The Daily Plugin: Launchkey, User Languages, Buy Him A Beer

It’s once again time to check out the newest and most recently updated plugins in the WordPress Plugin Repository. Today we have five additions that are worth taking a closer look at. But before you install these on a live site, make sure that you properly test them on a secondary staging site first. That way you know the plugin is an ideal match for you and can work well with the other plugins you already have installed. Remember that this post is not to be considered an endorsement or official review, but a sampling of the newest offerings from the Repository.

LaunchKey - Failure to Launch

LaunchKey is an authentication plugin that promises to “Kill All Passwords” for your WordPress logins. You begin by installing the plugin, downloading the app (iOS or Android) and then confirming your account via email. From there you are to log in to launchkey.com and create an app API that will authenticate with your mobile device. Here’s where my investigation halted, at first at least. For the first 45 minutes, no matter what browser I tried, it would never let me log into my account on their website to create the API keys needed. I reached out to Launchkey on Twitter and finally had things working to the API key stage after 3 uninstalls and re-installs. Once I had the API keys, it ground to a halt on my first attempt to retry wp-admin login. No matter what I did, {"error":"invalid_request"} was the result in my browser when routing through their OAuth servers.

After 3 API key changes on their site, it finally worked. So how does it work once it actually gets going? It uses your mobile device to allow you to log in to your site based only on your Launchkey username. Once the username is entered, your mobile device is alerted and a notification comes up allowing you to “slide up” a toggle that permits the login. It also allows you to log off simply by sliding the “lock” to the right. One early issue that I found was that no matter what site I had tried to log in as, the iPhone app always identified the authentication request as coming from “Launchkey OAuth” rather than any particular site name or URL. I can see where this would get really confusing really fast when dealing with multiple domains. How would I know what site is being logged into? Once more, if I am logging out by sliding on the names, how can I tell what I’m logging out of? It’s an interesting app/plugin combo adding another layer of security to your installation, or at least lending all your site credential trust to a third-party funnel, which has its own risks attached to it when misused. I like the concept and appreciate the quick help of the Twitter support team in getting me operational. Personally though, I don’t see the need for the average WordPress user to implement this. It’s not worth the risks or the cumbersome setup time. That’s just my opinion and your own needs may vary. For me, the launch key was turned and the rocket never got very far off the pad.

It’s a neat app. Will I keep it installed? Not at the moment. I’ll check back with this one after they have a few revisions to see if they are ready for Prime Time. For now though, I’ll wait.

Buy Him A Beer

Buy Him A Beer is the perfect plugin for Jeff to install on this site. I’d rather call this one “Buy Me some single-malt Scotch”, but for continuity’s sake, we’ll stick with the beer references. This plugin is not like your typical PayPal based donation prompt. It actually allows you to pick out what beer you would like to buy someone. From a domestic standard to a seasonal microbrew rarity, “Buy Him A Beer” is a fun way to encourage tips or donations in your WordPress installation. The plugin runs on the database at buyhimabeer.com to feed the beer data into the system, but no account signup is required. It’s a great way to prompt donations to your site and fun for the person making the donation. I’ve tested it and it also works for females too, despite the name. I foresee a whole series of this. Buy me lunch, send me a pizza, pay for my dry cleaning and perhaps even feed my starving dog with a nice selection of treats. Of course that’s the marketer in me, always going for those heartstrings in order to make a conversion. Who knows if we’ll install this on WPTavern, but it’s worth a shot (or at least a beer).

User Language Switch

User Language Switch allows you to change the language on the front end or the back-end with just a simple flick of the switch. This is truly helpful if you work with people who speak another language and you want to switch back and forth to edit and work on the same WordPress installation. It also allows you to translate posts back and forth with an association between the native language and the translated versions. Several years ago I worked with a team in Spain on a WordPress project that could have really used a plugin like this for the back-end that we could have toggled languages on. If it ever comes up again, I’ll be sure to give this one a try on a live site.

That will round out today’s batch of plugins. After all that struggle with LaunchKey, I really could use a beer. Anyone want to donate one? lol. Remember to say hello on Twitter @marcuscouch or leave your feedback here on WPTavern. We’ll see you tomorrow for the Friday edition to wrap up your week with some fun new plugins.

 

 

11 responses to “The Daily Plugin: Launchkey, User Languages, Buy Him A Beer”

  1. @Kevinjohn Gallagher

    No Languages Were Harmed®, in the production of this post.

    Esperanto came onto the scene in 1887.

    Nowadays Esperanto is seen by Esperantists as an alternative to the growing use of English throughout the world, offering a language that is easier to learn than English, and can also help preserve cultural heritage that can be endangered by English.

    That the English language plays the role it plays (for better & worse) is a social dynamic, rising to occasional minor drama, that predates the Internet by a couple centuries.

    Actually … as computer type setting and then outright digital printing literally snatched the great Chinese script & ultimately the language itself from the brink of extinction … the Internet & WordPress (and Linux) make a substantially more than passing contribution to everything-not-English.

  2. Earlier today, I just said to myself something along the lines of “Self, I wonder if there’s any way I could use my RSA keyfob or some other token to log in to my blogs?”

    After thinking it through for a while, I figured it wouldn’t work too well because I use too many computers, and I may not always have my keyfob (or phone, in the case of Launchkey) in front of me.

    I didn’t consider the problem with multiple blogs to log into, but that’s a valid concern too.

    At least it’s nice to see that people are thinking about the same things I am.

  3. Interesting that you had so many problems – we also installed and reviewed the LaunchKey WordPress Plugin as soon as it was released as part of a series of tests and reviews of the LaunchKey system and did not experience any of the issues when installing it. With the constant attacks against the login processes of all types of websites, but WordPress and Joomla especially, a change to password less login systems is imperative. We have been using it on a couple of WP websites ever since, without any issues at all, so would encourage people to try it themselves.

    We do however agree that the issue of the iPhone app identifying the authentication request as coming from “Launchkey OAuth” rather than the specific site can get confusing and this is something that needs to be sorted out as soon as possible and is something that the developers told us via Twitter will be sorted.

  4. @Havenswift Hosting – What can I say? It took an hour to get working. I’ve installed and tested over 10,000 plugins in the last 9 years, and I have a good grasp on how to get them working. It could have been hosting authentication, the app itself, or any number of factors that took forever to get going on Launchkey. Either way, Clef is my new standard for remote device login.

  5. @marcuscouch sounds like you had a bad experience with your installation but wanted to ensure your readers had a different perspective from successful testing and implementation across multiple websites. Launchkey, Clef and a few other similar systems are addressing a real need to change the way we think about logging into websites which is great, so each should be applauded and supported – which one is used should come down to personal choice as with other functionality covered by multiple plugins. Launchkey does remove the password completely from user accounts that are paired with a phone which removes the ability for the account to be hacked at all. In addition, it also has the optional authentication factors like an in-app combo or PIN lock in addition to geofencing which is the ability to restrict authentication within a specified geographical boundary. These three points make Launchkey better in our view than any other system currently available, but using any system that introduces multi-factor authentication is infinitely better than relying on username and passwords.

  6. @Havenswift Hosting said:

    With the constant attacks against the login processes of all types of websites, but WordPress and Joomla especially, a change to password less login systems is imperative.

    We have been using it on a couple of WP websites …”

    The exploits against login processes are mainly a matter of walking through the mall parking lot, glancing into vehicles for folks’ keys hanging in the ignition.

    While there are elaborations of & alternatives to the login facility, and some are likely to be useful in some settings, an across-the-board abandonment of traditional password & username hardly seems an “imperative”. It doesn’t even sound very smart.

    A security measure used “on a couple” Internet sites enjoys what is known as “Security Through Obscurity”. The bad guys are not aware of it (and it’s too uncommon if they are), and thus are not putting any effort into subverting it. With success, and widespread deployment, comes the more-realistic test of its robustness.

    @Havenswift Hosting later asserts:

    … [A]ny system [such as Launchkey] that introduces multi-factor authentication is infinitely better than relying on username and passwords.

    While increased complexity does or can make it harder – initially – to conquer a security device, it also creates more opportunities for manipulation. If the multi-factorial aspect was the answer, Microsoft and Internet Explorer would have been bullet-proof, all along.

    Again, yes, there are pluses & minuses to be found or created, between different approaches or solutions, but “infinitely better”, like imperative, misstates the situation.

  7. @Ted Clayton says

    The exploits against login processes are mainly a matter of walking through the mall parking lot, glancing into vehicles for folks’ keys hanging in the ignition.

    Yes of course this is often the case but in many ways these are exactly the sort of people that multi factor protection should help the most. How many people use very simple, easily guessed passwords and then use them on multiple websites. Of course these same people may never do anything different or put any additional protection in place, unless it is forced on them rather than being an opt in as it is on a few sites now. We could of course just tell them to not bother with any sort of password, in fact let’s not even bother with any login protection to admin functionality at all.

    Are you able to say without question that every single password you have ever used on every website is a “strong” password and is unique on every single website ? Even if this is the case (Can anyone ever say this ?) then if you read the recent research and results of hacking conferences, it is clear that even complex sentence type passwords can and are being cracked.

    an across-the-board abandonment of traditional password & username hardly seems an “imperative”. It doesn’t even sound very smart.

    How is it not smart ? Any additional login protection has got to be a good thing. In addition to single website logins being easily cracked due to simple passwords, what about the multitude of hacks into huge websites where millions of user passwords have been publicly posted along with associated email addresses and usernames – these same login details are then used to try and hack into a multitude of other websites.

    A security measure used “on a couple” Internet sites enjoys what is known as “Security Through Obscurity”. The bad guys are not aware of it (and it’s too uncommon if they are), and thus are not putting any effort into subverting it. With success, and widespread deployment, comes the more-realistic test

    This plugin is new and we said “we” had used it on a few websites but there have been plenty of other installations but of course it hasn’t yet been extensively tested. Of course the more it is used, the more it is targeted, that is the whole history of Windows and one that Android devices are now discovering. Are you advocating not doing anything different because it is new !

    If the multi-factorial aspect was the answer, Microsoft and Internet Explorer would have been bullet-proof, all along.

    Many large organisations are now introducing two factor authentication but regardless of this, IE security has little to do with this, so unclear what your point is here.

  8. @Havenswift Hosting replied;

    How is it not smart ?

    First, for the same reason that taking the locks out of cars is not smart: the key-lock, like the login, works as intended. All that is asked, is that we actually use them. Both are quite effective, simple and familiar. The suggested response being promoted here, is to replace the part of the system that is not broken; that is functioning correctly & as-designed.

    Are you advocating not doing anything different because it is new !

    No, no – not at all! Like most of us here, I got a serious genetic thing going on for the new. Bring it on! :)

    No; I’m protesting the “imperative”, and the “infinitely better” angle. I think that your tool, and others responding to the same perceived needs, have potential and will find roles. I just can’t see … demanding that we go ripping the whole steering column outa the car, because some folks leave the key in the lock.

    Let’s talk a few moments about who “these” people are, with the bogus passwords & usernames. The big brute-force bot-net going around these days, glancing for the keys in the ignition …. it focuses on advanced, powerful, professional accounts. It hunts for the accounts of those who really & truly should know better. We aren’t talking about ‘little’ people, the twits that we’ll never get through to.

    Oh, no …. we are in fact talking about the super-elite domain-provider who left their top-level keys dangling from the steering column, necessitating that the New York Times and dozens of other tip-top domains on the planet, had to disable their DNS servers. In recent days. After the 100,000-strong bot-net got our hair all pointy.

    We are talking here about WordPress itself, and even Matt Mullenweg himself, who for years made the username on ALL installations, “admin”. You couldn’t change it to something better. Right now, we have important Network Administrators online with serious responsibilities …. whose username was automatically set to “admin”, when they first installed the product, years ago.

    Simpler, incremental, proven improvements are immediately at hand. Evolution is preferable to Revolution. The scourge of weak usernames & passwords is easily ameliorated, by including some nice prompts & wizard-action at the Login. We can gently guide people to make better use of the “perfectly good tool”, already at their disposal …. and we should take those steps, before we either blame the tool that is not at fault, or scapegoat all “these” piddly users … who after all, really aren’t the scarier part of the laxity-phenomenon.

  9. @Ted Clayton

    Firstly, LaunchKey is not our tool and we have no connection whatsoever to the company that developed this or any other similar type of password less login tool.

    the key-lock, like the login, works as intended. Both are quite effective, simple and familiar. The suggested response being promoted here, is to replace the part of the system that is not broken; that is functioning correctly & as-designed.

    Simple and familiar doesn’t mean they can’t be improved on as can be seen by the large number of adopters of two factor authentication to add security to password based systems. These are and will continue to become more common and it won’t be long before this type of additional security becomes mandatory rather than optional on certain sites. To use your analogy, key-lock systems obviously don’t work by themselves as almost no car uses a standard old fashioned key – electronic keys backed up by immobilisers are widespread.

    The big brute-force bot-net going around these days, glancing for the keys in the ignition …. it focuses on advanced, powerful, professional accounts. It hunts for the accounts of those who really & truly should know better.

    That simply isn’t true – almost all recent bot-net attacks go after any website using the targeted software. We have seen this across numerous WP sites but there are plenty of other reputable large studies showing this.

    The recent DNS issues with certain selected domains such as Twitter and the New York Times were completely different and in fact that experience completely supports the argument that the username / password system isn’t robust.

    Melbourne IT, who were the domain name registrar through whom access was achieved, said that one of their reseller’s log-in credentials had been obtained, and that with them, the SEA could enter through the “front door” and carry out the attack.

    “If you’ve got a valid user name and password,” chief executive Theo Hnarakis told ABC (Australia), “the assumption from our systems is that you are the authorised owner and user of that domain name.”

    Of course continuing to use “admin” or any of a number of other common usernames is stupid and even without it being forced on users any longer by WP, it doesn’t stop people from using them and whatever prompts are shown to people will not stop this. Another big problem is that very few people use completely randomised strong passwords made up of upper and lower case letters, numbers and special characters and yet we all still believe nobody can ever guess the password. This is mainly down to the large number of websites that people need to login to now – it is physically impossible to remember completely different usernames and passwords for every single site.

    This is where systems like LaunchKey, Clef and others really come into their own. For LaunchKey, you only need to remember one username across any website that uses that same system and no password. Access is then protected by a variety of multi factor authentications.

    If you want to carry on using usernames and passwords, then of course you are free to do so, that is the benefit of the WP plugin system !
