WordPress News and Updates on Security: The Passwordless Login

When your website gets hacked, any number of things can happen. Sometimes the hacker defaces your site just to let you know that he was there. If this was all he did, then restoring your site from a backup and plugging the security hole that gave access to the hacker are all that’s required. On the other hand, hackers can do worse things, such as installing malware, redirecting your traffic elsewhere, infecting your visitors’ computers and hijacking them into botnets, or stealing the confidential information of your customers.

Becoming a hacker doesn’t require coding skill or much in the way of specialized knowledge. You merely need to have the desire and a password cracking tool. This low barrier to entry has swelled the ranks of hackers and is why the brute force technique of using software to guess login passwords is so widely used. For now, long and complex passwords are a good defense against brute force attacks.

The problem, however, is that many people value convenience over security. They don’t want to be bothered with memorizing and re-memorizing long, complex passwords that require periodic changing. Many people also have no wish to use password management tools. For the sake of convenience, people use simple passwords and often use a single password for all of their accounts. When a hacker cracks a password for one account, he has access to all of the person’s accounts.

Getting Rid of Passwords

One solution to this difficulty is getting rid of passwords altogether. This eliminates the inconvenience of strong password use and makes brute force password cracking obsolete. How do passwordless logins work? While there are several methods, the simplest involves a login page that asks the user for his user name or email address. After the site verifies that the user has a valid account, he receives an email with a link and a pass code. The user clicks the link and then submits the pass code, which is only valid for a short time (about 10 minutes). Once this is completed, the user is logged in. There is no transmission of passwords or pass codes on any public web page; only a temporary pass code is used at a private location (supplied by the link in the email).
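The e-mailed link and pass code flow described above, as an added example (not code from any WordPress plugin). The class name, the six-digit code, the MAX_ATTEMPTS cap and the hashed in-memory store are assumptions; sending the e-mail and creating the session are left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600     # seconds; the article's "about 10 minutes"
MAX_ATTEMPTS = 5   # assumption: wrong guesses allowed per e-mailed link


def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()


class PasswordlessLogin:
    def __init__(self, accounts, clock=time.time):
        self.accounts = set(accounts)  # e-mail addresses with a valid account
        self.pending = {}              # sha256(link token) -> login record
        self.clock = clock

    def request_login(self, email):
        """Return (link_token, pass_code) to e-mail, or None if no such account."""
        if email not in self.accounts:
            return None  # the page should respond identically either way
        token = secrets.token_urlsafe(32)            # goes in the e-mailed link
        code = f"{secrets.randbelow(10**6):06d}"     # typed in by the user
        self.pending[_digest(token)] = {
            "email": email,
            # Binding the code to the token means a leaked store cannot be
            # searched for the 6-digit code without also knowing the token.
            "code_hash": _digest(token + ":" + code),
            "expires": self.clock() + CODE_TTL,
            "attempts": 0,
        }
        return token, code

    def verify(self, token, code):
        """Return the e-mail address to log in, or None. Success is single-use."""
        key = _digest(token)
        record = self.pending.get(key)
        if record is None:
            return None
        if self.clock() > record["expires"] or record["attempts"] >= MAX_ATTEMPTS:
            del self.pending[key]  # expired or guessed too often: burn the link
            return None
        record["attempts"] += 1
        if not hmac.compare_digest(record["code_hash"], _digest(token + ":" + code)):
            return None
        del self.pending[key]
        return record["email"]
```

Only hashes of the link token and pass code are stored, so reading the pending-login table does not yield a usable login.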

There is a WordPress plugin that uses this method, but it never became popular. However, there’s another WordPress plugin called Clef which provides password-free, two-factor authentication. Once set up, logging into your WordPress account is quick and convenient. Its method of passwordless login is quite different, however. It requires the use of a mobile phone (with the Clef mobile app installed) and a computer.

Logging into your WordPress site involves visiting your login page (which has no password entry field) with your computer. There you will see a moving pattern called the Clef Wave. Authentication occurs when you hold up the camera of your mobile phone to the computer screen, where your phone camera sees and syncs with the Clef Wave. At this point, you are logged in.

The technology behind Clef is complex, but its ease of use has made it very popular. If the idea of convenient, password-free logins and invulnerability to brute force hacking appeals to you, give Clef a try. For more WordPress news and updates that make a difference in how you blog, contact us at WP Support HQ.