Many WordPress users were disappointed to hear that two-factor authentication provider Clef is shutting down. Clef was popular with WordPress site owners because it let them add an extra layer of security to their site without the complexity associated with other two-factor authentication systems. With over a million installations, the loss of Clef was a serious blow to WordPress site owners.
In March, the team behind the UpdraftPlus backup service announced that they planned to step into the space vacated by Clef. Their brand new two-factor authentication service, Keyy, is now live, and it has many of the same features as Clef.
For those who are unfamiliar with two-factor authentication, it allows site owners to demand an identifying credential in addition to the usual username / password combination. Username and password combinations can be very secure, but in the real world they tend to be a liability. Users often fail to choose a secure password, they may use the same password on more than one site, or otherwise make the life of criminals easier than it should be.
To take a common example, simple passwords can often be quickly cracked by brute-force bots. Many WordPress sites are compromised because an admin user picked “pa55word” as their password, or an equally guessable combination.
The second factor of authentication is typically associated with an item in the possession of a user: a smartphone or dedicated device that displays a one-time code. In addition to their username and password, the user has to enter the code presented to them by the authenticated object in their possession.
It’s much harder for attackers to compromise a site using two-factor authentication, but many users find the process of logging in with two-factor authentication overly burdensome. Clef, on the other hand, was supremely easy to use, as is Keyy.
With Keyy, users don’t have to enter usernames, passwords, or one-time codes. Instead, when they are ready to log in, users are shown a graphic which they scan with the Keyy app on their phone. Keyy works in essentially the same way Clef did. The app on the user’s smartphone creates a public key pair, the private part of which remains on the device, while the public key is shared with Keyy’s server. When the user wants to log in, the Keyy service generates an image tied to the session. The app scans that image and signs it with the private key before sending it to the Keyy servers, which verify the user has possession of the private key and logs them in using OAuth.
Clef provided other services like single-sign on, which aren’t available yet with Keyy, but the company plans to launch an SSO service in the coming months.
It’s worth mentioning that Keyy is a very new service, and it may be subject to the occasional glitch as the team works out the kinks. But it’s great to see an established and sustainable WordPress company with a track record of successful WordPress services step up to provide such an important security service.