Adding a second authentication factor to WordPress

UPDATE: I’ve added the plugin to the WordPress.org repository. If it gathers interest/attention then I may develop it further and add more stuff like SMS gateway support, configuration, etc… See: http://wordpress.org/extend/plugins/second-factor/

I really don’t know why, but the idea of adding a second authentication factor to WordPress blogs took hold of my brain tonight and needed an outlet. So I made this little proof of concept plugin: Second Factor. What it does is pretty simple:

  1. When you log in it goes through a series of cryptographic routines and generates some info which is stored in the database as a user option.
  2. A key is generated for you, and an email is sent to your listed email address.
  3. When you attempt to access a page while logged in, it blocks you and asks for the key that was emailed to you.
  4. Finally, after entering this second authentication token, you are allowed access to the site.
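
A sketch of the four steps above, added here as an illustration; it is not the Second Factor plugin's code. The function names, the 8-digit key format, the 10-minute lifetime and the attempt limit are all assumptions, and an in-memory array stands in for the stored user option.

```php
<?php
// Added example: every name and limit below is an assumption, not taken from the plugin.
const SF_TTL = 600;          // seconds a key stays valid (assumed)
const SF_MAX_ATTEMPTS = 5;   // wrong guesses allowed before the key is void (assumed)

// Steps 1-2: generate the key and the record that is stored as a user option.
// The record holds a salted HMAC of the key, so the key is never stored in the clear.
// An 8-digit key space is small; the short lifetime and attempt cap are what bound guessing.
function sf_issue(int $now): array {
    $key  = str_pad((string) random_int(0, 99999999), 8, '0', STR_PAD_LEFT);
    $salt = random_bytes(16);
    $record = [
        'salt'     => bin2hex($salt),
        'digest'   => hash_hmac('sha256', $key, $salt),
        'expires'  => $now + SF_TTL,
        'attempts' => 0,
        'verified' => false,
    ];
    return [$key, $record];  // $key leaves only by email; $record goes to the database
}

// Steps 3-4: every page request is blocked until this returns true for the session.
function sf_verify(array &$record, string $submitted, int $now): bool {
    if ($record['verified']) {
        return true;
    }
    if ($now > $record['expires'] || $record['attempts'] >= SF_MAX_ATTEMPTS) {
        return false;        // expired or locked: a fresh login must issue a new key
    }
    $record['attempts']++;
    $expected = hash_hmac('sha256', trim($submitted), hex2bin($record['salt']));
    if (hash_equals($record['digest'], $expected)) {  // constant-time comparison
        $record['verified'] = true;
        return true;
    }
    return false;
}

// Constructed walk-through: wrong key, correct key, then an expired key.
$now = time();
[$key, $record] = sf_issue($now);
$wrong = ($key === '00000000') ? '11111111' : '00000000';
var_dump(sf_verify($record, $wrong, $now));
var_dump(sf_verify($record, $key, $now));
[$key2, $stale] = sf_issue($now);
var_dump(sf_verify($stale, $key2, $now + SF_TTL + 1));
```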

I could see this being extended to Instant Messaging, SMS, IRC, or even integrated with a text-to-phone service to make an actual phone call which reads off the numbers to you.

What I don’t know is if anyone actually wants this… If this is even worthwhile. For me it was mainly a thought experiment. Would you want to have this kind of added security on your WP Installation?

4 thoughts on “Adding a second authentication factor to WordPress”

    • @Titanas Exactly. It's not a panacea by any means, but another layer of security. With the added benefit that unless a hacker was very very careful even with direct access to the database they would still trigger an email message being sent to you. Sorry it took a while to reply, didn't notice the comment notifications for this post for some reason.

  1. It might actually be useful as an authenticator for a wifi service. You could register your MAC address and every once in a while the network could ask you for that key. Hmmm.
