The iThemes Security Pro plugin just added a new way for you to lock down your WordPress site while making it easier for you to log in: Passwordless Logins.
iThemes Security Pro already offers several ways to secure user logins on your WordPress site:
- The Password Requirement feature prevents the use of a weak password.
- Using the built-in Have I Been Pwned database check, iThemes Security Pro makes sure the password hasn’t appeared in a known database breach.
- With iThemes Security Pro, you can require everyone to use Two-Factor Authentication when logging in.
Now iThemes Security Pro has a new login method that allows you to require users to use strong passwords and two-factor authentication without ever entering a password or an extra authentication code.
The Problem With Passwords
If you pay attention to the news surrounding cybersecurity, you have probably heard that all of the major tech companies are on a mission to kill passwords. At first, that may sound a little jarring. As long as there have been computers, we have used passwords to secure them. However, passwords by themselves are not a good way of proving identity, and we can do better.
Why? Password best practices are a hassle to implement, and most users aren’t willing to add extra steps to the login process, even if it means verifying their identity in a more secure way. When given a choice, people will choose convenience over security. The reason why 90% of Gmail users don’t use two-factor authentication is that it adds an extra step to their already busy day. Only 12% of people use a password manager because they are too tired to think about having to manage something else. According to research done by Google, using Two-Factor will prevent 100% of bot attacks and 99% of bulk phishing attacks. We understand why people don’t follow security best practices, but that doesn’t make them any less important.
New! Introducing a Better Way to Secure Your Site: Passwordless Logins
Passwordless login is a new way to verify a user’s identity without actually requiring a password to log in. Passwordless login is both safe and simple, increasing the likelihood that the average person will secure their account. Passwordless logins lock down your accounts and are much easier to use than traditional credentials.
You may already be using a form of passwordless login without realizing it. For example, if you are using a thumbprint or Face ID to open your phone, you are using a form of passwordless login. Keep in mind that a passwordless login doesn’t necessarily mean a password isn’t assigned to the user. Your phone still requires you to set a password or a PIN, but you do not need to enter one every time you unlock your phone.
The Passwordless Login method provided by iThemes Security Pro will send you an email with a “magic link,” or a link that will log you into WordPress with a click of a button. This way, the passwordless login requires you to have access to the actual email account associated with the user, providing another layer of security.
Getting Started with WordPress Passwordless Login
From your WordPress dashboard, navigate to the iThemes Security Pro menu. You’ll see a new Passwordless Login module.
Enable the Passwordless Login module and then click the Configure Settings button.
From the settings screen, several settings are listed:
- Enable Passwordless Login – Enable to start using the passwordless login method.
- Passwordless Login Per-User Availability – By default, the passwordless login method is enabled for all users. Changing the default to disabled for all users will require every user to enable the method manually. Set this to Enabled by Default.
- Allow Two-Factor Bypass for Passwordless Login – The allow two-factor bypass option will give selected users the option to disable two-factor authentication when using the passwordless login method. Note: Users should only bypass two-factor authentication if they have also enabled two-factor authentication for the email account that will receive the Passwordless Login Link.
- Passwordless Login Flow – Choose what screen users see first in the passwordless login flow: Method First or Username First. We recommend setting the Passwordless Login Flow to Username First to allow users to send the Magic Link email in two steps. The two Passwordless Login Flow screens for this setting are:
- Username First – The Username First screen allows users to enter their username and email address first before selecting the login method.
- Method First – The Method First screen allows users to choose between the traditional and Passwordless Login methods before entering a username or email address.
How the Passwordless Login Method Works
Now that we have enabled Passwordless Login, it is time to take it for a test drive. The first thing we see on our login page is a place to enter our username or email address. Enter your username and then click the Continue button.
On the next screen, click the Email Magic Link button to send the email containing the passwordless login link.
You will now see a message confirming the email has been sent.
In your email inbox, open the Magic Link email and click the Login Now button.
If you have previously enabled two-factor authentication, you will be asked if you want to Enable or Disable two-factor when using the passwordless login method.
If you choose to disable two-factor when using passwordless logins, you will now be able to log into your WordPress dashboard without entering a password or two-factor code.
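The flow above, modeled as an added example (this is not iThemes Security Pro's code): a random token is emailed, redeemed at most once before it expires, and the two-factor prompt is skipped only when the site setting and the user's choice both allow it. The class name, the 15-minute lifetime and the choice to store only a hash of the token are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed lifetime in seconds; the page does not state the plugin's value


class MagicLinkStore:
    """Hypothetical server-side state for emailed login links."""

    def __init__(self, allow_2fa_bypass):
        # Models the "Allow Two-Factor Bypass for Passwordless Login" setting.
        self.allow_2fa_bypass = allow_2fa_bypass
        self.pending = {}  # sha256(token) -> (user, expires_at)

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the digest is kept, so a leaked table cannot be replayed as links.
        self.pending[digest] = (user, now + TOKEN_TTL)
        return token  # placed in the emailed URL and nowhere else

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() makes the link single use, whether or not it is still valid.
        entry = self.pending.pop(digest, None)
        if entry is None:
            return None  # unknown, forged or already used
        user, expires_at = entry
        return user if now <= expires_at else None

    def needs_second_factor(self, user_has_2fa, user_chose_bypass):
        # The second factor is skipped only when the site allows the bypass
        # AND the user opted in; otherwise an enrolled user is still prompted.
        if not user_has_2fa:
            return False
        return not (self.allow_2fa_bypass and user_chose_bypass)


if __name__ == "__main__":
    store = MagicLinkStore(allow_2fa_bypass=True)
    link_token = store.issue("alice")            # constructed sample user
    print("first click:", store.redeem(link_token))
    print("second click:", store.redeem(link_token))
    print("prompt for 2FA:", store.needs_second_factor(True, False))
```
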
Wrapping Up: Better WordPress Login Security with Passwordless Login + Free Ebook
Is sending a login link to my email address safe?
We only recommend using the Passwordless Login feature if you are using two-factor authentication on your email account.
That said, if a malicious actor has access to your email account, they can already tell WordPress to send an email to reset the password. Sending a login link isn’t adding any additional vulnerabilities to your site.
You can still require two-factor authentication when using a Magic Link to increase the security of the login method.
Who Should Use Passwordless Logins?
We created Passwordless Logins as an alternative to using a weak password and no form of two-factor authentication. The goal is to increase adoption of 2FA and secure passwords to make the WordPress community safer.
With that in mind, Passwordless Logins are for people who want to increase the security of their site without sacrificing usability.
With Passwordless Login, WordPress security has never been easier! The New iThemes Security Pro Passwordless Login method lets you increase security without decreasing usability, which is a win for everybody.
We also have a new ebook that unpacks how to get started with passwordless login: Getting Started with Passwordless Login.
In this new ebook, you’ll learn more about the passwordless future and the different methods of passwordless login. We also cover how to add passwordless login to your WordPress website and how the passwordless login method works in iThemes Security Pro.
Register for the Webinar: The Passwordless Future of WordPress
In this webinar, Michael Moore will explain why passwords are soon to be a relic of the past and why all of the major tech companies are trying to kill passwords. You will learn how to use the new iThemes Security Pro Passwordless Login method to increase security without sacrificing usability.
Thursday, Sept. 12
1:00 – 2:00 p.m. (CT)
Get the iThemes Security Pro Plugin Today
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.