This article is only about protecting your site from login-based hacks. There are a number of other methods which hackers use to attack sites. Be sure to research other ways to handle other vulnerabilities and keep your software versions current.
No one, including me, can guarantee that you and your web-site will not become a victim of malicious attack. The information I provide in this article is based on my experience with technology and securing computers in the last 30+ years. This information is presented in an effort to educate people and help them protect themselves.
Brand and product names mentioned within this article are property of their respective organizations. The presence of these names does not imply edorsement by the organization of me or this article.
Currently WordPress is the most popular content management system (CMS) and a common target for hackers. When I started using WordPress for my blog, I looked for an easy and inexpensive way to protect the site from login-based hacking.
In comes Clef. The FREE tier is all I needed to protect my logins and possibly all you need too, though premium features are available to add support and monitoring.
Clef is a unique authentication method that is simple to use and provides two-factor protection. Running on an RSA key architecture, an application on your smartphone uses a PIN or your fingerprint plus your phone's camera and the image on your computer screen to login to the web-site.
As of this writing, Clef is available as a plug-in for Drupal, Joomla, Magento, Plesk and WordPress. Check the Clef web-site
for download links and new plug-ins.
The User Experience
When accessing a site protected by Clef, the user is greeted with the login interface. This will be a box in the middle of the browser window with vertical lines moving up and down.
The user then launches the Clef application on their smartphone. The user will either enter a PIN or scan their fingerprint (on fingerprint capable devices). If the PIN or fingerprint is incorrect, the user will be unable to activate clef logon.
Once unlocked with the correct PIN or fingerprint, the Clef application will begin using the smartphone's camera with a similar moving vertical bar pattern overlay. The user will point the phone's camera at their monitor and lineup the on-screen bars with the phone's bars.
Once authentication is complete, the vertical bars leave the smartphone screen and merge with the bars on the computer screen and then access to the site is granted. When accessing the site from a unrecognized computer or browser, the user is prompted to verify the URL to prevent phishing.
By default, Clef will automatically log the user out of the site after an hour. The user can adjust the time they expect to need access to the site directly on their smartphone.
Before you are logged out, the user receives a notification on their smartphone that they will be logged out, giving them a chance to increase the time to remain logged in. Clicking 'Log out now' will end their session on the site.
How To Install
Simply put - Install, activate and setup the Clef plugin just like any other plugin on your WordPress site.
It is very easy to install the plugin and configure it.
- If not already installed, Install the Clef application from the Google Play or Apple App Store onto your smartphone.
- Log onto your WordPress site as an Administrator.
- Go into the Plugins portion of the administration console.
- Click 'Add New' and search for Clef.
- Click 'Install Now' for the Clef plugin.
- Click 'Activate plugin' after the install completes.
- Upon Activation, click the 'Get Started' button.
- Setup will walk you through the rest of the configuration.
When using Clef on your site, there are a some settings to consider.
Disabling password access is important for ensuring that Clef is protecting your site. If you continue to allow username and password access, then you will not be forcing two-factor authentication and your site will be less secure.
Disable passwords for Clef users - ensures that people that are registered with Clef can only access the site with their Clef credentials.
Disable passwords for all users with privileges greater than or equal to - This setting ensures that users with certain privilege levels use Clef, while allowing lower users to use username and password access.
Typically, you wouldn't want to force a subscriber to use two-factor authentication. This would discourage general users from visiting your site. Only higher privileged accounts need greater protection.
Disable passwords for all users and hide the password login form - This forces everyone to use Clef for authentication. As mentioned in the prior setting, this could discourage visitors.
Allow passwords for API - The WordPress mobile app does not support Clef. Enabling this setting allows the mobile app or other API requests to access the site with username and password.
There may be an emergency situation, like your phone battery dies or you have no cell signal, but you must access the web-site. After activation and configuration, be sure to setup the Override URL, just in case it is needed. This Override URL bypasses the smartphone sync and allows username/password authentication.
- Go into the Clef portion of the administration console.
- Scroll down to the Override URL and click the 'generate a secure override url' link.
- Record the override url, including unique code, and store in a safe place.
How It Protects Your Site
From a high-level point of view ... When the application is installed on a smartphone and registered, a digital 2048-bit RSA key is created which is registered only to that phone/user. An algorythm combines the private key with the current timestamp creating a time-sensitive "signature" that is tied to the computer that is being used to login. This "signature" identifies the user to the Clef system by matching the public key and timestamp combination processed at Clef.
If a man-in-the-middle attack intercepts the secret (current Clef signature), the secret would be invalid if used on a system other than the one tied to the signature, additionally the timestamp of the signature would no longer be valid.
The PIN (or fingerprint) used to unlock the application on the smartphone protects the private key. Only the person in possession of the phone can access the key and generate the signature. With no form presented for login, there is no opportunity for brute force attack.
For a closer look at how this system works, read the whitepaper
published on Clef's website.