Two-Factor For All
…almost.
So, in the spirit of bringing ubiquitous two-factor authentication closer to the masses (because the excuses are disappearing), I spent a few hours hacking together a Wordpress hack (plugin) that uses Twitter’s direct message capability to deliver a one-time PIN when you log in to your Wordpress administration screen. The intent is that the direct message is forwarded to your mobile via SMS, so the PIN effectively arrives as an SMS one-time PIN, mimicking the SMS PIN authentication used by financial institutions.
Of course, by using this hack you introduce a number of dependencies, primarily Twitter’s service itself, which doesn’t have a great track record, but also your mobile phone’s network. In addition, the fact that it is a hack, not a plugin, is also a potential pitfall. That last issue is because I don’t actually know how to write a Wordpress plugin properly. Not for lack of trying; I can’t help it that one of the “pluggable” functions in Wordpress didn’t want to be overloaded. In fact, I’m not entirely sure that functions in version 2.6 can be overloaded(?).
I also have to admit that whilst the motivation is to introduce a second factor of authentication, something you know (your password) and something you have (your mobile phone), by using Twitter’s services you don’t actually need a mobile phone to get your PIN. So if you check your direct messages via the web interface, it’s really one-by-one factor authentication, not two-factor, and we all know what 1 × 1 equals, don’t we? But you get the point.
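The mechanism described above (password check first, then a one-time PIN delivered out of band, then a second check) is worth seeing in code. The following is an added example, not the author’s Wordpress hack; it is written in Python rather than Wordpress PHP so the logic stands on its own, and it swaps the Twitter direct message for a pluggable `send` callback (a hypothetical transport you would replace with the real delivery channel). The points a defender cares about are built in: only a salted hash of the PIN is stored, the PIN expires, it is single use, and a handful of wrong guesses discards it. As the post notes, none of this changes the fact that the second factor is only as strong as the channel the PIN travels over.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 6          # length of the one-time PIN
PIN_TTL_SECONDS = 300   # a PIN is useless after five minutes
MAX_ATTEMPTS = 3        # wrong guesses allowed before the PIN is discarded


@dataclass
class PendingPin:
    """Server-side state between issuing a PIN and checking it.

    Only a salted hash is kept, so a leaked database row does not reveal
    a still-valid PIN.
    """
    salt: bytes
    digest: bytes
    expires_at: float
    attempts: int = 0


class OneTimePinLogin:
    """Second login step: issue a PIN out of band, then verify it once.

    `send(username, text)` is a hypothetical transport standing in for
    the Twitter direct message (and onward SMS) the post describes.
    `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, send, clock=time.time):
        self._send = send
        self._clock = clock
        self._pending = {}  # username -> PendingPin

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + pin.encode()).digest()

    def issue(self, username: str) -> None:
        """Call after the password check succeeded: mint and deliver a PIN."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[username] = PendingPin(
            salt=salt,
            digest=self._hash(pin, salt),
            expires_at=self._clock() + PIN_TTL_SECONDS,
        )
        self._send(username, f"Your login PIN is {pin}")
        # The plaintext PIN is deliberately not retained after sending.

    def verify(self, username: str, candidate: str) -> bool:
        """Return True once, for the correct PIN, within its lifetime."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[username]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(self._hash(candidate, entry.salt), entry.digest)
        if ok or entry.attempts >= MAX_ATTEMPTS:
            # Single use: consumed on success, thrown away after too many
            # failures so the PIN space cannot be searched.
            del self._pending[username]
        return ok


def demo():
    """Constructed walk-through using a recording transport instead of Twitter."""
    outbox = []

    def fake_send(user, text):
        outbox.append((user, text))

    login = OneTimePinLogin(fake_send)
    login.issue("christian")
    pin = outbox[-1][1].split()[-1]  # what the user would read off their phone

    first = login.verify("christian", pin)   # True
    replay = login.verify("christian", pin)  # False: already consumed
    return first, replay
```

In a real deployment the pending entries would live in persistent storage keyed by the session, and `issue` would only be reached after the password check passed; the replay check in `demo` is the property that makes a “one-time” PIN one-time.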
Regarding the good work done on the Phonefactor plugin, I just want to say that I was halfway through this hack when I read about Phonefactor, and it didn’t support calling Australia, so that meant I was out. The quality of their work is great though.
I’ll release the details soon.
Posted by Christian
4 August 2008
7 Responses to “Two-Factor For All”
Gillis Says: August 5th, 2008 at 3:54 am
Alternatively, for the Phonefactor verification you could use something such as Skype, GrandCentral, or some other VOIP web solution so that you get around the “can’t call to Australia” problem.
@Gillis Yeah, I’m aware of some methods to get around the Phonefactor-to-Australia problem. I was just having too much fun tinkering with Wordpress :D
Gillis Says: August 5th, 2008 at 8:54 pm
@Christian I actually really enjoy reading about what you did. Great idea; does it work in practical implementation?
@Gillis Let’s just say that it’s been working for the past few weeks, including just then when I logged in to approve your comment :D
Of course, I’m awaiting the all too familiar “fail-whale” (http://failwhale.com/) to show me who’s boss!
Alex Says: August 26th, 2008 at 4:23 am
That is the most awesome thing I’ve ever heard of. An AIM (Skype/whatever) bot would be interesting, too.
Can’t wait to try the plugin.
@Alex Twitter USED to have an AIM/GChat bot. But I think it died, just like the Australian Twitter SMS functionality. And seriously, this is more a hack than a plugin :P
un-excogitate.org » Blog Archive » Wordpress Twitter 2FA Plugin (*cough* hack *cough*) Says: November 6th, 2008 at 7:23 pm
[...] a few months ago I mentioned that I’d been working on a plugin (more what I’d like to call a hack, please anyone out [...]