Google recently made a splash in the security scene when they announced none of their 85,000+ employees have been successfully phished on their work-related accounts since early 2017.
It’s the kind of magic sauce we all long to boast about for our clients’ WordPress sites. What was the secret to Google’s success and how can I get that level of protection for my sites you ask?
It wasn’t sorcerers guarding the Google HQ. The answer is Universal 2nd Factor (U2F) physical security and it turns out it’s WordPress ready. So why isn’t everyone using this impenetrable layer of security?
I want the ultimate in WordPress security. So I did some research and got myself a key.
It’s pretty epic…but it is not all pros.
In this article, we’ll look at U2F, the magic of physical security keys, how you can set up a 100% phish proof WordPress site, the benefits and why it is not right for everyone.
- 1 Table of contents:
- 2 What is a Universal 2nd Factor (U2F) Physical Security Key?
- 3 What Do U2F Security Keys Protect Against?
- 4 How Do U2F Security Keys Work?
- 5 No, I mean – technically, HOW does it work?
- 6 U2F and WordPress Security
- 7 What are the drawbacks and barriers to entry of Security Keys?
- 8 U2F vs OTP’s
- 9 What’s Wrong With 2FA on Smartphones?
- 10 Who Are Physical Security Keys Like YubiKeys For?
- 11 Better Solutions for WordPress Security
Table of contents:
What is a Universal 2nd Factor (U2F) Physical Security Key?
U2F is an authentication standard that lets users securely access their online accounts instantly with a security key – no drivers or client software needed.
You just register a physical device with the online service that supports the protocol. It was created by Google and Yubico and now it’s hosted by the FIDO Alliance.
Basically, U2F security keys are physical USB keys that look like a flash drive. You can only access your account by tapping the key while it’s plugged in.
As an end user, it feels like a dedicated device for 2-Factor Authentication. Instead of using your phone and the Authenticator app, you carry around a physical key.
What Do U2F Security Keys Protect Against?
U2F Security Keys protect from various types of hacks and attacks: session hijacking, man-in-the-middle, malware attacks, and most notably phishing (a site or email that mimics a legitimate account with the purpose of tricking you into sharing your credentials).
Think you would never fall victim to a phishing attempt… think you’re too smart for that?
According to this report, ninety-seven percent of consumers were unable to correctly identify phishing emails. Ninety-seven percent?!
With a Physical key, like the YubiKey, your login information can’t be taken by a copycat login screen because it only works on registered sites. The authentication will fail on fake sites even if you’re fooled into thinking it’s real.
This greatly mitigates against the increasing volume and sophistication of phishing attacks and stops account takeovers.
How Do U2F Security Keys Work?
Once you set up your Security Key the only thing you need to do is to plug it into your computer (or tap the phone!) and press a button.
No, I mean – technically, HOW does it work?
For this post, I don’t want to get lost in the technical details but at a high level, Security Keys support two commands which are provided to web pages as browser APIs:
- Registration – Your Security Key generates a fresh asymmetric key pair and returns the public key. The server associates this public key with your physical key and user account.
- Authentication – When you go to login, your Security Key will test for the USB stick and your physical presence. If verified, the private key is sent to unlock your account.
Sounds complicated, but this all happens almost instantaneously.
If you’re looking for more detail Google released this paper. For more tech-savvy folk, full specifications of YubiKeys can be found on fidoalliance.org.
U2F and WordPress Security
I wanted to give it a go on my site. So I purchased a YubiKey of my own.
Seeing as this was an experiment and I am not super technical I wasn’t ready to attack manual set up. I searched for a free plugin option on WordPress.org. The search ended pretty fast. There’s currently not a lot of options or information for WordPress so I went with the most popular free option, Two-Factor.
Now armed with my brand new key and the plugin I thought, “this shouldn’t be too hard”.
So, how do you use U2F and physical security keys with WordPress?
- Go to Users -> your Profile page
- Scroll down. You will see some new features. Under account management, there should be Two-factor options available now.
- Enable FIDO U2F and set as primary
- Scroll down to Security Keys and press the Register New Key button
- Plug in your FIDO U2F security key and tap the circle button on it
- Wait for the page to refresh and click Update Profile
Sounds easy enough. But I kept getting stuck at step 5! These instructions start with the assumption your key is registered.
It’s not complicated, but it had me tripped up. So here is my “noobs guide” to U2F setup for WordPress:
- Once you have your key in hand the first step is to register with Google
- To setup U2F on WordPress, you must be logged in as an administrator
- Use a browser with U2F support (Google Chrome is recommended. Make sure you have the latest version.)
- U2F requires an HTTPS connection
- You can’t add new security keys over HTTP
What are the drawbacks and barriers to entry of Security Keys?
While it’s fairly easy to implement there were some drawbacks.
This level of security is not free and providing security keys to everyone that needs access to your site could be costly – especially for large teams. Keys vary in price from $20 to $50. Plus, it’s recommended you keep a backup key for each of your users just in case their key is lost, damaged or stolen. If you run a team of 10 that would require 20 keys. Cha-ching.
If cost is not prohibitive, the next challenge is that security keys are still not widely adopted. While usage has increased setting-up security keys for other systems can be a painful and lengthy process. The good news is that things are improving and setting up security keys on Google, Facebook or Twitter is fairly straightforward.
Another thing to consider for teams or development agencies is management. Keys create a more complicated employee and client onboarding process. It also means finding a point person for setup and recovery. Hello middle managers.
Perhaps the most obvious hurdle, you can’t access your site without the security key. This is good for your site’s security but could be bad for convenience. Let’s say you just arrived at work and realized you left your key at home. You can’t call somebody to dictate a one-time password – because, there is no
spoon password! This could mean a few more hours of driving, which would negate all the extra seconds you have “stolen away” by using U2F over OTP in a single day.
Lastly, Handing out security keys to your WordPress clients could, obviously, be a potential problem.
So, why not just roll with One-Time Passcodes (OTP) or 2FA on my phone? These are valid options, but there are some disadvantages.
U2F vs OTP’s
One-Time Passcodes (OTP) are short numeric codes that are one-time use and are sent via text messages or generated on a separate physical device. While they are more secure than ordinary passwords, OTP’s aren’t perfect:
- They are vulnerable to phishing and man-in-the-middle attacks
- You have to carry around a dongle per each website/password
- SMS messages can be intercepted
In short, it’s not a 100% protection plan. While it offers another layer of security, if someone phishes access to your email or messages account they can still gain access to your (or your clients) WordPress back-end with an OTP code.
What’s Wrong With 2FA on Smartphones?
If you’re using a 2FA app on your smartphone like Google Authenticator, you might be asking this question. Short answer: nothing is wrong with 2FA, in fact, it offers a great layer of security if set up properly. This can be made stronger with things like disabling the OTP option – less convenient but more secure.
2FA is more flexible, but if you leave recovery options in the name of convenience it may leave you with a false sense of security.
Advantages U2F security keys have over Smartphones:
- Protecting application logic from malware is difficult on a general purpose computing platform
- A phone might not be reachable in the situations when the battery runs off or when there is no service
- Unlike most Smartphones, YubiKeys are water resistant and will allow you to kiss in the rain
Who Are Physical Security Keys Like YubiKeys For?
For most WordPress users, Defenders 2FA with Google Authenticator on your phone is more than enough. Dedicated security keys offer dedicated protection against phishing and man-in-the-middle attacks and are arguably faster and easier to use once you set them up and get used to them, but let’s face it, ordinary Joe probably doesn’t really need a YubiKey.
That said, if you’re running an agency with multiple administrators on high profile client sites it may be time to consider physical keys for your team.
Google’s own U2F case study showed, that on top of becoming a “no-phishing zone”, they also noticed accelerated employee productivity, reduced support compared to phone authentication, and even lower cost of ownership.
The benefits of the physical keys multiply with the number of employees/clients using keys and with the number of daily sessions each user commences.
Better Solutions for WordPress Security
U2F is most likely the technology of the future and it is growing rapidly in popularity. But for now, it doesn’t seem to provide enough benefits for small or midsize agencies, at least not for replacing a well-set-up 2FA.
If physical keys sound impractical or a bit excessive for your clients, Defender is the best option for securing your WordPress sites. The combination of one-click security tweaks, good password practices, 2-factor Auth along with our forced two-factor authentication for specific user roles, automated cloud backups, and free expert support clean-up is more than enough.
What do you think? Do the risks of phishing associated with your phone have you considering physical keys for your WordPress agency?
Why 100 is NOT a Perfect Google PageSpeed Score (*5 Min Watch)
Learn how to use Google PageSpeed Insights to set realistic goals, improve site speed, and why aiming for a perfect 100 is the WRONG goal.