Keyy gives you 2-factor authentication with a difference. It replaces passwords with sophisticated RSA public-key cryptography, which results in stronger security and a better user experience.
Keyy does away with typing:
- Usernames
- Passwords
- One-time-passwords or other 2FA tokens
Instead, users log in simply using their mobile phone. It's easy!
- Install the Keyy app on your phone, available through Android or iOS (iPhone / iPad / iPod).
- Secure the app using either a fingerprint or a 4-number PIN
- To log in, open the app and point it at the code shown on the screen.
Keyy gives you one-click access to all your WordPress websites simultaneously.
Security
Keyy has been built on RSA public-key cryptography, which is the same tried-and-tested technology underlying secure websites (SSL) and many other industry standards.
It involves a 2048-bit RSA digital key, which is created and stored on the user's mobile phone. Keyy doesn't keep a central database of user profile and login details, so you're not reliant upon any third parties. The digital key is secured in the Android Keystore or Apple Keychain, only accessible via each user's mobile phone protected by a fingerprint scan or a 6-digit PIN, so data remains safe even if the phone becomes lost or stolen.
Because it doesn't use passwords, Keyy protects against a host of common password-stealing hacks, including:
- Brute-forcing
- Weak credentials
- Key-logging
- Password re-use
- Shoulder-surfing
- Connection sniffing
By strengthening individual account security, Keyy keeps the entire network safe.
Hold your phone up to any computer and you're instantly logged in.
You need to have a device (e.g. phone or tablet) that uses either Android or iOS (e.g. iPhone, iPad).
N.B. This is our initial release. It is expected to be rough around the edges!
Please don't hit us with a bad review before giving us a chance to improve the product; we're very eager for your feedback and suggestions in the support channel.
In the coming weeks and months we will:
- Launch a single sign-on feature, so logging into one site with Keyy logs you into all sites on that device
- Add the ability to log on to a localhost site or other site without incoming Internet access (not currently possible)
- Make various other smaller improvements
Features
- Login by scanning a code with your phone (or other device). No passwords to remember!
- Industry-standard RSA encryption (asymmetric keys) - your login key lives on your phone. There is no back-door access, even for us.
- No central point of failure. The login instruction (signed by your unique private key) goes directly from your phone to your website; no third-party server is involved. You don't get locked out if somebody else's server is down.
- Secret URL for de-activating Keyy: note and securely store this URL when you set up, and if you lose your phone later, you can use it to log in using the ordinary WordPress username/password mechanism.
- If you lose your phone, you can also disable the plugin through your web hosting account, i.e. you can't be permanently logged out if you still have access to your WordPress install through your web hosting.
Premium Features
The Premium version of this plugin adds these extra features:
- Ability to choose whether to require a password as well as, or instead of, a scan
- Ability for administrators to impose scan/password policies on users (e.g. all editors require both)
- Scan codes also appear on the WooCommerce and Affiliates-WP login forms and Theme My Login widgets and secondary login forms
- Stealth mode: Hide the Keyy scan image until the user presses a key to reveal it
- Hide username/password fields and require Keyy for all users
- Mass contacting of all users with a connect scan code (useful when requiring Keyy of all users)
- Ability for admins to view and over-ride settings for a specific user
- Keyy admin pages do not show information about other products from our product family
- Ability to customise/brand the "What is this?" message
- Access to Premium support channels
Standard WordPress installation procedure: search for the plugin from your dashboard's plugin page, then press on "Install", then on "Activate".
Or, download the plugin zip and upload it via the plugin installer in your WordPress dashboard (in Plugins -> Add New -> Upload), and then activate it.
Requirements
- WordPress 4.4 or later (or possibly an earlier version if you also add the official WP REST plugin - but we have not tested and cannot provide support for this).
- An Android smartphone or tablet, or an iPhone/iPad (or any device that runs Android or iOS apps).
- Your WordPress site must not have the REST interface disabled, and that interface must be reachable from the public Internet (or at least, have its URL reachable by your device running the app)
In previous versions, it was necessary to use WordPress's default pretty permalinks. However, that is no longer the case. Please make sure that you have updated Keyy on your sites (to 0.6.9 or later).