Passwords suck. In theory, they’re an excellent way of verifying identity, provided a few fairly simple rules are followed. In practice, most users follow almost none of those rules, which undermines any identity validation and security functions that passwords are supposed to provide. Users tend to choose simple passwords that are easy to remember and easy to hack.
A recent study showed that 95% of sites can be compromised using freely available password dictionaries. Since WordPress is particularly targeted by botnet owners looking to compromise sites (more as a result of its popularity than of any particular vulnerability in WordPress), it’s time for site owners who are serious about security to look beyond the password.
A simple password login system is a one-factor identity verification method. Adding additional factors significantly increases the site’s level of security. Multi-factor authentication is available in a variety of forms. You might be familiar with Google Authenticator, which has a WordPress plugin and is available for a wide range of mobile devices. The idea here is that a second factor, something the user has, is added to the usual password, which is something the user knows. The app generates a code that is used in addition to the password.
While Google Authenticator is a great way to get multi-factor authentication on a WordPress site, a new service called LaunchKey, which is currently in public beta, offers a wider range of authentication factors.
LaunchKey does away with passwords altogether in favor of various authentication factors associated with mobile devices. Much like Google Authenticator, the first of these factors is possession. While it’s possible for smartphones and tablets to be stolen, without the device in hand hackers can’t compromise a site, which makes gaining access much harder than guessing an insecure password.
LaunchKey goes beyond Google Authenticator in offering two additional authentication factors. Firstly, the service uses an inherence factor, also known as ‘something the user is’. Because of the unreliability of current biometric authentication techniques like fingerprint scanners, the service instead takes advantage of the ubiquity of GPS and uses geofencing as a factor. LaunchKey users can limit access to those who are within a predetermined geographic area: an office or home for example. If the smart device is stolen, it’s unlikely that the thief will attempt to access a site using the device from the location in which it was stolen.
Secondly, LaunchKey provides a knowledge factor. Passwords are the traditional knowledge factor, but LaunchKey puts a slightly different spin on this and instead uses a PIN lock, or what they call a combo lock. The idea behind a combo lock is similar to the rotary lock on a safe, using a unique combination of circular motions instead of a simple code or other gesture.
The combination of these three authentication factors leads to a site that is considerably more difficult to compromise than one using just a password, no matter how secure that password is.
If you’re interested in giving LaunchKey a go, you’ll need the WordPress plugin and one of their mobile apps, which are available for iOS and Android.