OTP and Password Authentication – WordPress Plugin

OTP and Password Authentication is our WordPress plugin that lets you use one-time passwords to access your WordPress site. It supports a number of free smartphone apps (Google Authenticator, McAfee Pledge, DS3 OATH, AuthWay Token, HDE OTP, and so on) as well as some physical devices.

The Problem

Most WordPress sites are set up so that anyone can attempt a login from anywhere at any time. This gives attackers an unlimited opportunity to guess your password, and with your password they take over your blog and fill it with spam posts and articles. See our blog post about the passwords used in attempts to access our almost unknown WordPress site.

Our Solution

Our solution comprises two elements:

  1. Something better than passwords that you have to remember.
  2. Tools that inform you when someone attacks your website.

S-CRIB OTP Authentication allows the use of one-time passwords: passwords that change each time you log in. If someone steals your password, it will not work when they try to use it. At the moment the plugin implements the counter-based algorithm (OATH HOTP only), but time-based OTPs can be added if you ask for them.

We have also built a strong system for alerting users when someone tries to break into their website; we will add a link to this system in the next version of the plugin.

How does OTP help?

One-time passwords (OTPs) replace static passwords, which never change, with codes that change every time. When you log in with OTPs you can feel much safer on insecure networks, in internet cafes, and so on. If someone listens in and records your password, they will not be able to use it again, as it is valid for one login only.

Weakness of OTP

OTP codes are computed from a secret shared between your authentication device (a hardware dongle like our Password S-CRIB, or an application like Google Authenticator) and your WordPress site.

This means that the secret must be stored somewhere in your WordPress system. We encrypt these secrets, but the encryption key is again stored in the same place. A better option is a highly secure authentication system that stores these secrets so that they are not available to whoever gains access to your WordPress installation.

We have been building a system that can provide this secure storage and we will introduce it within a few months (in Q3 2013), hopefully using a hardware security module (such as a SafeNet Luna SA or Utimaco) to protect all your secrets.

Plugin Specification

  • Supported standards: OATH HOTP (RFC 4226) and OATH TOTP (RFC 6238); OTP lengths 6, 7 and 8 digits.
  • Secret length: up to 384 bits.
  • Secret protection: AES-256 with a unique random key stored in the WordPress instance.
  • Lockout policy: 3-5 failed logons – 1 minute back-off; 6-10 failed logons – increasing back-off periods of 10, 20, 30, 40 and 50 minutes; more than 10 failed logons block the OTP. This does not work, as it locks everyone out very quickly.
  • Security policy 1: an additional OTP code is required after 5 unsuccessful logins (6-digit OTPs) or after 10 unsuccessful logins (8-digit OTPs).
  • Security policy 2: passwords shorter than 8 characters must be typed twice (this should annoy users enough that they start using better passwords, at the very least).
  • Standard password authentication is preserved; if you want to disable it, set your static password to something long, random and unpredictable.

How Much Does It Cost?

It is free. The only cost is if you decide to use a hardware key – Password S-CRIB.

How To

First you have to install the plugin. This is a straightforward plugin installation that shouldn't take more than a few minutes (it is actually about three clicks once you have found the plugin).

Second, you need something that will compute the OTP codes/passwords for you.

  • We sell a hardware dongle (Password S-CRIB) if you would like a key in your pocket.
  • Or just download an app for your smartphone: the plugin currently supports Google Authenticator, which is what we tested the plugin against. There are a number of other smartphone apps, most of them free.

Then you need to set up your account for OTP. It is really easy for both of the options mentioned here:

  • Log in to your account.
  • Open your profile – hover over your name in the top right corner with the mouse and select Edit My Profile.
  • Find the S-CRIB OTP Authentication section on the page.
  • Password S-CRIB
    • Set the cursor in the box for a new secret.
    • Press and hold the Green button and one of the Black buttons.
    • Press the Green button again.
    • Set the OTP length to 8.
    • Set the cursor in the First OTP text box and press the Green button twice.
  • Google Authenticator
    • Open the Google Authenticator app on your mobile phone.
    • Tap the Plus sign at the bottom.
    • Tap “Scan Barcode”.
    • Point the camera at the barcode and wait until it is accepted.
    • Set the OTP length to 6.
    • Type the first OTP code as shown by the Google Authenticator app.
  • Set your PIN – you have to remember this and type it each time you want to log in.
  • Submit the page.
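The barcode that Google Authenticator scans in the steps above carries the shared secret. As an added example (not the plugin's own code, which the page does not show), this block builds and parses the standard `otpauth://` Key URI that Google Authenticator and compatible apps accept, generating the seed from the OS random source, base32-encoding it without padding, and validating the OTP length against the 6/7/8-digit range in the plugin specification. The `new_otp_secret`, `otpauth_uri` and `parse_otpauth_uri` names and the 20-byte default seed size are assumptions for illustration.

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse


def new_otp_secret(nbytes: int = 20) -> bytes:
    """Fresh seed from the OS CSPRNG. 20 bytes (160 bits) is the RFC 4226
    recommended minimum; the plugin's stated maximum is 384 bits (48 bytes)."""
    if not 16 <= nbytes <= 48:
        raise ValueError("seed must be between 128 and 384 bits")
    return secrets.token_bytes(nbytes)


def otpauth_uri(issuer: str, account: str, secret: bytes, kind: str = "hotp",
                digits: int = 6, counter: int = 0, period: int = 30) -> str:
    """Key URI that authenticator apps read from a QR code. The secret travels
    base32-encoded without '=' padding; the label is 'issuer:account',
    percent-encoded so that ':' and '@' survive inside the path."""
    if kind not in ("hotp", "totp"):
        raise ValueError("kind must be 'hotp' or 'totp'")
    if digits not in (6, 7, 8):
        raise ValueError("OTP length must be 6, 7 or 8 digits")
    params = {
        "secret": base64.b32encode(secret).decode("ascii").rstrip("="),
        "issuer": issuer,
        "digits": digits,
    }
    if kind == "hotp":
        params["counter"] = counter     # initial counter the device starts from
    else:
        params["period"] = period       # time step in seconds for TOTP
    label = quote(f"{issuer}:{account}", safe="")
    return f"otpauth://{kind}/{label}?{urlencode(params)}"


def parse_otpauth_uri(uri: str) -> dict:
    """Inverse of otpauth_uri: what the phone app does after scanning.
    Re-adds the base32 padding that the URI form strips."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("hotp", "totp"):
        raise ValueError("not an otpauth URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0]
    b32 += "=" * (-len(b32) % 8)
    return {
        "kind": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "counter": int(q["counter"][0]) if "counter" in q else None,
        "period": int(q["period"][0]) if "period" in q else None,
    }


if __name__ == "__main__":
    # Constructed enrolment: the RFC 4226 ASCII test key as the seed.
    uri = otpauth_uri("Example Blog", "alice", b"12345678901234567890")
    print(uri)
    print(parse_otpauth_uri(uri))
```

Because the URI contains the seed in the clear, it should only ever be shown once, over HTTPS, at enrolment; the server stores the seed (encrypted, as the plugin does) and never displays it again.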

If everything went all right, you will see the date of OTP registration set to the current date and time.