Last week, WP Busters released its first plugin, titled Passwordless WP. It is a project from full-stack developer Ilya Zolotov that allows end-users to log into their WordPress websites via Touch ID, Face ID, or PIN. The goal is to make accessing a site easier and more secure.
Zolotov built the plugin after checking his email on a public database and finding old passwords. He said he now uses a safe browser for work purposes without extensions and scripts. He also said the millions of credentials stolen or compromised every year were a motivator for building the plugin.
“I like this feature of my laptop, and I am using it every day,” he said. “As well, I am using it to avoid entering the ‘root’ password in terminal using my finger, it’s comfortable and any sniffer can’t capture my password.”
Last year, he decided to check browser support for handling passwordless logins but was disappointed that Safari on iPhone only supported external USB keys at the time. He concluded that the technology was not ready yet.
“In Apple’s summer news, I saw the update: the platform authenticator would be available in iOS 14 and Big Sur on Safari, and passwordless authentication is working in Chrome now. Also, Microsoft will release Windows Hello support. 2020 is the passwordless year. Awesome!”
He then began work on developing the first version using stable cryptographic libraries and building a simple user experience. He believes the technology that allows this plugin to work will be widely supported from now on.
Zolotov assures users that it is a fast, secure, and certified protocol. The plugin does not store any personal data on the server or link to third-party services.
“Other plugins which use SMS or Email to log in, send you code or link,” he said when asked about how Passwordless WP differs from similar plugins. “They make your life harder because you need to do more clicks — open email and link, unlock phone, etc. I prefer to enter a password using my manager, which uses my Touch ID.”
Other plugins using the same technology do exist. WP-WebAuthn, for example, has a few additional features and has been around for about seven months.
How Passwordless WP Works
The plugin requires HTTPS, unless it is running in a localhost test environment. It also has a minimum requirement of PHP 7.2. Outside of that, it will work for any WordPress installation. Passwordless logins are handled on the user level, which means that each user on a WordPress site must register a token from their profile page.
The process is simple and takes only moments. Once on the register token screen, users merely need to click a button and choose the authentication method from their operating system.
From that point forward, when logging into the site, it is merely a matter of clicking on a username and using your Touch ID or Face ID to log in.
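The register-then-log-in flow described above can be sketched as a challenge-response exchange with the server-side checks a site would run. This is an added example, not code from the plugin or the article: it assumes the plugin uses WebAuthn (as the comparison with WP-WebAuthn suggests), simulates the device authenticator with Node's crypto module, and uses hypothetical function names and the placeholder site example.test.

```javascript
// Added sketch, not plugin code: assumes WebAuthn; names and example.test are hypothetical.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Registration: the key pair is created on the device; the site keeps only publicKey.
const newCredential = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// HTTPS is required, with plain-HTTP localhost allowed for testing.
// Simplification: the host must equal rpId exactly (the spec also allows a parent domain).
function originAllowed(origin, rpId) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  return url.hostname === rpId && (url.protocol === 'https:' || url.hostname === 'localhost');
}

// Constructed stand-in for the platform authenticator (Touch ID, Face ID, PIN).
function signAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData = SHA-256(rpId) | flags (user present + verified) | signature counter
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Server-side checks at login; returns 'ok' or the first failed check.
function verifyAssertion(publicKey, expectedChallenge, rpId, assertion) {
  const { clientDataJSON, authData, signature } = assertion;
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad type';
  const challenge = Buffer.from(String(clientData.challenge), 'base64url');
  if (challenge.length !== expectedChallenge.length ||
      !nodeCrypto.timingSafeEqual(challenge, expectedChallenge)) return 'bad challenge';
  if (!originAllowed(clientData.origin, rpId)) return 'bad origin';
  if (!authData.subarray(0, 32).equals(sha256(rpId))) return 'bad rpId hash';
  if ((authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

// Constructed demo values: one valid login, one replay against a new challenge, one non-HTTPS origin.
function demo() {
  const { publicKey, privateKey } = newCredential();
  const challenge = nodeCrypto.randomBytes(32);
  const good = signAssertion(privateKey, challenge, 'https://example.test', 'example.test');
  const plainHttp = signAssertion(privateKey, challenge, 'http://example.test', 'example.test');
  return {
    login: verifyAssertion(publicKey, challenge, 'example.test', good),
    replay: verifyAssertion(publicKey, nodeCrypto.randomBytes(32), 'example.test', good),
    plainHttp: verifyAssertion(publicKey, challenge, 'example.test', plainHttp),
  };
}
```

Because the server holds only a public key and issues a fresh challenge for every login, a captured response cannot be reused and a database leak exposes no reusable secret.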
The following is a quick video of the plugin in action:
My experience is with Google Chrome on Windows. The latest release, version 1.1.6, is working well. The previous version had an issue with a missing PHP extension in testing, but the plugin author fixed it quickly and sent out an update once I notified him of the problem.
Is it safe? You know, WordPress plugins and their vulnerabilities…