Authyo Passwordless Login
| 开发者 | konceptwise |
|---|---|
| 更新时间 | 2026年2月9日 20:40 |
| PHP版本: | 7.2 及以上 |
| WordPress版本: | 6.9 |
| 版权: | GPL v2 or later |
| 版权网址: | 版权信息 |
详情介绍:
Authyo Passwordless Login enables a modern, secure passwordless authentication system for WordPress using email-based one-time passwords (OTP).
Users simply enter their email address, receive an OTP via email, verify the code, and are automatically logged in — no passwords required at any stage.
This plugin is officially developed and maintained by Konceptwise Digital Media Pvt. Ltd. and uses Authyo’s secure OTP authentication services.
Key Features
- Fully passwordless WordPress login using email OTP
- No passwords stored or required
- Secure token-based authentication (single-use, time-limited)
- OTP delivered via Authyo’s secure email service
- Fallback Method: You can set your two-factor authentication app as a fallback method if you have trouble with email OTPs.
- Works with default WordPress login page
- AJAX-powered login flow (no page reloads)
- Automatic dashboard redirect after login
- Enable / disable passwordless login anytime
- Compatible with custom login URL plugins (e.g., WPS Hide Login)
- User enters their email address on the WordPress login page
- Authyo sends a one-time password (OTP) via email
- User verifies the OTP
- WordPress logs the user in automatically using a secure, single-use token
安装:
Manual Installation
- Download the plugin files
- Upload the authyo-passwordless-login folder to /wp-content/plugins/ directory
- Activate the plugin through the 'Plugins' menu in WordPress
- Navigate to Settings > Authyo Passwordless Login to configure the plugin
屏幕截图:
常见问题:
How does passwordless login work?
- Users enter their email address on the login page
- An OTP code is sent to their email via Authyo
- Users enter the OTP code to verify their email ownership
- After successful OTP verification, a secure single-use token is generated
- Users are automatically redirected and logged in to WordPress
- No password is ever required - fully passwordless authentication
Can I use this with custom login pages?
Yes, you can use the shortcode [authyo_login] on any page or template, or use the PHP function authyo_passwordless_login_form() in your theme templates.
What happens if a user doesn't receive the OTP?
Users can click the "Resend OTP" button to request a new OTP code. The OTP expires after 5 minutes (as configured with Authyo). The login token expires after 5 minutes if not used, and is deleted immediately after successful login for security.
Is this plugin secure?
Yes, the plugin implements multiple security layers:
- Nonce verification for all AJAX requests (prevents CSRF attacks)
- Email address validation and user existence verification
- Secure transient storage for OTP sessions (10-minute expiry)
- Cryptographically secure token generation using WordPress core functions
- Browser-bound tokens: Tokens are validated against a hashed User-Agent to prevent cross-browser replay attacks
- Single-use tokens that are deleted immediately after successful login
- Time-limited tokens (5-minute expiry) to prevent long-term exposure
- Token format validation to prevent injection attacks
- Authentication completed using WordPress core authentication mechanisms
- Replay attack prevention through immediate token deletion and User-Agent signature validation
更新日志:
1.0.3
- Added video tutorial to readme
- Improved Google Authenticator fallback logic to hide on non-existent users
- Minor bug fixes
- Added two factor authenticator as backup method
- Performance improvements
- Performance improvements
- Screenshot addon
- Initial release
- Fully passwordless login with OTP verification
- Secure token-based automatic authentication
- Single-use, time-limited login tokens
- WordPress login page integration
- Custom login shortcode [authyo_login]
- Admin settings page
- AJAX-powered authentication flow
- Immediate dashboard redirect after login
- WordPress.org security compliance
- Replay attack prevention
- Cryptographically secure token generation