WordPress two-factor authentication with low-cost YubiKey USB token

WordPress is a versatile platform used by a large number of bloggers worldwide. This article will show you how to add a low-cost two-factor authentication mechanism to your WordPress installation. For the setup I will be using YubiKey, a small USB token produced by the Sweden-based company Yubico. The main benefits of the device are its small size, ease of use and price.

If you are buying up to 9 units of YubiKey, you will pay just $25 per device. For larger volumes the price can go down to $10 per piece. Help Net Security staffers met with Yubico during the RSA Conference 2009 in San Francisco and got hold of a couple of YubiKeys. The device doesn’t need any client software; everything is done through third-party services that connect to the Yubico Web Service APIs. Because of this, there are hundreds if not thousands of different ways of using YubiKey at this moment. The photo above shows a YubiKey connected to an Apple Mac notebook – I tested the device on Mac OS X as well as on different Windows computers, and the functionality was exactly the same.

Setting up YubiKey to work with your WordPress blog will take you about 5-10 minutes, which is a fast way to step up your login security from a password alone to two-factor authentication.

Step 1: Download and install YubiKey-plugin
Danish developer Henrik Schack coded a YubiKey plugin for WordPress. Your PHP installation must have the Hash and Curl extensions enabled, otherwise the plugin won’t work; they are enabled by default in almost every PHP installation. You can download the YubiKey plugin from the WordPress repository, but it is easier to install it through your admin interface by searching the plugins for the term “Yubico”.

Please note that you will need WordPress version 2.5.0 or higher. I tested it on the current version at the time of this writing – WordPress 2.7.1.

Step 2: Create your own Yubico ID and API Key
The API key is used to optionally sign the one time password (OTP) validation request and to verify the OTP validation response. To get an API key, you should go to the following address:

At the above link you will find an online API key generator. It will assign you an ID and create a shared key. You can use the shared key to authenticate that the API responses do in fact come from Yubico.

Punch in your email address and use your mouse to click in the “YubiKey OTP” form field. While this field is active in your browser, press the circle button on the YubiKey USB unit. It will automatically type a series of characters and submit the form.

You will be presented with your Yubico ID and API Key.

Now you are ready to finalize the setup within your WordPress administration interface.

Step 3: YubiKey plugin options
First, activate the plugin if you have not already done so. In the Settings menu, you will now see a YubiKey option.

Clicking this link opens the YubiKey plugin options, where you need to enter the Yubico ID and API Key that were given to you in the previous step.

Step 4: Edit your user details

In the last part of the YubiKey integration, open the “Your profile” settings and edit your user profile. Select the radio button that says “Use Yubico server” and use your mouse to click in the “Key ID” field. While this field is active in your browser, once again press the circle button on the YubiKey USB unit. When this step is finished, save your settings and log out of the interface.

YubiKey two-factor authentication in action
By opening the WordPress administration login screen, you will see another password field called “YubiKey OTP”.

Enter your username and password, click in the YubiKey field, press the circle button on the device and voilà, you are securely authenticated. No one without your YubiKey device will be able to log in, even if they sniff the characters your YubiKey typed – it is just a one-time password.
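The login flow described above, together with the request signing and reply verification the API key from Step 2 exists for, as an added Python example. This is not code from the YubiKey plugin or from Yubico; it shows what the plugin's PHP Hash and Curl dependencies are needed for. The client ID, API key, OTP and Yubico reply are constructed sample values, and the signing rule (HMAC-SHA1 over the alphabetically sorted parameters, keyed with the base64-decoded API key) follows Yubico's published validation protocol.

```python
"""Added example (not the plugin's or Yubico's code): sign a Yubico OTP
validation request, verify the signature on the reply, and check that the
OTP came from the YubiKey enrolled as the user's "Key ID" in Step 4.
All credentials and the reply below are constructed sample values."""
import base64
import hashlib
import hmac
import secrets

# The YubiKey types its OTP in "modhex", 16 letters that sit on the same
# physical keys in almost every keyboard layout.
MODHEX = "cbdefghijklnrtuv"

# Constructed sample values (assumptions for this example, not real credentials).
CLIENT_ID = "1234"
API_KEY_B64 = base64.b64encode(b"constructed sample api key").decode()
SAMPLE_OTP = "ccccccbcgujh" + "ingjrdejhgfnuetrgigvejhhgbkugded"


def public_id(otp: str) -> str:
    """Return the public ID (the 'Key ID' stored in the profile in Step 4).

    The last 32 modhex characters are the encrypted, single-use part; what
    precedes them (normally 12 characters) identifies the token itself.
    """
    if not (32 <= len(otp) <= 48) or any(c not in MODHEX for c in otp):
        raise ValueError("not a modhex YubiKey OTP")
    return otp[:-32]


def otp_belongs_to_user(otp: str, enrolled_key_id: str) -> bool:
    """A valid OTP from someone else's YubiKey must not log this user in."""
    try:
        return hmac.compare_digest(public_id(otp), enrolled_key_id)
    except ValueError:
        return False


def _sign(params: dict, api_key_b64: str) -> str:
    """Yubico's signing rule: HMAC-SHA1 over 'k=v&k=v' with keys sorted
    alphabetically, keyed with the base64-decoded API key, base64 output."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params))
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_verify_params(client_id: str, otp: str, api_key_b64: str,
                        nonce: str = "") -> dict:
    """Parameters of the validation request (the plugin sends these with Curl).
    The nonce ties Yubico's reply to this exact request."""
    params = {"id": client_id, "otp": otp, "nonce": nonce or secrets.token_hex(16)}
    params["h"] = _sign(params, api_key_b64)
    return params


def check_reply(body: str, api_key_b64: str, sent: dict) -> bool:
    """Parse the key=value reply; accept only a correctly signed 'OK' that
    echoes the otp and nonce we sent. Anything else is not Yubico's verdict
    on this OTP (spoofed reply, replayed reply, or a rejected OTP)."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            fields[k] = v
    reply_sig = fields.pop("h", None)
    if reply_sig is None or not hmac.compare_digest(reply_sig, _sign(fields, api_key_b64)):
        return False
    return (fields.get("status") == "OK"
            and fields.get("otp") == sent["otp"]
            and fields.get("nonce") == sent["nonce"])


def constructed_reply(sent: dict, api_key_b64: str, status: str = "OK") -> str:
    """Stand-in for Yubico's reply so the example runs offline (constructed)."""
    fields = {"t": "2009-04-20T12:00:00Z0000", "otp": sent["otp"],
              "nonce": sent["nonce"], "sl": "100", "status": status}
    fields["h"] = _sign(fields, api_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in fields.items())


def login_ok(otp: str, enrolled_key_id: str, reply: str, sent: dict) -> bool:
    """Both checks the second factor needs once the password check has passed."""
    return otp_belongs_to_user(otp, enrolled_key_id) and check_reply(reply, API_KEY_B64, sent)


if __name__ == "__main__":
    sent = build_verify_params(CLIENT_ID, SAMPLE_OTP, API_KEY_B64)
    reply = constructed_reply(sent, API_KEY_B64)
    print("key id:", public_id(SAMPLE_OTP))
    print("login ok:", login_ok(SAMPLE_OTP, "ccccccbcgujh", reply, sent))
    tampered = reply.replace("status=OK", "status=REPLAYED_OTP")
    print("tampered reply accepted:", login_ok(SAMPLE_OTP, "ccccccbcgujh", tampered, sent))
```

Two points are worth noting. Yubico's server only answers whether the OTP is genuine and unused (its counter is what makes the code a one-time password), so the plugin itself must compare the OTP's public ID with the Key ID saved in the user profile; without that comparison any valid YubiKey would satisfy the second factor. And the reply must be tied to the request through the nonce and the shared-key signature, otherwise a captured "OK" reply could be presented again for a different login.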
