This is a plugin for WordPress that provides multifactor authentication with one-time passwords using the Yubikey USB token.
The plugin uses the Yubico Web service API in the authentication process.
The one-time password requirement can be enabled on a per user basis.
Unzip plugin into your /wp-content/plugins/ directory.
Enter Key ID on the Users -> Profile and Personal options page.
Enter Yubico ID & API key on the Settings -> Yubikey options page.
Id/key confused ? Well the Key ID is the first 12 chars from the output Your Yubikey generates,
they don’t change, the Yubico ID and API Key is used when communicating with the Yubico authentication server.
FAQ
How much does the Yubikey cost ?
A single Yubikey is $40
Are there any special requirements for my WordPress/PHP installation ?
PHP5 with Hash & Curl libs enabled.
I have a lot of users on my WordPress installation, do they all need Yubikeys ?
On some WP sites it works, but on others it doesn’t work. Must be a ‘conflict’ somewhere. Too bad there is no logging to see where it goes wrong. As soon as I rename the woo-yubi folder, to disable the plugin, I can login again.
at first i wasnt’ sure who i can trust. i mean this plugin is written by a stranger, not yubikey. So i got my unique api key from yubikey.co and installed it. Entered it into the plugin. enabled the user from user/profile, plugged in my key to generate a key, saved, logged out and logged back in and it worked. I tried any NON enabled user and of course did not enter a key via my key and got in. So here’s my test that this plugin author is actually communicating with yubikey.co, I changed just one letter in my api id and tried logging in, and i could NOT. Soo… this tells me that it’s trying to communicate with yubi apparently to authenticate, otherwise it would not know. Alternately, i could have deleted my api key from yubikey.co to test. regardless, it works seamlessly. I’m using WP 5.8.6
It appeared on the login screen but then caused login to fail “Incorrect Username or Password”. I had to delete the plugin folder from the server to get in to my WP admin. I’m new to Yubikey so the error could be in how I use my new keys (though I added them both to the WP admin profile and the Yubikey API to the plugin settings page). I love the idea – wish it would work for me.
Thanks for an amazing plugin. Hopefully the maintainer is looking and will update things to show they are tested as working with WP 5.4, since it does.
So nice to have the possibility of adding an extra layer of security to WordPress admin panel. Plugins is working perfect with version 5.3.2. I encountered some semantic issues, thus, using in WordPress “Yubico API ID and Yubico API key” vs “Client ID and Secret Key” on Yubico’s site, not important.
Exactly what I was looking for. Just install, activate it and get/insert an API Key (which can be obtained in seconds).
Subsequently every user can manage the Yubikey-Settings right in the profile.
Nothing more, Nothing less.