yubikey-plugin

by apb360

Description

This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the Yubikey USB token.
The plugin uses the Yubico Web service API in the authentication process.
The one-time password requirement can be enabled on a per user basis.

Installation

Buy a Yubikey
Create a Yubico ID & API Key
Unzip plugin into your /wp-content/plugins/ directory.
Enter Key ID on the Users -> Profile and Personal options page.
Enter Yubico ID & API key on the Settings -> Yubikey options page.
Id/key confused ? Well the Key ID is the first 12 chars from the output Your Yubikey generates,
they don’t change, the Yubico ID and API Key is used when communicating with the Yubico authentication server.

Screenshots

Entering Key ID on the profile page
Entering Yubico ID & API key on Yubikey options page.
The enhanced loginbox.
The Yubikey itself.

Faq

How much does the Yubikey cost ?

A single Yubikey is $40

Are there any special requirements for my WordPress/PHP installation ?

PHP5 with Hash & Curl libs enabled.

I have a lot of users on my WordPress installation, do they all need Yubikeys ?

No the plugin can be enabled on a per user basis.

Reviews

On some sites it works, other not

By mike2972 on April 12, 2023

On some WP sites it works, but on others it doesn't work. Must be a 'conflict' somewhere. Too bad there is no logging to see where it goes wrong. As soon as I rename the woo-yubi folder, to disable the plugin, I can login again.

simple and it works

By paranoidandroid88 on February 3, 2023

at first i wasnt' sure who i can trust. i mean this plugin is written by a stranger, not yubikey. So i got my unique api key from yubikey.co and installed it. Entered it into the plugin. enabled the user from user/profile, plugged in my key to generate a key, saved, logged out and logged back in and it worked. I tried any NON enabled user and of course did not enter a key via my key and got in. So here's my test that this plugin author is actually communicating with yubikey.co, I changed just one letter in my api id and tried logging in, and i could NOT. Soo... this tells me that it's trying to communicate with yubi apparently to authenticate, otherwise it would not know. Alternately, i could have deleted my api key from yubikey.co to test. regardless, it works seamlessly. I'm using WP 5.8.6

Didn't work for me

By GrampaB (jgbennette) on October 15, 2022

It appeared on the login screen but then caused login to fail "Incorrect Username or Password". I had to delete the plugin folder from the server to get in to my WP admin. I'm new to Yubikey so the error could be in how I use my new keys (though I added them both to the WP admin profile and the Yubikey API to the plugin settings page). I love the idea - wish it would work for me.

Love that I can use my YubiKey on WP

By idowebwork (mannweb) on April 3, 2020

Thanks for an amazing plugin. Hopefully the maintainer is looking and will update things to show they are tested as working with WP 5.4, since it does.

Working perfect with version 5.3.2

By kose (peprgb) on February 29, 2020

So nice to have the possibility of adding an extra layer of security to WordPress admin panel. Plugins is working perfect with version 5.3.2. I encountered some semantic issues, thus, using in WordPress "Yubico API ID and Yubico API key" vs "Client ID and Secret Key" on Yubico's site, not important.

Simple and flawless operation

By pabstm on February 6, 2019

Exactly what I was looking for. Just install, activate it and get/insert an API Key (which can be obtained in seconds). Subsequently every user can manage the Yubikey-Settings right in the profile. Nothing more, Nothing less.

Couldn't get it to work

By dhoogmoed on December 15, 2018

WP 5. and a Fairly old Yubikey. Installation and API activation worked without hassle but when entering the OTP on the login page it just fails to grant access. No obvious errors. I have no time to trouble shoot, so will look for an alternative 2fa.

Additional security for WordPress

By M. van Dam (michelangelovandam) on December 30, 2017

I love WordPress for it's simplicity to use and it's rich eco-system to achieve complex challenges, but always felt that a simple username and password combination was not enough to elevate the security of WordPress. Now with this Yubikey-Plugin, I'm finally able to add an additional factor to safeguard against unauthorised access. Many thanks to Adam Lyons for making this plugin available. It's really easy to set up and to activate 2FA per user account. I also notified Yubico to update their WordPress plugin link to this plugin.

Does what it has to do

By codedead on November 7, 2017

This plugin does exactly what it's supposed to do. Yubikey support has been added and it seems to be pretty secure as well (I hope). Let's hope for continued updates and compatibility for the latest WordPress versions. Thank you for your hard work for creating this plugin!

Changelog

2.3

Yubi API Version 2 Implemented

2.2

Darn SVN messing me up

2.1

Working with more recent API from YubiKey

0.96

Some depricated stuff removed.
Tab index on login page remove.

0.95

API key URL updated

0.94

Version mess fixed

0.93

Styling on descriptions added, once again thanks to Uwe Moosheimer

0.92

German translation by Uwe Moosheimer added

0.91

Tab index fix on registration page

0.90

Support for multiple Yubikeys per account.
Tested with WordPress 3.1.1

0.82

Russian translation contributed by M. Comfi http://www.comfi.com/

0.81

WordPress global var $is_profile_page has been changed into a constant
IS_PROFILE_PAGE. Thanks to Koen Vervloesem for reporting this.

0.80

More multiuser friendly version. Now, a Yubikey can be registered during
registration. An Administrator can disable the OTP requirement for other users

0.71

Initial release