless they are re-calibrated periodically against a reliable time source such as an atomic clock. Computers on a network can be configured to use NTP to synchronize their internal clocks. Please speak with your network administrator to ensure NTP is set up properly on your server to keep its clock accurate. Most mobile devices will also synchronize their time from the phone network automatically.
Wifi-only iPads and iPods unfortunately must be set by hand, as they do not have a mobile network to sync to. Unfortunately Apple does not permit their clocks to be synced either by iTunes or by software on the device, for security reasons.
Still struggling or have questions? You can contact me at firstname.lastname@example.org