OTP and Password Authentication is our WordPress plugin that enables you to use one-time passwords to access your WordPress site. It supports a number of free smartphone apps (Google Authenticator, McAfee Pledge, DS3 OATH, AuthWay Token, HDE OTP, and so on) as well as some physical devices.
Most WordPress sites are set up so that one can log in from anywhere at any time. This creates a great opportunity for hackers to guess your password. With your password they’ll take over your blog and fill it with spam messages and articles. See our blog post about the passwords used to attempt access to our almost unknown WordPress site.
Our solution comprises two elements:
S-CRIB OTP Authentication allows you to use one-time passwords. These are passwords that change each time you log in. If someone steals your password, it will not work when they try to use it. At the moment, the plugin implements a counter-based algorithm (OATH HOTP only), but time-based OTPs can be added if you ask for them.
We have also built a strong system for alerting users when someone tries to hack into their website; we will add a link to this system in the next version of the plugin.
One-time passwords (OTPs) replace static passwords that never change with codes that change every time. When you log in with OTPs, you can feel much safer when using insecure networks, internet cafes, and so on. If someone eavesdrops on and records your password, they will not be able to use it again, as it is valid only for one login.
This means that the secret must be stored somewhere in your WordPress system. We encrypt these secrets, but the key is again stored somewhere there. A better option is to use a highly secure authentication system that stores these secrets so that they are not available to whoever gains access to your WordPress.
We have been building a system that can provide this secure storage and we will introduce it within a few months (in Q3 2013). We hope to use one of the hardware security modules (such as SafeNet Luna SA or Utimaco) to protect all your secrets.
It is free. The only cost is if you decide to use a hardware key – Password S-CRIB.
Firstly you have to install the plugin. This should be a straightforward plugin installation that shouldn’t take more than a few minutes (it is actually about three clicks once you have found the plugin).
Secondly you need something that will compute OTP codes/passwords for you.
Then you need to set up your account for OTP. It is really easy for both options we mention here:
If everything went well, you will see the date of OTP registration set to the current date and time.