If you run your own WordPress site, chances are you are using a pretty secure password to keep hackers from posting random stories to your blog. Still, even the best password isn’t as good as Gmail-style two-factor authentication, and unless you are a programmer, you probably don’t have the expertise to make this happen. Authy, which offers two-factor authentication as a service, is hoping to solve this by launching a WordPress plugin today that replaces the standard WordPress login with a more secure two-factor authentication login system.
Update: The folks at Duo Security tell us that they have found a vulnerability in Authy’s plugin. Authy is aware of this and is looking into the issue, but the company still tells us that its “recommendation is to still continue and install the plugin.”
Authy, just like Google Authenticator, generates a new token for you every 20 seconds (you can use its mobile app or get an SMS with this code). To log in, you need both your regular password and this 7-digit code from Authy, making it virtually impossible for a hacker to get into your account without also having access to your phone. This also renders standard phishing and key-logger attacks pointless, as the code constantly changes.
Installing the plugin, which is now available in the WordPress.org plugin repository, takes just a few clicks once you have signed up for an Authy account. As Authy founder and CEO Daniel Palacio told me earlier this week, his company is an API-based service at heart (though it is also branching out into other online security markets now). It was clear to the team, however, that integrating Authy into services like self-hosted WordPress sites took a considerable amount of expertise, so they decided to launch this easy-to-install version for WordPress now. Authy plans to launch similar plugins for other services in the near future, too.
The basic Authy service is available for free, as long as you have fewer than 1,000 users and don’t need to log in more than 500 times per month. Larger sites will need to subscribe to Authy’s premium service, starting at $49 per month, but for most WordPress installs, the free tier should work just fine.