Instead of using a username/email and password to log in to WPMUDEV Dashboard in WP, how about this?

Hey folks,

Suggestion #1: What do you think about allowing us to create API keys for the purposes of using them for our password? We could also create multiple ones on the fly (similar to some SMTP services out there, for example). Then, if we need to deactivate one for x reason, it would not affect the others?
For example, like this http://screencast.com/t/9lAyjfU2G and this http://screencast.com/t/yUjmojyrm to give you an idea of what I mean more.

and

Suggestion #2: This one may be more advanced, but I'm not sure. But I wanted to see if it is possible (you would first have to implement #1 above for this to be applicable, of course). As mentioned, some SMTP services do just this. AWESOME for security, 'cause we would not have to expose our username or password etc. Some are now able to not require usernames to be typed in the WordPress admin areas if using an API key as a password. So, for more security, so we would not even have to put in our usernames in WordPress, what do you think of this? See http://screencast.com/t/MrIvwQBa (it is basically a username injection based on the API call).

Very interested to see your feedback on this one . . .

:slight_smile:

Greg

  • Luís

    Hi Greg,

    Hope you're doing well today!

    Honestly, I am not sure about the requirements to implement something like that (advantages vs disadvantages).

    But what is the basis for these suggestions? The possibility to create multiple WPMU DEV accounts to share with your clients, so they can access the WPMU DEV dashboard with their own account instead of your account?

    Avoid inserting the username and password in the WordPress admin dashboard?

    Cheers, Luís

  • Greg

    Luís

    I have seen SMTP services do the API key implementation and username injection implementation and thought it would be great for security.

    1. For security and the ability to not expose our usernames on multiple WP installs (via other future admin users or hackers etc) . . . they would not have the username of our login credentials (keeps it secured and non-exposed). When removing a site from the wpmudev website that removed the login on the WP site (which is great) but it still exposes our usernames. So, it just makes good sense to do if possible. After all, half the battle is knowing the username of any login credential, ya know . . . smile.

    2. Having different API keys would allow us to have different keys for different reasons that people may want to have for their clients or their own sites etc. So, if one group has 5 sites, then we could revoke an API key and thereby deactivate multiple sites in one click versus affecting all the sites ('cause right now we only have one API key). We are talking about using an API key for the password to log in.

    I am sure there are other use cases for both . . . generally, with the advent of API keys, I am seeing a trend of people using them to secure login credentials in many different types of apps (along with giving more control over who is given access to what etc).

    3. Also, having control over the username and password via API key all helps in case we do not have access to a particular WP site any longer. We can remotely remove access and not expose our username.

    4. There is also the thought of some admins or hackers gaining access to all our account information with wpmudev in the dashboard area to see our account info, credit card info, communications, ability to open threads without us knowing etc too. I know, a little more remote but pretty easy to do.

    So, this is forward-thinking (especially in light of future security issues).

    :slight_smile:

    To more security and forward-thinking,

    Greg
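
A minimal sketch of the scheme proposed in this thread, added here as an example and not part of any post or of WPMU DEV's code: several independently revocable keys per account, grouped by client, with the account resolved from the key so no username is stored on the WordPress site. The class, method names, `key_` prefix and sample account/group names are all hypothetical.

```python
import hashlib
import secrets


class KeyRegistry:
    """Hypothetical service-side store of API keys (not WPMU DEV's code)."""

    def __init__(self):
        self._records = {}  # sha256(key) -> record; plaintext keys are never stored

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, account, group):
        """Create a key for `account`, tagged with a client `group`."""
        key = "key_" + secrets.token_urlsafe(32)  # 256 bits of randomness
        self._records[self._digest(key)] = {
            "account": account, "group": group, "active": True}
        return key  # shown to the owner once, then pasted into one WP site

    def authenticate(self, key):
        """Resolve the account from the key alone; the site sends no username."""
        rec = self._records.get(self._digest(key))
        return rec["account"] if rec and rec["active"] else None

    def revoke_key(self, key):
        """Disable one key, e.g. for a site the owner can no longer reach."""
        rec = self._records.get(self._digest(key))
        if rec:
            rec["active"] = False
        return rec is not None

    def revoke_group(self, account, group):
        """Disable every key of one client group in a single call."""
        hit = [r for r in self._records.values()
               if r["account"] == account and r["group"] == group and r["active"]]
        for r in hit:
            r["active"] = False
        return len(hit)


def demo():
    reg = KeyRegistry()  # constructed sample data below
    client_a = [reg.issue("greg", "client-a") for _ in range(5)]
    own_site = reg.issue("greg", "own-sites")
    revoked = reg.revoke_group("greg", "client-a")
    return revoked, [reg.authenticate(k) for k in client_a], reg.authenticate(own_site)


if __name__ == "__main__":
    print(demo())
```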
