UPDATE: I’ve added the plugin to the WordPress.org repository. If it gathers interest/attention then I may develop it further and add more stuff like SMS gateway support, configuration, etc… See: http://wordpress.org/extend/plugins/second-factor/
I really don’t know why, but the idea of adding a second authentication factor to WordPress blogs took hold of my brain tonight and needed an outlet. So I made this little proof of concept plugin: Second Factor. What it does is pretty simple:
- When you log in it goes through a series of cryptographic routines and generates some info which is stored in the database as a user option.
- A key is generated for you, and an email is sent to your listed email address.
- When you attempt to access a page while logged in it blocks you, asking for the key that was emailed to you
- Finally after entering this second authentication token you are allowed access to the site
I could see this being extended to Instant Messaging, SMS, IRC, or even integrated with a text-to-phone service to make an actual phone call which reads off the numbers to you.
What I don’t know is if anyone actually wants this… If this is even worthwhile. For me it was mainly a thought experiment. Would you want to have this kind of added security on your WP Installation?
That's great and minimizes the risk of password phishing, dictionary attacks and stuff. Cool!
@Titanas Exactly. It's not a panacea by any means, but another layer of security. With the added benefit that unless a hacker was very very careful even with direct access to the database they would still trigger an email message being sent to you. Sorry it took a while to reply, didn't notice the comment notifications for this post for some reason.
It might actually be useful as an authenticator for a wifi service. You could register your MAC address and every once in a while the network could ask you for that key. Hmmm.
@Craig What are you thinking of doing? (sorry it took a while for me to respond, I didn't notice the comment notification.)