Log Into WordPress By Touch or Face ID Via the Passwordless WP Plugin

Last week, WP Busters released its first plugin titled Passwordless WP. It is a project from full-stack developer Ilya Zolotov that allows end-users to log into their WordPress websites via Touch ID, Face ID, or pin. The goal is to make accessing a site easier and more secure.

Zolotov built the plugin after checking his email on a public database and finding old passwords. He said he now uses a safe browser for work purposes without extensions and scripts. He also said the millions of credentials stolen or compromised every year was a motivator for building the plugin.

“I like this feature of my laptop, and I am using it every day,” he said. “As well, I am using it to avoid entering the ‘root’ password in terminal using my finger, it’s comfortable and any sniffer can’t capture my password.”

Last year, he decided to check browser support for handling passwordless logins but was disappointed that Safari on iPhone only supported external USB keys at the time. He concluded that the technology was not ready yet.

“In Apple’s summer news, I saw the update: the platform authenticator would be available in iOS 14 and BigSur on Safari, and passwordless authentication is working in Chrome now. Also, Microsoft will release Windows Hello support. 2020 is the passwordless year. Awesome!”

He then began work on developing the first version using stable cryptographic libraries and building a simple user experience. He believes the technology that allows this plugin to work will be widely supported from now on.

Zolotov assures users that it is a fast, secure, and certified protocol. The plugin does not store any personal data on the server or link to third-party services.

“Other plugins which use SMS or Email to log in, send you code or link,” he said when asked about how Passwordless WP differs from similar plugins. “They make your life harder because you need to do more clicks — open email and link, unlock phone, etc. I prefer to enter a password using my manager, which uses my Touch ID.”

Other plugins using the same technology do exist. WP-WebAuthn, for example, has a few additional features and has been around for about seven months.

How Passwordless WP Works

Using touch/fingerprint to log into WordPress via the Passwordless WP plugin.
Logging into the site via fingerprint.

The plugin requires HTTPS, unless in use in a localhost test environment. It also has a minimum requirement of PHP 7.2. Outside of that, it will work for any WordPress installation. Passwordless logins are handled on the user level, which means that each user on a WordPress site must register a token from their profile page.

The process is simple and takes only moments. Once on the register token screen, users merely need to click a button and choose the authentication method from their operating system.

Registering a token for a user account via the Passwordless WP plugin.
Registering a token for a user account.

From that point forward, when logging into the site, it is merely a matter of clicking on a username and using your Touch ID or Face ID to log in.

The following is a quick video of the plugin in action:

My experience is with Google Chrome on Windows. The latest release, version 1.1.6, is working well. The previous version had an issue with a missing PHP extension in testing, but the plugin author fixed it quickly and sent out an update once I notified him of the problem.


10 responses to “Log Into WordPress By Touch or Face ID Via the Passwordless WP Plugin”

    • The idea is good and secure.

      The issue is though that the user may be unfamiliar with the implications of the technology.

      Basically authentication can become paired to an account on a device. Therefore a user who did not understand this could expose his WordPress account if the account on the device is shared.

      Not really an issue for face or fingerprint ids which can’t really be shared but a shared pin on a device then means everyone with the device pin can access the WordPress account.

  1. Gave this a quick spin this morning and appears to work great on standalone sites and multisite primary sites.

    For subsites on multisite, if the user is the same as the primary site it fails to store the token (i presume due to one already existing but not linked to subsite).

    Really looking forward to seeing where this goes as it’s a great experience.

    One thing to note, if you do not have a Nickname set in the user profile it displays the existing username on the login page.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: