Linux 软件免费装
Banner图

Two Factor Auth

开发者 oskarhane
更新时间 2014年7月29日 20:54
PHP版本: 3.1.0 及以上
WordPress版本: 3.9.1
版权: GPLv2 or later
版权网址: 版权信息

标签

secure security login password hacking security plugin authenticate auth two factor auth

下载

1.0 1.1 2.0 2.1 3.0 3.0.1 3.0.2 3.0.3 3.0.4 4.0 4.0.1 4.1 4.1.1 4.1.2 4.2 4.2.1 4.2.2 4.2.3 4.2.4 4.3 4.3.1 4.3.3 4.3.4 4.3.5 4.4 4.0.2 4.3.2

详情介绍:

Secure WordPress login with this two factor auth. Users will have to enter an One Time Password when they log in. Why You Need This Users can have common or weak passwords that lets hackers/bots brute-force your WordPress site and gain access to your files and place malware there. Just like happend not that long ago: Article on TechCrunch If all sites would have used this plugin, this would never happend. It doesn't matter how weak your users passwords are, no one can gain access to your WordPress site without already having access to the users mobile phone or email inbox (depending on how the user gets his OTP). How Does It Work? This plugin uses the industry standard algorithm TOTP or HOTP for creating One Time Passwords. A OTP is valid for a certain time and after that a new code has to be entered. You can now choose to use third party apps like Google Authenticator which is available for most mobile platforms. You can really use any third party app that supports TOTP/HOTP that generates 6 digits OTP's. Or, as before, you can choose to get your One Time Passwords by email. Since you have to enter a secret code to third party apps, email is the default way of delivering One Time Passwords. Your users will have to activate delivery by third party apps themselves. Easy To Use Just install this plugin and you're all set. There's really nothing more to it. If you want to use a third party app, goto Two Factor Auth in the admin menu and activate it and set up your app. General settings can be found uner Settings -> Two Factor Auth in admin menu. Settings for each individual user can be found at the root level of the admin menu, in Two Factor Auth. A bit more work to get logged in, but a whole lot more secure! If you use WooCommerce or other plugins that make custom login forms, you will not be able to login through those anymore. I will be adding a plugin that puts a One Time Password field to WooCommerce. If you use some other plugin that needs support for this, let me know in the support forum. TOTP or HOTP Which algorithm you and your users choose doesn't really matter. The time based TOTP is a bit more secure since a One Time Password is valid only for a certain amount of time. But this requires the server time to be in sync the clients time (if the OTP isn't delivered by email). This is often hard to do with embedded clients and the event based HOTP is then a better choice. If you have a somewhat slow email server and have chosen email delivery, you might not get the TOTP in time. Conslusion: Choose which ever you want. TOTP is a little bit safer since OTP:s only are valid for a short period. Note that email delivery users always uses the site default algorithm, which you can set on the settings page. Third party apps users can choose which one they want. Is this really Two Factor Auth? Before version 3.0 this plugin had 'kind of' two factor auth where the OTP was delivered to an email address. Since version 3.0 you can have real two factor auth if you activate the Third Party Apps delivery type. Read more about what two factor auth means >>. See http://oskarhane.com/plugin-two-factor-auth-for-wordpress/ for more info.

安装:

Easy installation. This plugin requires PHP version 5.3 or higher and support for PHP mcrypt.
  1. Upload two-factor-auth.zip through the 'Plugins' menu in WordPress
  2. Activate the plugin through the 'Plugins' menu in WordPress
or
  1. Search for 'Two Factor Auth' in the 'Plugins' menu in WordPress.
  2. Click the 'Install' button. (Make sure you picks the right one)
  3. Activate the plugin through the 'Plugins' menu in WordPress

屏幕截图:

  • The admin login page.
  • The admin login page when the username and password is entered and an OTP is asked for.
  • User settings page where they choose delivery type.
  • Admin settings page.

升级注意事项:

4.4
  • You can now change the OTP sender email address and name. Spanish translation added.
4.3.5
  • Inserting the TFA Form as first element in form. Enables sending the form with return-key in all browsers.
4.3.4 4.3.3
  • Last release introduced a email login bug that is fixed in this version.
4.3.2
  • You can now enter an email address instead of an username to generate an OTP email.
4.3.1 Successfully tested in WP 3.8 4.3 New login layout. The OTP field won't be visible until username and password is entered. 4.2.4 Successfully tested in WP 3.7. 4.2.3 Successfully tested in WP 3.6. 4.2.2 XMLRPC users wont be affected anymore. Settings for XMLRPC can be found in Settings->TFA. 4.2.1 This update will check for OTP:s regardless from where you login. Up to 4.2 custom login forms could bypass the TFA, but not anymore. If you use i.e. WooCommerce, your customers won't be able to login anymore. I will add a separate plugin to support other login forms. 4.2 Support for HOTP added. You can choose if HOTP or TOTP should be used as default. 4.1.2 German and Chilean Spanish translations added and css bug on OTP button in some browsers (break the float) fixed. 4.1.1 Button on lost password page is now enabled. 4.1 Language supprt and WP 3.1.0 needed. 4.0.2 Added PHP version and mcrypt support checks at activation. 4.0.1 Button on login page is now blue to be more clear. Some types fixed as well. 4.0 You must run database change script after upgrade. The script encrypts the keys in the database. You will be prompted with a button to run it. Until you do, TFA won't be active. 3.0.4 Fixed a bug where a OTP could be used twice. 3.0.3 Added limitation to one login per time window. 3.0.2 Fixed a bug where som users email never got sent. 3.0.1 Fixed so users get alerted of they don't enter a username before clicking the OTP button on the login page. 3.0 Major changes. See changelog for more info. 2.1 A few bugs fixed and changed how the plugin behaves when a wrong code was entered. 2.0 Nothing special to consider. Just upgrade as usual. 1.1 Nothing special to consider. Just upgrade as usual. 1.0 Just released.

常见问题:

Can I have real Two Factor Auth?

Yes, since version 3.0 you can activate real Two Factor Auth by activating third party apps option under "Two Factor Auth" in admin menu. Don't forget to set up your app with the secret key.

Oops, I lost my phone. What to do?

Hopefully you saved the three Panic Codes when you activated third party apps. Use one of them.

If I can't reach my email account, can I bypass this plugin and log in anyway?

If you have Panic Codes, you can use them. Otherwise, no.

更新日志:

4.4 4.3.5 4.3.4 4.3.3 4.3.2 4.3.1 4.3 4.2.4 Just added "Tested up to" tag in readme since it works fine in WP 3.7. Next version with some updates will come soon. 4.2.3 4.2.2 4.2.1 4.2 4.1.2 4.1.1 4.1 4.0.2 4.0.1 4.0 3.0.4 Fixed a bug where a OTP could be used twice. 3.0.3 3.0.2 3.0.1 Fixed so users get alerted of they don't enter a username before clicking the OTP button on the login page. 3.0 2.1 2.0 1.1 1.0