Jump to content

Welcome to the forum:

Welcome to the iThemes forum. We've created several tutorial video's to help you get you started with using the forum, please check them out!

Also take note of the forum guidelines.

Support hours:

Our moderators actively respond to forum support requests during normal business hours which are Monday-Friday, 8am - 5pm Central Standard Time, typically within one business day. Although some moderators choose to work during the weekends, we can not guarantee immediate attention to your requests. Thanks for understanding.

What is included with support:

Premium support includes theme/plugin issues such as: bugs encountered under normal operation, how to use basic features, basic WordPress help, and basic help with customization (meaning we point you to resources and will help in more depth as time allows). More information.

Ithemes Security 2 Factor

security 2Factor strong password

This topic has been archived. This means that you cannot reply to this topic.
No replies to this topic

#1 Guest_Bill B_*

Guest_Bill B_*
  • Guests

Posted 06 May 2014 - 09:54 PM

The iThemes pruct is really good. I am debating paying for pro, mainly for the 2 Factor feature. However, as a security professional myself (specialize in 2 Factor), I am surprised that this is only going to support one time password codes. I have a couple of issues with this, and anyone serious about security would.

a) One time password codes are vulnerable, especially on mobile or SMS. This is fie, bu to mitigate this, you should let the customer choose their target source for authentication (Symantec VIP, Google Authenticator, their own). given that I have zero idea about how o where your auth service is located, what policies are in place, it is meaningless to me. Is your auth server in a garage in Russia? I have no idea.You may want to just implement VIP and let people get a mobile app/device from them or take the Yubico route leveraging U2F.
B) Ideally i would like the option to use certificates and smart cards. You should let customers, for a fee, let them define the OCSP their cert/card can authenticate to,.

I think otherwise you are going to be pretty outdated fairly soon for a variety of reasons, despite some similar approaches in the market, will be driven to mature.

thanks for listening.