In the Feature Spotlight posts, we are going to highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we are going to cover Magic Links and Passwordless Logins, two great features in the iThemes Security Pro plugin.
iThemes Security Pro is great at locking out bad guys. However, if a bad guy used the username Bob in a brute force attack, and Bob is an actual user on the site, Bob would unfortunately be locked out along with the attacker.
The next time Bob tries to log in, he is met with the iThemes Security lockout message. If Bob is the site administrator, he would either have to wait for the lockout to expire or manually disable iThemes Security Pro via FTP.
If Bob is your client, he is likely to overestimate the seriousness of the lockout and frantically reach out to you, wondering why you let his site get hacked. You would then have to explain that the lockout is evidence of you protecting his site, and then clear the lockout using Sync Pro, or log into the site and clear it from the iThemes Security widget, so that he can log in again.
Even though it feels great to stop bad guys from breaking into a site, we don’t like it when security affects real users’ experience. So, we wanted to create a way to allow Bob to log in even when his username has been used in a brute force attack. We never want a site manager to have to spend their valuable time clearing lockouts.
What are Magic Links?
Magic Links allow you to log in to your WordPress site while your username is locked out by the iThemes Security Local Brute Force Protection feature.
When your username is locked out, you can request an email with a unique login link. Using the emailed link will bypass the username lockout for you, while brute force attackers are still locked out.
How to Use Magic Links in iThemes Security Pro
All you need to do to start using Magic Links is to enable them on the main page of the iThemes Security Pro Security Settings.
If you encounter a lockout after enabling Magic Links you will be presented with an option to send a Magic Link to your email address.
Simply click the “Send authorized login link” link to receive your Magic Links email.
Once you receive the email, use the link, enter your credentials and you will be back in your site!
By definition, every security measure is designed to decrease the convenience of whatever is receiving the added security. For added security, the front door of my house has a lock on it. The lock requires the extra step of using a key to unlock the door before it opens. Adding the extra step to enter my home is probably a good idea even though it would be easier without a lock.
The same goes for your online accounts. Using a strong, unique password and two-factor authentication will protect you from 100% of brute force attacks. Unfortunately, there are still many people reusing their same weak password and not using any form of two-factor.
Those of us in the security community often have a hard time understanding why it is so hard to convince people to sacrifice a little convenience to gain a huge amount of security. We don’t even think about having a unique lock for each physical door we enter–I have a key for my car, wife’s car, house, office, and mailbox–so, why does using a unique password on our virtual door seem so inconvenient?
Why Did We Develop Passwordless Logins for WordPress?
We in the security community have started to realize that we have always made security more confusing than it needs to be. Once you have a key for a physical door, you are done. However, with password security, we have made a bunch of rules that can be overwhelming. To make matters worse, it doesn’t seem like we can agree on what the rules for creating a strong password should be.
Whether we in the security community want to admit it or not, using a password manager and two-factor authentication can be a pain and time consuming, especially as we move more and more of our lives online.
So we wanted to create a way for people to get all of the security that a strong and unique password provides without sacrificing the usability.
What are Passwordless Logins?
Passwordless login is a new way to verify a user’s identity without actually requiring a password to log in. We took the idea of the Magic Links and evolved it into a new login method that allows you to require users to use strong passwords and two-factor authentication without ever entering a password or an extra authentication code.
How to Use Passwordless Logins
To get started using Passwordless Logins, enable the module on the main page of the security settings.
Enable the Passwordless Login module and then click the Configure Settings button.
In the Passwordless Login settings, be sure to select which users can use the login method and bypass two-factor when using the method.
Now that you have enabled Passwordless Logins, you can enforce strong passwords and two-factor requirements without negatively impacting the experience for the users on your site.
How the Passwordless Login Method Works
When logging in you will be asked to choose a login method. Click the Email Magic Link button to send the email containing the passwordless login link.
You will now see a message confirming the email has been sent.
In your email inbox, open the Magic Link email and click the Login Now button.
And that is it, no entering of a password or two-factor token. This means that once you enable Passwordless Login, you don’t have to know your complicated password or copy and paste an extra code to log in. However, those bad guys trying to brute force your site will have a 0% success rate.
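Both flows described above, the Magic Link that skips the username lockout but still asks for your credentials, and the Passwordless Login where the emailed link alone logs you in, rest on the same mechanism: a random, short-lived, single-use token sent to the address on the account. The following is an added example written for this post, not iThemes code and not the plugin's implementation, that models that mechanism in Python so the security properties are visible: only a hash of the token is stored, the token expires, it is consumed on first use, a request for an unknown username sends nothing, and the lockout entry for the username is left in place so the attacker stays locked out. The 15-minute lifetime, the 5-attempt lockout threshold, the in-memory stores and the `outbox` list standing in for email delivery are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a login link is valid for 15 minutes
LOCKOUT_THRESHOLD = 5         # assumption: failed password attempts before a username lockout
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the user store never holds a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """Toy stand-in for a login flow with brute force lockouts and emailed login
    links (constructed for this example). Everything is in memory; `outbox`
    stands in for the mail transport."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # username -> {"email", "salt", "pw_hash"}
        self.failures = {}   # username -> consecutive failed password attempts
        self.locked = set()  # usernames currently locked out
        self.tokens = {}     # sha256(raw token) -> {"user", "purpose", "expires"}
        self.outbox = []     # (recipient email, raw token) pairs "sent" by email

    def add_user(self, username, email, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"email": email, "salt": salt,
                                "pw_hash": hash_password(password, salt)}

    def _password_ok(self, username, password):
        user = self.users[username]
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))

    def password_login(self, username, password):
        """Ordinary username/password login, subject to the username lockout."""
        if username not in self.users:
            return "bad_credentials"
        if username in self.locked:
            return "locked_out"
        if self._password_ok(username, password):
            self.failures[username] = 0
            return "ok:" + username
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked.add(username)
        return "bad_credentials"

    def send_login_link(self, username, purpose):
        """purpose is "lockout_bypass" (Magic Link: credentials still required)
        or "passwordless" (the link alone proves control of the mailbox)."""
        user = self.users.get(username)
        if user is None:
            return  # stay silent so the request does not reveal which usernames exist
        raw = secrets.token_urlsafe(32)                      # 256 bits of randomness
        digest = hashlib.sha256(raw.encode()).hexdigest()    # only the hash is stored
        self.tokens[digest] = {"user": username, "purpose": purpose,
                               "expires": self.clock() + TOKEN_TTL_SECONDS}
        self.outbox.append((user["email"], raw))

    def redeem_link(self, raw_token, password=None):
        """Log in with an emailed token. The token is consumed on the first
        attempt, successful or not, so a leaked link cannot be retried."""
        digest = hashlib.sha256(raw_token.encode()).hexdigest()
        record = self.tokens.pop(digest, None)
        if record is None or record["expires"] < self.clock():
            return "invalid_token"
        username = record["user"]
        if record["purpose"] == "lockout_bypass":
            # The username lockout is skipped, but the password is still checked.
            if password is None or not self._password_ok(username, password):
                return "bad_credentials"
        # The lockout entry itself is left untouched, so brute force attempts stay locked out.
        return "ok:" + username
```

Two design choices are worth noting. Storing only the SHA-256 of the token means a read of the token table does not yield usable links, and popping the record before checking anything means a link is dead after one click whether or not the click succeeded. Whether a passwordless token should also be allowed to skip two-factor is the policy decision the Passwordless Login settings expose per user role; the example treats the emailed link as the sole factor for the "passwordless" purpose.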
As you can see, both Magic Links and Passwordless Logins in iThemes Security Pro can add a strong layer of security to your site without any added inconvenience.
Don’t miss the next edition of iThemes Security Pro feature spotlight. We are turning the spotlight on Trusted Devices, a great tool to protect your WordPress admin and to prevent session hijacking.