northps.com

NorthPoint DIGITAL

WordPress Two-Factor Authentication

Hi, I'm Arwin.

This is me before two-factor authentication.

Hi, I'm Andy.

This is my daughter before two-factor authentication.

we're talking about security

While there are many aspects to site security, we're going to focus on ONE.  Your front door.


Password Security

Password Security is a Personal Choice.

It is our own individual responsibility to choose a unique, complex password.

Requirements and "strength meters" can't make your password secure.

TIP:  Don't advertise your password requirements.
TIP:  Don't forget to manage your users and roles.   

most passwords are insecure


  • Adding a 9th character to the 8-character password r$iOkmB_ could increase theoretical cracking time from 4 years to "centuries"

  • A long 22-character sentence (such as "there'snoplacelikehome") theoretically takes only 4 days to crack

How can I protect myself?


1. Use strong passwords

  • No dictionary words, years, names.
  • WP 3.7's new strength meter helps!
  • Dropbox zxcvbn (DEMO ALERT)
    • Try it.  See crack time in real-time.

2. ADD ANOTHER FACTOR

ADDING ANOTHER FACTOR


The best authentication would be three factors:

  1.  Something you know (password)
  2.  Something you have (key)
  3.  Something you are (thumbprint)

TWO-FACTOR EXAMPLES


At the ATM, you have:
  1. your card
  2. your PIN

At the grocery store, you have: 
  1. your checkbook 
  2. your photo ID

USING YOUR PHONE


  • In addition to knowing your password, you can use your mobile phone as a cryptographically secure access token.
  • Each new device you sign in with requires you to enter the code that is currently shown on your mobile phone.
  • The code that your phone shows changes every 30 seconds, and the server is synced so that it uses the same mathematical formula.
  • If you lose your phone, it's like losing a key, so you had better have a backup. You can have backup one-use scratch codes that you keep in a safe place.

ADDING TWO-FACTOR TO WORDPRESS

(self-hosted)

YOU HAVE PLUGIN OPTIONS

(here are just two)





Two-Factor ON WORDPRESS.COM

http://en.blog.wordpress.com/2013/04/05/two-step-authentication/

http://en.support.wordpress.com/security/two-step-authentication/

(DEMO ALERT)

  1. Install Google Authenticator on your phone
  2. Click on "Security Tab" in WP.com account settings
  3. Run through the Setup Wizard


  • TIP:  Print Backup Codes
  • TIP:  Generate App-Specific Passwords

MA.TT said this months ago


  • Don't use "admin" as your username
  • Change your passwords often
  • Select strong passwords
  • Enable two-factor authentication

what does security mean to you?

This is me after two-factor authentication.

Yes, now I'm feeling secure.

THANK YOU


Arwin Holmes
@arwinholmes

Andy Magoon
@magoon

WE ARE WORDPRESS FANATICS

AND WE'RE HIRING

NorthPoint Digital

WE LEAD WITH EXPERIENCE

WPNYC: Two-Factor Authentication

By Arwin Holmes

NorthPoint Digital's Arwin Holmes and Andy Magoon present on WordPress Two-Factor Authentication at the WPNYC Meetup on 11/19/2013.