Passwordless authentication represents a new trend in secure authentication. Aptly named, it addresses the persistent weakness of passwords, a concern for every user and every administrator striving to strengthen the security of WordPress logins. In fact, 81% of breaches occur because of weak or stolen passwords, which makes passwords the primary target of cybercriminals.
Passwords are a burden on IT departments in several ways. First, the organization has to store them securely; failing to do so can result in a breach with a dramatic, years-long impact on profit, stock value and reputation. Password holders have to take care of their passwords as well, and the resets this generates flood technical support services.
So organizations have good reasons to want to get rid of passwords and switch to passwordless authentication.
WordPress itself does ship with a built-in safeguard: the WordPress secret keys, which protect your login information in encrypted form so that attackers cannot read your passwords in plaintext even if they somehow gain access to your database.
Passwordless authentication, also called passwordless login, is defined as a method of verifying a user’s identity without the user having to provide a password. It is not a product or technology per se, unlike two-factor authentication (2FA) or single sign-on (SSO); it is a desired goal or effect.
The goal of doing without passwords is to offer technologies and support practical cases that reduce, or even eliminate, the use of passwords. This is an important goal, as the use of passwords presents usability challenges and well-known security risks.
For example, using facial recognition instead of a password is one form of passwordless login. Another is to use intelligent analysis of a user’s behaviour to determine authentication criteria (i.e. adaptive MFA).
The first priority of passwordless authentication is to ensure that you maintain or strengthen the level of security by reducing or eliminating the use of passwords. Passwordless authentication relies on the ability to gather other elements of a user’s identity, such as a fingerprint or device identifier. When you have these means, you can implement passwordless authentication without compromising security.
Passwordless authentication is a type of multi-factor authentication that replaces passwords with a more secure authentication factor, such as a fingerprint or PIN. With multi-factor authentication, two or more factors are required for verification during login.
Passwordless authentication is based on the same principles as digital certificates: an encryption key pair made up of a private key and a public key. Even though both are called keys, you can think of the public key as the padlock and the private key as the actual key that unlocks the padlock. There is only one key for the padlock and one padlock for the key.
An individual who wishes to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair. The private key is stored on the user’s local device and is tied to an authentication factor, such as a fingerprint, PIN, or voice recognition.
The user can only unlock it that way. The public key is provided to the website, application, browser or other online system with which the user wishes to have an account.
Authentication without a password is a guarantee of freedom and security.
The current passwordless authentication is based on the FIDO2 standard (which includes the WebAuthn and CTAP standards). With this standard, passwordless authentication frees IT departments from the burden of securing passwords. Why? Because as a service provider you store the public keys of individuals, which are by definition public.
As with a padlock, a public key obtained by a hacker is useless without the private key that opens it. The private key, meanwhile, remains in the hands of the end user or employee. In the case of WordPress, a site that relies on single-password authentication can become a target for hackers.
Another advantage of passwordless authentication is that users can choose which tool they use to create their keys and authenticate themselves: a mobile app such as OneLogin Protect, or a biometric or physical device such as a YubiKey. The app or website the user authenticates to is agnostic; how the key pair is created and how you authenticate does not matter to it.
Indeed, this is what authentication without a password is built on. For example, a website that implements passwordless authentication may deliver JavaScript that runs in your browser when you visit the page; that script is part of the website and does not store your personal information.
Neither the script nor the website ever holds your private key, which is why they do not represent an attractive attack surface for cyber crooks.
As a multi-factor authentication method, passwordless authentication will continue to evolve. Most organizations still use traditional passwords as the primary authentication method.
Authentication is referred to as passwordless when a factor other than a password is used. A password is a knowledge factor, that is, something you know. The problem with relying solely on a knowledge factor is that it is likely to be stolen, shared, reused, misused or exposed to any number of other risks.
Ultimately, authentication without a password means no more passwords. Instead, authentication relies on a possession factor, something your user has, or an inherent factor, something your user is, to verify the user’s identity with greater certainty.
You might think passwordless authentication sounds pretty cool, but you may also be wondering whether it is really necessary. In view of the risks associated with passwords, this method should be preferred by WordPress sites.
While passwords are considered a necessary evil, the risks are too many to ignore. For starters, passwords are all too easy to steal and guess. The 2021 Verizon Data Breach Investigations Report confirms it: 61% of breaches in 2020 were carried out using unauthorized logins. Hackers also use Google dorking to find WordPress passwords by entering search operators in the Google search engine.
Despite efforts to raise awareness of password security and to strengthen policies, users continue to rely on weak and risky password practices. It is estimated that a user must manage an average of 200 passwords and that this number could double by 2024. Many passwords are also weak or reused across different sites.
In an effort to combat this trend, some organizations require passwords to be more complex and changed more frequently. However, this only worsens the problem by increasing the likelihood that users will write down their passwords or use the same one on multiple sites. It also comes at a cost: support services are drowning in a growing number of password reset requests, a real additional burden for everyone involved in the procedure.
Is passwordless authentication the same as MFA? The short answer is no. Multi-factor authentication increases confidence that a user is who they say they are by requesting an additional authentication factor before granting access to resources.
In contrast, passwordless authentication grants access to resources through an authentication factor that is not a password. Unlike MFA, passwordless authentication can involve just one factor, for example a biometric. If the authentication process involves more than one factor and none of them is a password, then it is passwordless MFA.
Any change often produces feelings of doubt and uncertainty. But when it comes to passwordless authentication, those concerns are irrelevant. This is because passwordless authentication allows you to replace the use and storage of passwords with more secure authentication mechanisms. It is therefore an inherently safer method than the password authentication still used by some organizations.
Building on this, the FIDO2 standard is the first open identity standard created specifically to support passwordless authentication. FIDO2 uses public key cryptography to provide the most secure method of passwordless authentication. Credentials remain on the user’s device at all times and are never stored on a server.
In other words, they are not vulnerable to phishing, password theft or replay attacks. Passwordless authentication can also support more sophisticated threat detection and risk mitigation technologies to further enhance security.
Password theft and loss have long been a security risk. By reducing the use of password-based methods, or even eliminating them altogether, you automatically reduce their value to malicious actors. This increases the level of WordPress security.
By replacing passwords with more secure authentication factors, it becomes much more difficult and costly for hackers to complete their attacks. With the addition of advanced authentication mechanisms, such as risk indicator tracking and device approval, you get more confidence that your login credentials are secure.
Read more about the WordPress security checklist, a step-by-step guide to strengthening the security of a WordPress website.
Passwords cause usability issues that lead to inferior experiences. For example, if your customer cannot remember the password they use for your site, they will usually prefer to abandon their shopping cart rather than go through the password reset process.
Conversely, by providing customers with a passwordless authentication method, you eliminate the need to create, manage and remember (or have to reset) passwords. Your users can benefit from convenient login mechanisms such as push notifications and facial recognition to streamline their transactions.
By decreasing the use of passwords, you also decrease the need to reset passwords. This change alone can lead to a dramatic increase in productivity by reducing downtime.
With more convenient and secure authentication options, your users gain faster, easier access to resources.
Passwordless authentication eases the burden on technical support by reducing or even eliminating password reset requests and associated costs.
Passwordless authentication also helps reduce costs by replacing expensive hardware tokens and smart cards with push notifications and more cost-effective biometric authentication methods through the user’s smartphone.
To determine which authentication factors are best suited for your practical cases, you will need to know the pros and cons of each.
Knowledge factors: what you know
Possession factors: what you have
Inherent factors: what you are
Considering the number of authentication options available, you might be wondering how to strike the right balance between security, usability and cost for your use case.
To get started, check out the different apps you use, determine the security needs of each, and identify which user population should be able to access them.
Once you have gathered this information, you can walk through the access scenarios for each application, which makes it easy to identify the best authentication method(s) for each one.
A common use case for employees is gradually reducing the need for passwords based on user behaviour. When the same user logs on to the same computer at around the same time each day, a typical pattern of behaviour is established. As long as the user keeps following this pattern, you can systematically reduce how often a password is requested.
For example, you could ask the user to enter their password each time they log in for the first week. If the user behavior remains constant, then you could reduce the password request to once per day for the first month. If typical behavior continues, then you might request a password only once a week from the second month.
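The schedule just described can be written down as a policy function. The following is an added example, not code from the article or from any product; it assumes a hypothetical "routine" made of the user's most common device and most common login hour (UTC), and a constructed login history, and it returns whether the current attempt must ask for the password.

```javascript
const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;
const WEEK = 7 * DAY;

// Learn the user's routine from past successful logins. Assumption for this
// example: the routine is the most common device and most common hour (UTC).
function learnRoutine(logins) {
  if (logins.length === 0) return null; // no history, no routine
  const mostCommon = (values) => {
    const counts = new Map();
    for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
    return [...counts.entries()].sort((a, b) => b[1] - a[1])[0][0];
  };
  return {
    deviceId: mostCommon(logins.map((l) => l.deviceId)),
    usualHour: mostCommon(logins.map((l) => new Date(l.time).getUTCHours())),
  };
}

// Does this attempt look like the routine? Same device and within one hour
// of the usual login hour (wrapping around midnight).
function matchesRoutine(routine, attempt) {
  if (!routine || attempt.deviceId !== routine.deviceId) return false;
  const hour = new Date(attempt.time).getUTCHours();
  const diff = Math.abs(hour - routine.usualHour);
  return Math.min(diff, 24 - diff) <= 1;
}

// The schedule from the text: every login in week one, once a day during the
// first month, once a week from the second month on. Anything that breaks
// the routine (new device, unusual hour) always asks for the password.
// profile: { enrolledAt, routine, lastPasswordAt }  attempt: { time, deviceId }
function passwordRequired(profile, attempt) {
  if (!matchesRoutine(profile.routine, attempt)) return true;
  const age = attempt.time - profile.enrolledAt;
  const sincePrompt = attempt.time - profile.lastPasswordAt;
  if (age < WEEK) return true;
  if (age < 30 * DAY) return sincePrompt >= DAY;
  return sincePrompt >= WEEK;
}
```

The important design choice is the first line of passwordRequired: the relaxed schedule only applies while the behaviour stays constant, so a login from a new device or at an unusual hour falls back to the full password prompt regardless of how long the user has been enrolled.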
Two common practical cases of passwordless authentication are consumer access to prepaid credit cards and access by an insurance expert to a client’s report files and history.
Gift cards are common: about $27.5 billion is spent on them for holiday gifts, according to the National Retail Federation. But they are equally popular with cybercriminals and other thieves. While there are many ways that malicious actors can steal and defraud gift cards, merchants logically want gift cards to be as easy as possible for legitimate users to use, otherwise they risk losing significant revenue.
This provides an opportunity to use passwordless authentication. Since in almost all cases the customer will need to register with their email address in order to check their gift card balance, that same address can be used to send a one-time authentication code the first time they access the card from a new device. You could also offer the user the option to trust the new device and then keep that device’s fingerprint so that they do not have to re-authenticate from it for a given period of time.
In WordPress sites, security is paramount. Security plugins keep your WordPress site secure to some extent, but you do not want restrictive security measures that prevent the people who need the information from reaching it. In this use case, authentication could consist of sending a push notification to a phone-based authenticator app that uses facial recognition or a fingerprint, with a PIN-protected FIDO authenticator, for example a YubiKey, as a backup factor.
Thanks to this combination, the expert can connect under normal conditions by responding to the push notification. If they cannot receive or respond to a push notification, the expert can use the YubiKey as a fallback authentication method. Since the YubiKey is a FIDO authenticator and therefore separate from the phone or laptop, the expert can use a PIN code to unlock the authenticator and gain access. Security is maintained and productivity is not affected.
Website security plays a major role in today’s businesses. Small or large, every business communicates with its customers through its website. In 2021, website security is a major concern for every small, medium and large business, and owners take various steps to protect their sites from unauthorized users.
Ecommerce businesses are at greater risk because they store more customer data and users engage with the website through the login panel. Most often users sign in with an email address and a password, which is the concern we are discussing here. The passwordless authentication method can be a breakthrough in ecommerce security.
There are a number of steps involved in implementing passwordless authentication, each of which can provide significant improvements in usability and security. Also, a step-by-step approach to setting up passwordless authentication is often the most effective.
The process typically begins with identifying the most important business needs to be met as well as selecting the first users who can provide feedback on the early stages of deployment. The graphic presented here suggests a framework for implementing passwordless authentication, starting with centralized authentication.
Depending on your specific applications, user audience, and business needs, however, your implementation process may look different.
You can find several plugins to help you set up WordPress passwordless login.
For this, we’ll be using the Passwordless Login plugin, as it has good ratings and receives consistent updates, not to mention that it is free, whereas most similar plugins require payment.
Install and activate the Passwordless Login plugin from WordPress.org.
Copy the Passwordless Login shortcode.
Go to Users > Passwordless Login.
This brings you to the plugin’s only configuration page.
To move forward, copy the shortcode to your clipboard.
Create a dedicated login page.
The Passwordless Login plugin does not replace your wp-login.php page. Instead, you need to create a whole new page for your passwordless login.
Select the Shortcode block to insert it on your page.
Paste the shortcode you copied from the plugin settings into the block field.
Add any other instructional text above or below the login form.
Then click the Publish button.
Test your new login page
Now it is important to copy or remember this new login page URL.
All the user needs to know is the username or email address associated with the account.
Instead of forcing users to enter a password, the plugin displays a message.
It asks them to check their email, where they will find a link.
Clicking the link logs them into the website automatically!
It adds the extra step of checking your email, but you no longer have to remember a password!
Are you struggling to find the smartest way to secure your WordPress site without using passwords?
Here we have handpicked the best Passwordless WordPress plugins for your website.
Many of our novice users often hire developers to make minor adjustments to their websites. These developers may need access to the admin area to edit or check something.
If you trust the developer, you can create an administrator account for them and then delete it when they have done their work.
Similarly, you can add new users and authors in WordPress and then block the user without deleting their account.
However, sometimes you can forget that you have added someone with privileges to make changes to your website. This leaves your website open to potential security threats and data security issues.
With temporary logins, you can create temporary accounts that do not require a password to log in and are automatically deactivated after a specified time.
In the digital world, passwords seem to be the most popular way to improve security: with a password you can access private data while unauthorized people cannot. With the details above, though, we have seen that passwordless is the future and is much more secure.
Have you ever needed to create temporary accounts for WordPress that automatically expire after a certain time? Sometimes you may have to create temporary accounts to give temporary access to the administrators. We are going to show you how to create a temporary login for WordPress without passwords.
With that said, let’s see how to easily create a temporary login in WordPress that does not require passwords.
Create automatic login links with automatic expiration for WordPress. Give them to developers when they request admin access to your site, or to an editor for a quick overview of the work done. The login works simply by opening the link; no password is needed.
Using the “Temporary Login Without Password” plugin, you can create a self-expiring account for someone and give them a special link with which they can log in to your WordPress site without needing a username and password.
You can choose the expiration date of the login, as well as the role of the temporary account.
This is really useful when you need to give admin access to a developer for help or to perform routine tasks.
The first thing you have to do is install and activate the Temporary Login Without Password plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
Upon activation, visit the Users » Temporary Logins page and click the Create New button to add a new temporary login account.
This will display a form where you will need to enter the information for the temporary login you want to add.
You must first provide an email address for the user and then their first and last name.
Next, you must select a user role. Be careful when selecting a user role. If you’re not sure which user role to assign, take a look at our beginner’s guide to WordPress user roles and permissions.
Finally, you must select the expiration duration for this temporary account. This is the period after which the account will automatically expire.
Don’t forget to click the Submit button to save your changes.
You will now see a success message and a URL that anyone can use to log into the temporary account you just added. Click the Click to Copy button to copy the URL and share it with anyone you want to have access to.
The temporary account will automatically expire after the period of time you have selected.
Alongside the tracking fields (user email, last login and expiry), the Actions column lets you disable, delete or edit a login, email the login link, or copy it.
The plugin also makes it easy to manage temporary logins. Just visit the Users » Temporary Logins page, and you will see the list of temporary logins you have added to your site.
For each account, you will be able to see the name and email address of the user. You will also be able to see the role assigned to them, the last login date and the time remaining until the account expires.
Below the actions column, you can expire a login before it expires, delete an account, or copy the temporary login URL.
Once a temporary account is permanently deleted, all content created by that user such as posts or pages will show the administrator account as the author.
Now let’s move on to another great plugin called Passwordless Login. Instead of using passwords, this plugin lets you grant access to a WordPress page or widget with a shortcode.
Passwordless Login asks users to enter their username or email address when they attempt to access your website. After receiving an access request, the plugin automatically creates a temporary authorization that becomes invalid after 10 minutes.
After installing and activating the Passwordless Login plugin, go to Users > Passwordless Login, where the instructions are shown on screen.
To create a passwordless login form in the front-end, you should add the [passwordless-login] shortcode to a page.
Once done, click Publish.
Now, when users want to access your page, they’re asked to enter their email or username.
After successfully submitting the email/username, users will receive a confirmation prompting them to check their email.
Meanwhile, an email containing an access link that expires in 10 minutes is sent.
Besides protecting pages, you can also add the shortcode to a widget in the sidebar by going to Appearance > Widgets and adding [passwordless-login] inside the content box of a Text widget.
Once done, press Save.
Here’s a passwordless login widget in the front end.
If you have protected content and want to let users reach it without forcing them to type in a password, Passwordless Authentication works like a charm.
At the moment, there are two methods integrated in this plugin: contact forms and Google reCAPTCHA.
As such, when users want to access your protected content, they only need to fill in a contact form or pass Google reCAPTCHA.
Please note that you should have the PPWP Pro plugin to protect your content before using the Passwordless Authentication extension.
Access Protected Content by Fulfilling Contact Forms
Passwordless Authentication integrates with most of the popular contact form plugins, for example Contact Form 7, Gravity Forms, Formidable Forms, WPForms and Ninja Forms.
Now, let’s say you’re using Contact Form 7.
After protecting your content with PPWP Pro and creating a contact form, go to Password Protect WordPress > Passwordless Authentication to assign the form to protected content.
Here, enable the “Protect Content using Passwordless Authentication” option.
You can choose to display the contact form either in all protected content or in specific content only.
After you save settings, the contact form will be shown on the protected pages as below.
At this point, instead of entering a password, users are asked to fill in a form to access the secured content.
In fact, you can collect your users’ information for further needs; in some cases this can even contribute to marketing efforts.
Also note that the regular password form will be displayed as usual if the contact form plugin is deactivated.
To add an extra layer of security and prevent spam, you can install Google reCAPTCHA on your WordPress website. By using Passwordless with the Google reCAPTCHA option, you can grant access to your content to all users while keeping it protected.
Once you have completed the configuration of reCAPTCHA on WordPress, you can assign it to your protected content by navigating to Password Protect WordPress > Passwordless Authentication.
To protect your content with Passwordless Authentication, enable the “Protect Content using Passwordless Authentication” option, and select Google reCAPTCHA v2 from the dropdown menu.
After you save settings, the reCAPTCHA checkbox will be shown on the protected pages as below.
Once users pass Google reCAPTCHA verification, they’ll be able to access your protected content immediately.
Are you struggling to add a passwordless login form to your WordPress site? Don’t worry, WP Hacked Help is here for you. We have experienced developers who can do it for you. Get in touch with us today.