Kill Passwords: How To Never Use a Password With WordPress Again

Are you tired of forgetting your password and sending reset emails? WordPress is everywhere and chances are that you have multiple sets of login credentials for your many WordPress sites. Keeping track of all of this login info can be maddening, especially if you’re a developer with hundreds of sites.

Imagine your life without passwords. Believe it or not, you don’t have to trade security for convenience.

Introducing LaunchKey: Your Ticket to Killing Passwords Forever

LaunchKey is a revolutionary new app that brings multi-factor user authentication to websites and apps. Because the use of insecure passwords can create a giant security hole in your WordPress site, many administrators are now opting for an alternative to password-based user authentication.

LaunchKey’s multi-factor authentication happens on your smartphone and/or tablet via the free LaunchKey app. This authentication includes the following three factors:

  • Possession Factor – Your mobile device is tied to you by virtue of your physical possession of the phone/tablet. This is the most difficult one for hackers to exploit.
  • Inherence Factor – LaunchKey offers an optional security feature called geofencing, which uses GPS on your device to make sure that it is physically located within one of the geographical zones that you authorize before authenticating a launch request.
  • Knowledge Factor – Instead of using the traditional passwords for the knowledge factor, LaunchKey makes use of an in-app PIN lock and in-app Combo Lock with PINs and combinations that are encrypted and stored locally on the device.

As you can see, even though you simply swipe to log in, the multi-factor authentication makes the process much more secure than using passwords.

The LaunchKey WordPress Plugin

New WordPress login form with LaunchKey added

LaunchKey has just released its official WordPress plugin to bring its multi-factor user authentication to WordPress sites. To get your site set up you’ll need to activate the plugin and then install the LaunchKey app on your personal device. After you create a user or pair an existing account, you’ll need to “Create new app” within your LaunchKey dashboard for the site you want to add. Step-by-step instructions are included in the plugin’s installation guide.

The first time you log in there will be a pairing process and then once it’s fully set up, you’ll see the “Log In with LaunchKey” option at the bottom of the WordPress login form. From now on you can kiss passwords goodbye! The best part is that both the LaunchKey app and the WordPress plugin are free.

Changing your site to use multi-factor user authentication takes only a couple of minutes to set up with LaunchKey. Are you thinking about switching?

    Having secure access to passwords on a mobile device is great; however, I find we do most administration tasks on our regular computers. That said, we love LastPass. There’s a free version as well as the Enterprise version we use in house. This gives us central control over all passwords in the company, and we can group them by employee job function. This allows us to generate unique secure passwords for every site, and revoke immediately if ever required. LastPass does have a mobile app to access your passwords on the go, and a plugin for WordPress specifically is not required. If you really need two-factor authentication in WordPress, then perhaps LaunchKey may be a solution for those sites.

        I like to use KeePass for the same purposes. It has been great for generating secure login credentials, storing and organizing them, and entering them securely. On top of that, there is a portable version, which you can install on a USB drive (thumbdrive/jumpdrive), your smartphone, etc. You can even install the program on your computer, jumpdrive, phone, etc., but store the database in the cloud (it is encrypted).

        My question about actual vs. perceived security with LaunchKey (and I have just asked this, in their Helpdesk) is, when you pair LaunchKey with your WP Admin account, are you still able to access your account with just your username and password? Say, for example, you set up the geo-fencing feature, and you are out of the geo-fenced area but need to log in. If so, then your security is really still determined by your username/password. In which case, LaunchKey is not really increasing security, as much as providing another login option.
        Sarah – do you know the answer to this?


          Hi Michael,

          In reference to your question, after pairing LaunchKey with your WP admin account, your WordPress username/password will still exist and you’ll still be able to access WordPress using your original WP credentials (as will all WP users). We do this to ensure you don’t unintentionally lock yourself out of WP upon plugin activation. As you correctly alluded to, in order to reap the full security benefits of LaunchKey you should get rid of passwords. While this is something an admin will have to do manually in this version of the plugin, future versions will allow admins and users to remove passwords automatically after pairing or via an option in the LaunchKey settings page.

          Also, while password managers like KeePass fulfill a service necessary in the password ecosystem we’re currently in, they simply can’t protect against any of the inherent weaknesses password-based authentication creates. A “good” password saved in KeePass doesn’t protect you against a site that doesn’t properly secure that password, nor does it protect you from common attack vectors like phishing or social engineering. Even if they somehow could protect you, the mere fact that password-based systems can be bypassed by a computer or user merely guessing the correct combination of characters invalidates the idea that passwords can ever be a valid form of authentication.

          Thanks for your feedback!
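
The password fallback discussed in the two comments above can be closed per user with a small must-use plugin. This is an added example, not code from LaunchKey or from the original post; the meta key `example_passwordless_paired` and the `breakglass-admin` account are hypothetical, and it assumes the passwordless plugin establishes the session without going through WordPress's password check.

```php
<?php
/**
 * Plugin Name: Block password login for paired users (added example)
 *
 * Assumption: PAIRED_META_KEY is a hypothetical user-meta flag the site sets
 * once a user has paired a device. It is not the LaunchKey plugin's own key.
 */

const PAIRED_META_KEY   = 'example_passwordless_paired'; // hypothetical flag
const BREAK_GLASS_LOGIN = 'breakglass-admin';            // hypothetical recovery account

/**
 * Hooked on 'wp_authenticate_user', which WordPress applies after the user
 * record is found and before the password hash is checked. Returning a
 * WP_Error aborts the password login (wp-login.php and XML-RPC alike).
 */
function example_block_password_for_paired( $user, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user; // an earlier check already rejected this attempt
    }

    // Keep one recovery account on a long random password so that a lost
    // phone or a geofence mismatch cannot lock every admin out.
    if ( BREAK_GLASS_LOGIN === $user->user_login ) {
        return $user;
    }

    if ( get_user_meta( $user->ID, PAIRED_META_KEY, true ) ) {
        return new WP_Error(
            'password_login_disabled',
            __( 'Password login is not available for this account.' )
        );
    }

    return $user; // unpaired users keep the normal password flow
}
add_filter( 'wp_authenticate_user', 'example_block_password_for_paired', 10, 2 );

// Application passwords (WordPress 5.6+) use a separate code path, so
// switch them off for paired users as well.
add_filter( 'wp_is_application_passwords_available_for_user', function ( $available, $user ) {
    return $available && ! get_user_meta( $user->ID, PAIRED_META_KEY, true );
}, 10, 2 );
```

Monitor failed logins carrying the `password_login_disabled` error code: a password attempt against a paired account is a useful signal that someone is trying stolen or guessed credentials.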

    You don’t access WordPress from your mobile device, you just authenticate with it. I talked to these guys at SXSW in March and I’m glad they’ve finally released their WordPress plugin. From the little bit I played with LaunchKey during their beta period, it looked to be even easier to use than Google Authenticator. For something that end users might eventually use, easy is a primary requirement.

    You guys are talking about KeePass solutions as if this is solely intended to replace your password. This can be an additional layer of security, with some extra features thrown into the mix.

    As posted above, you still have to authenticate to your account when mapping the service to your profile. After that you can log in with just a username and phone.

