Passwords are not a great authentication method — a point that’s been made many times, not least by me on this blog. Passwords are great in theory, but in practice, when users are asked to choose and manage strong passwords, they don’t. They choose easy-to-remember and hence easy-to-guess passwords. And they use the same password on many different sites. Both behaviors are a gift to online criminals targeting WordPress sites.
The best way to make passwords secure is to couple them with another factor of authentication. Often that takes the form of a code created by an app like Google Authenticator or Authy on a mobile device. Users are asked to enter their password and a number generated by the app. Only by entering the number and proving they have possession of the device are they given access to the site. This system works and it’s much more secure than a password alone, but a new two-factor authentication system from Clef aims to make the process even easier.
Like most two-factor authentication services, Clef uses possession of a mobile device as an authenticating factor. Unlike most two-factor authentication systems, it doesn’t ask the user to enter a number or even a password. Instead, the WordPress login system will display a special animation at which the user points the camera on their device. The image is unique, and when it’s recognized by the Clef app on the mobile device, the user is logged in. The app leverages Apple’s Touch ID fingerprint system as the other factor of authentication — to log in, the user must authenticate to the mobile device with a fingerprint and prove that the device is in their possession. If users don’t have a mobile device with Touch ID, the system will fall back to a PIN for verification.
Clef provides a WordPress plugin that makes integration of the service into WordPress sites quite straightforward. The service is free for the first 10,000 logins per month.
It’s worth discussing why TFA needs to be made easier. Entering an additional number isn’t all that taxing, but any additional complexity in the registration or login process for a site reduces conversions. Clef’s main marketing thrust is focused on the way its system can improve registration conversion rates without compromising on security. Users don’t have to remember a password, and the login process is considerably simplified.
In addition to TFA, Clef’s service includes a couple of other handy security features. The company uses data from the user’s device, location, and usage information to filter out fraudulent and abusive login attempts. Clef also implements a clever system called True Logins which attempts to limit the success of phishing attacks — a common tactic of online criminals in which a fake site is created in an attempt to harvest login credentials.
Clef is a novel approach to two-factor authentication on WordPress. Its developers have managed to create an authentication system that improves on passwords without asking too much of users.