The iThemes Security Pro plugin just added a new way for you to lock down your WordPress site while making it easier for you to log in: Passwordless Logins.
iThemes Security Pro already offers several ways to secure user logins on your WordPress site:
- The Password Requirement feature prevents the use of a weak password.
- Using the built-in Have I Been Pwned database check, iThemes Security Pro makes sure the password hasn’t appeared in a known database breach.
- With iThemes Security Pro, you can require everyone to use Two-Factor Authentication when logging in.
Now iThemes Security Pro has a new login method that allows you to require users to use strong passwords and two-factor authentication without ever entering a password or an extra authentication code.
The Problem With Passwords
If you pay attention to the news surrounding cybersecurity, you have probably heard that all of the major tech companies are on a mission to kill passwords. At first, that may sound a little jarring. As long as there have been computers, we have used passwords to secure them. However, passwords by themselves are not a good way of proving identity, and we can do better.
Why? Password best practices are a hassle to implement and most users aren’t willing to add extra steps to the login process, even if it means verifying their identity in a more secure way. When given a choice, people will all choose convenience over security. The reason why 90% of Gmail users don’t use two-factor authentication is that it adds an extra step in their already busy day. Only 12% of people use a password manager because they are too tired to think about having to manage something else. According to research done by Google, using Two-Factor will prevent 100% of bot attacks and 99% of bulk phishing attacks. We understand why people don’t follow security best practices, but it doesn’t make it any less important.
New! Introducing a Better Way to Secure Your Site: Passwordless Logins
Passwordless login is a new way to verify a user’s identity without actually requiring a password to login. Passwordless login is both safe and simple, increasing the likelihood that the average person will secure their account. Passwordless logins lock down your accounts and are much easier to use than traditional credentials.
You may already be using a form of passwordless login without realizing it. For example, if you are using a thumbprint or Face ID to open your phone, you are using a form of passwordless login. Keep in mind that a passwordless login doesn’t necessarily mean a password isn’t assigned to the user. Your phone still requires you to set a password or a PIN, but you do not need to enter one every time you unlock your phone.
The Passwordless Login method provided by iThemes Security Pro will send you an email with a “magic link,” or a link that will log you into WordPress with a click of a button. This way, the passwordless login requires you to have access to the actual email account associated with the user, providing another layer of security.
Getting Started with WordPress Passwordless Login
From your WordPress dashboard, navigate to the iThemes Security Pro menu. You’ll see a new Passwordless Login module.
Enable the Passwordless Login module and then click the Configure Settings button.
From the settings screen, several settings are listed:
- Enable Passwordless Login – Enable to start using the passwordless login method.
- Passwordless Login Per-User Availability – By default, the passwordless login method is enabled for all users. Changing the default to disabled for all users will require every user to enable the method manually. Set the to Enabled by Default.
- Allow Two-Factor Bypass for Passwordless Login – The allow two-factor bypass option will give selected users to option to disable two-factor authentication when using the passwordless login method. Note: Users should only bypass two-factor authentication if they have also enabled two-factor authentication for the email account that will receive the Passwordless Login Link.
- Passwordless Login Flow – Choose what screen users see first in the passwordless login flow: Method First and Username First. We recommend setting the Passwordless Login Flow to Username First to allow users to send the Magic Link email in two steps. Here are screenshots of the two different Passwordless Login Flow screens for this settings option:
- Username FirstThe Username First screen allows users to enter their username and email address first before selecting the login method.
- Method First The Method First screen allows users to choose between the traditional Passwordless Login methods before entering a username or email address.
- Username FirstThe Username First screen allows users to enter their username and email address first before selecting the login method.
How the Passwordless Login Method Works
Now that we have enabled Passwordless Login, it is time to take it for a test drive. The first thing we see on our login page is a place to enter our username or password. Enter your username and then click the Continue button.
On the next screen, click the Email Magic Link button to send the email containing the passwordless login link.
You will now see a message confirming the email has been sent.
In your email inbox, open the Magic Link email and the Login Now button.
If you have previously enabled two-factor authentication, you will be asked if you want to Enable or Disable two-factor when using the passwordless login method.
If you choose to disable two-factor when using passwordless logins, you will now be able to log into your WordPress dashboard without entering a password or two-factor code.
Wrapping Up: Better WordPress Login Security with Passwordless Login + Free Ebook
Is sending a login link to my email address safe?
We only recommend using the Passwordless Login feature if you are using two-factor authentication on your email account.
That said, if a malicious actor has access to your email account, they can already tell WordPress to send an email to reset the password. Sending a login link isn’t adding any additional vulnerabilities to your site.
You can still require two-authentication when using a Magic Link to increase the security of the login method.
Who Should Use Passwordless Logins?
We created Passwordless Logins as an alternative to using a weak password and no form two-factor authentication. The goal is to increase adoption of 2fa and secure passwords to make the WordPress community safer.
With that in mind, Passwordless Logins are for people who want to increase the security of their site without sacrificing usability.
With Passwordless Login, WordPress security has never been easier! The New iThemes Security Pro Passwordless Login method lets you increase security without decreasing usability, which is a win for everybody.
We also have a new ebook that unpacks how to get started with passwordless login: Getting Started with Passwordless Login.
In this new ebook, you’ll learn more about the passwordless future and the different methods of passwordless login. We also cover how to add passwordless login to your WordPress website and wow the passwordless login method works in iThemes Security Pro.
Register for the Webinar: The Passwordless Future of WordPress
In this webinar, Michael Moore will explain why passwords are soon to be a relic of the past and why are all of the major tech companies trying to kill passwords. You will learn how to use the new iThemes Security Pro Passwordless Login method to increase security without sacrificing usability.
Thursday, Sept. 12
1:00 – 2:00 p.m. (CT)
Get the iThemes Security Pro Plugin Today
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Get iThemes Security Pro
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.
So anyone with the link would be able to access the site? Email is not the most secure thing out there… I regularly see clients who’ve had their email compromised due to inadequate passwords, etc. Am I missing something here in how this work?
Hi Nathan,
Thanks for the question! I have updated the Wrapping Up section to address your concern.
Can’t a URL be sniffed? Is this really a secure way to login?
Hi Tom,
Great question!
Yes, if there is an existing security hole that allows an attacker to intercept communication on your site, they could grab the URL and log into your site.
You can require two-authentication when using a Magic Link to increase the security of the login method.
However, this is just the first iteration of Passwordless Login, and we plan to add improvements!
I believe, all this does is move the responsibility to the email client. If the email client isn’t secured, this system is useless. So far, two-factor-authentication is the best and most convenient option. It does require a mobile phone as most of those apps are only available on mobile, but who hasn’t got a mobile?
I first experienced this solution on an app called Notion. It works on cookies and automatically logs me in for a preset period of time. After that it requires me to check my mail for a new login-code. This is the least secure I can think of and very inconvenient. I work on multiple computers, most without my email setup. So, I get my email on my mobile. As it is a link, it is very inconvenient to get the url into another computer.
Your solution is a clear no-go for me.
Cheers
John
Hey John,
Thanks for the feedback! I am glad that you have found the SECURE workflow that works for you! Security minded people like you make the WordPress community stronger. We have updated the Wrapping Up section to include our who we think should try out the Passwordless Login feature.
Version 6.1.1 breaks the site:
Fatal error: require_once(): Failed opening required ‘/wp-content/plugins/ithemes-security-pro/pro/magic-links/class-magic-links.php’ (include_path=’/usr/local/phpbin/PEAR/:./’) in /wp-content/plugins/ithemes-security-pro/pro/magic-links/active.php on line 3
Hi Henrik,
My apologies that you have run into an issue on your site. I would suggest reaching out to your support team to get some help troubleshooting the error.
https://members.ithemes.com/panel/helpdesk.php
how about using the WebAuthn standard?
the easiest way would be to login to your site by fingerprint or facecheck.
any plans from your side to add this real passwordless and emailless login?
all my best
thomas
Thanks for your useful guide. I want the magic links to expire after a given time. After that, users can’t log in to my site with the link anymore. Does this plugin support that?