Securing Your Site with Clef

Delphineous SilverwingGood Ol' Geek


This article is only about protecting your site from login-based hacks. There are a number of other methods which hackers use to attack sites. Be sure to research other ways to handle other vulnerabilities and keep your software versions current.

No one, including me, can guarantee that you and your web-site will not become a victim of malicious attack. The information I provide in this article is based on my experience with technology and securing computers in the last 30+ years. This information is presented in an effort to educate people and help them protect themselves.

Brand and product names mentioned within this article are property of their respective organizations. The presence of these names does not imply edorsement by the organization of me or this article.

Currently WordPress is the most popular content management system (CMS) and a common target for hackers. When I started using WordPress for my blog, I looked for an easy and inexpensive way to protect the site from login-based hacking.

In comes Clef. The FREE tier is all I needed to protect my logins and possibly all you need too, though premium features are available to add support and monitoring.

Clef is a unique authentication method that is simple to use and provides two-factor protection. Running on an RSA key architecture, an application on your smartphone uses a PIN or your fingerprint plus your phone's camera and the image on your computer screen to login to the web-site.

As of this writing, Clef is available as a plug-in for Drupal, Joomla, Magento, Plesk and WordPress. Check the Clef web-site for download links and new plug-ins.

The User Experience

When accessing a site protected by Clef, the user is greeted with the login interface. This will be a box in the middle of the browser window with vertical lines moving up and down.
ClefBars.jpgThe user then launches the Clef application on their smartphone. The user will either enter a PIN or scan their fingerprint (on fingerprint capable devices). If the PIN or fingerprint is incorrect, the user will be unable to activate clef logon.
ClefPIN.jpgOnce unlocked with the correct PIN or fingerprint, the Clef application will begin using the smartphone's camera with a similar moving vertical bar pattern overlay. The user will point the phone's camera at their monitor and lineup the on-screen bars with the phone's bars.
ClefCam.jpgOnce authentication is complete, the vertical bars leave the smartphone screen and merge with the bars on the computer screen and then access to the site is granted. When accessing the site from a unrecognized computer or browser, the user is prompted to verify the URL to prevent phishing.
ClefURL.jpgBy default, Clef will automatically log the user out of the site after an hour. The user can adjust the time they expect to need access to the site directly on their smartphone.
ClefIn.jpgBefore you are logged out, the user receives a notification on their smartphone that they will be logged out, giving them a chance to increase the time to remain logged in. Clicking 'Log out now' will end their session on the site.

How To Install

Simply put - Install, activate and setup the Clef plugin just like any other plugin on your WordPress site.

It is very easy to install the plugin and configure it.
  1. If not already installed, Install the Clef application from the Google Play or Apple App Store onto your smartphone.
  2. Log onto your WordPress site as an Administrator.
  3. Go into the Plugins portion of the administration console.
  4. Click 'Add New' and search for Clef.
  5. Click 'Install Now' for the Clef plugin.
  6. Click 'Activate plugin' after the install completes.
  7. Upon Activation, click the 'Get Started' button.
  8. Setup will walk you through the rest of the configuration.

Special Considerations

When using Clef on your site, there are a some settings to consider.

Disable Passwords

Disabling password access is important for ensuring that Clef is protecting your site. If you continue to allow username and password access, then you will not be forcing two-factor authentication and your site will be less secure.

Disable passwords for Clef users - ensures that people that are registered with Clef can only access the site with their Clef credentials.

Disable passwords for all users with privileges greater than or equal to - This setting ensures that users with certain privilege levels use Clef, while allowing lower users to use username and password access.

Typically, you wouldn't want to force a subscriber to use two-factor authentication. This would discourage general users from visiting your site. Only higher privileged accounts need greater protection.

Disable passwords for all users and hide the password login form - This forces everyone to use Clef for authentication. As mentioned in the prior setting, this could discourage visitors.

Allow passwords for API - The WordPress mobile app does not support Clef. Enabling this setting allows the mobile app or other API requests to access the site with username and password.

Override URL

There may be an emergency situation, like your phone battery dies or you have no cell signal, but you must access the web-site. After activation and configuration, be sure to setup the Override URL, just in case it is needed. This Override URL bypasses the smartphone sync and allows username/password authentication.

  1. Go into the Clef portion of the administration console.
  2. Scroll down to the Override URL and click the 'generate a secure override url' link.
  3. Record the override url, including unique code, and store in a safe place.

How It Protects Your Site

From a high-level point of view ... When the application is installed on a smartphone and registered, a digital 2048-bit RSA key is created which is registered only to that phone/user. An algorythm combines the private key with the current timestamp creating a time-sensitive "signature" that is tied to the computer that is being used to login. This "signature" identifies the user to the Clef system by matching the public key and timestamp combination processed at Clef.

If a man-in-the-middle attack intercepts the secret (current Clef signature), the secret would be invalid if used on a system other than the one tied to the signature, additionally the timestamp of the signature would no longer be valid.

The PIN (or fingerprint) used to unlock the application on the smartphone protects the private key. Only the person in possession of the phone can access the key and generate the signature. With no form presented for login, there is no opportunity for brute force attack.

For a closer look at how this system works, read the whitepaper published on Clef's website.
Delphineous SilverwingGood Ol' Geek

Comments (2)

Delphineous SilverwingGood Ol' Geek


Unfortunately, Clef has announced that it is shutting down, effective 06 June 2017. I have enjoyed using the product to help protect my sites.
Jason C. LevineDon't talk to me.

Switch to WordFence premium.  They have a two-factor SMS or Google Authenticator option.

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.