Authyo Passwordless Login
| 开发者 | konceptwise |
|---|---|
| 更新时间 | 2026年1月1日 16:03 |
| PHP版本: | 7.2 及以上 |
| WordPress版本: | 6.9 |
| 版权: | GPL v2 or later |
| 版权网址: | 版权信息 |
详情介绍:
Authyo Passwordless Login provides a secure, fully passwordless authentication system for WordPress. Users enter their email address, receive a one-time password (OTP) via email, verify the OTP, and are automatically logged in - no passwords required at any stage. The plugin uses secure, single-use tokens to enable automatic WordPress authentication after OTP verification, providing a seamless and secure login experience.
Key Features
- Fully Passwordless Authentication: Users verify email with OTP and are automatically logged in - no passwords required
- Secure Token-Based Login: Single-use, browser-bound tokens enable automatic authentication after OTP verification
- Secure OTP Delivery: OTP codes are sent via Authyo's secure email service
- Seamless Integration: Works with the default WordPress login page
- Custom Login Pages: Includes a shortcode [authyo_login] for custom login forms
- Easy Configuration: Simple settings page in WordPress admin
- Enable/Disable Toggle: Easily enable or disable passwordless login
- AJAX-Powered: Smooth, modern user experience without page reloads
- Immediate Dashboard Redirect: Automatic redirect to WordPress dashboard after successful authentication
- Compatible: Works with custom login path plugins (e.g., WPS Hide Login)
安装:
Manual Installation
- Download the plugin files
- Upload the authyo-passwordless-login folder to /wp-content/plugins/ directory
- Activate the plugin through the 'Plugins' menu in WordPress
- Navigate to Settings > Authyo Passwordless Login to configure the plugin
- WordPress 5.0 or higher
- PHP 7.2 or higher
- An active Authyo account with API credentials
屏幕截图:
常见问题:
How does passwordless login work?
- Users enter their email address on the login page
- An OTP code is sent to their email via Authyo
- Users enter the OTP code to verify their email ownership
- After successful OTP verification, a secure single-use token is generated
- Users are automatically redirected and logged in to WordPress
- No password is ever required - fully passwordless authentication
Can I use this with custom login pages?
Yes, you can use the shortcode [authyo_login] on any page or template, or use the PHP function authyo_passwordless_login_form() in your theme templates.
What happens if a user doesn't receive the OTP?
Users can click the "Resend OTP" button to request a new OTP code. The OTP expires after 5 minutes (as configured with Authyo). The login token expires after 5 minutes if not used, and is deleted immediately after successful login for security.
Is this plugin secure?
Yes, the plugin implements multiple security layers:
- Nonce verification for all AJAX requests (prevents CSRF attacks)
- Email address validation and user existence verification
- Secure transient storage for OTP sessions (10-minute expiry)
- Cryptographically secure token generation using WordPress core functions
- Browser-bound tokens: Tokens are validated against a hashed User-Agent to prevent cross-browser replay attacks
- Single-use tokens that are deleted immediately after successful login
- Time-limited tokens (5-minute expiry) to prevent long-term exposure
- Token format validation to prevent injection attacks
- Authentication completed using WordPress core authentication mechanisms
- Replay attack prevention through immediate token deletion and User-Agent signature validation
更新日志:
1.0.1
- Performance improvements
- Screenshot addon
- Initial release
- Fully passwordless login with OTP verification
- Secure token-based automatic authentication
- Single-use, time-limited login tokens
- WordPress login page integration
- Custom login shortcode [authyo_login]
- Admin settings page
- AJAX-powered authentication flow
- Immediate dashboard redirect after login
- WordPress.org security compliance
- Replay attack prevention
- Cryptographically secure token generation