Friday, November 24, 2017

UNLOQ Two Factor Authentication WordPress Plugin

UNLOQ two factor authentication through push notifications

A website's login page is like the door to your house: you don't think it will actually be cracked, so you go with the average protection. That is, until one day you regret your decision. You can add more locks on your doors, and you can also add more verification layers to your authentication, hence two factor authentication, or 2FA.

WordPress is the most popular publishing platform, used by bloggers and by small and large businesses alike. Its popularity is partly due to its flexibility, allowing the use of third-party plugins and themes which provide infinite website possibilities. All is great up to this point, but this enormous flexibility also brings along huge vulnerabilities.

As mentioned, the login page is the first gate to hacking a website. The traditional way of protecting it is through passwords, but they have proven to be extremely weak and defenceless in the face of brute-force attacks, keylogging and phishing.

Password reuse is an "internal" vulnerability, as users tend to recycle passwords and use them for more than one online account (if you're curious to see if your password was hacked, you can check haveibeenpwned.com).

Taking all these vulnerabilities into account, passwords are no longer recommended for safeguarding accounts and data, being replaced by two factor authentication (2FA) or multi-factor authentication (MFA).

These authentication mechanisms add one or more extra layers of security, requiring the person attempting to log in to confirm their identity with more than just a simple password.

Two factor authentication adoption by the general public is relatively slow, mostly caused by the perception that it takes more time and is difficult to use. This is why a smooth user experience is so important in eliminating reluctance to new technologies, and helping users see the global advantage of a more secure authentication mechanism.

Two factor authentication for WordPress

With user convenience in mind, the guys at UNLOQ have created an updated, more user-friendly version of their WordPress plugin. Version 2.x of the two factor authentication plugin brings new security features, along with full login page customisation options, in a natural user experience. The greatest advantages that the plugin brings are:

  • Fast and easy to install.
  • Flexibility in setting an authentication mechanism: login can be performed exclusively through their widget, with the widget as a second factor, or, if need be, with passwords.
  • The ability to disable the default WordPress login URL altogether, or use 2 different login paths: one using the plugin, and the other one using the WP classical login page using username & password.
  • Full login page customisation, allowing you to set your brand's colours and images and making other page customisation plugins obsolete.

How to add the UNLOQ 2FA plugin to WordPress

    Version 2.x of the two factor authentication plugin is a major upgrade from the previous one, 1.x, allowing anybody to install and set it up in under 1 minute. In addition to this, everything is done from within the plugin, without requiring users to leave the WordPress dashboard to create an account and configure it.

    UNLOQ WordPress Plugin Landing Page

    Installing and setting up the plugin

    Installation requires you to be the admin of that WP website, and be logged in as such. After searching for the plugin in the database, installing and activating it, you will be asked to insert your e-mail address. Keep in mind that you need to insert your admin e-mail address in order for the installation to be successful.

    After inserting your admin e-mail address, you'll receive an activation code via e-mail, which you will need to copy and paste at the next step.

    unloq verification code

    That's pretty much it. Installation is extremely simple for this plugin.

    Here's a video with the installation process:

    Authentication settings

    To set up the two factor authentication (2FA) flow, you need to go to the Settings tab. You can also set custom messages for the push notification and login request:

    UNLOQ plugin authentication settings

    A cool feature is that you can disable the default WordPress authentication URL (wp-admin), as it is insecure and doesn't do anyone a favour. I'll just keep the UNLOQ login URL (which can also be customised).

    UNLOQ plugin authentication settings login page

    I'm going with 2FA all the way and just leaving the plugin to handle the whole login mechanism. I have selected all 3 options that the plugin has: push notifications, TOTP and email:

    UNLOQ plugin authentication settings authentication type

    Customisation

    In the customise tab of the plugin, you can change the colours for the login widget, push notification buttons as well as the application colours. Also, you can upload custom logos and background images that will be displayed on the login page and in the mobile app:

    UNLOQ plugin login page customisation

    I tested to see how it works with a custom background, so this is what it would look like:

    UNLOQ custom login page

    Logging in with two factor authentication

    In order to use the 2FA plugin you need to download the authentication mobile app, which you can protect with a PIN, a PIN or fingerprint, or a PIN and fingerprint. Basically, before you can approve or deny a login request, you need to "log in" to the app first:

    UNLOQ mobile app fingerprint

    For my site I have chosen to log in with push notifications, so to log in I need to confirm the request I get on my phone:

    UNLOQ mobile app push notification

    It is not very often that a security plugin for WordPress makes users' experience easier, and this 2FA plugin has achieved that through all its security, customisation and usability features. It combines into one plugin features that would otherwise require the installation of at least 3 different plugins. It is definitely worth testing by anyone looking to secure their own or their client's WP site.

    The plugin is a keeper, and the team at UNLOQ have done a good job in upgrading their WordPress plugin. There's also detailed documentation of the plugin available here.

    About Elena Leu

    Elena is a digital marketer for UNLOQ.io. She has been working in online marketing since 2013, focusing on developing brand awareness, blogging and growth hacking, with a soft spot for analytics.


    Source: UNLOQ Two Factor Authentication WordPress Plugin