Email-Based Two-Factor Authentication Update – No More Login Links

4th August 2017 | News, WordPress Security

This is a quick explanatory update on our Shield Security plugin for WordPress.

We’ve been providing email-based two-factor authentication (2FA) for a long time. Recently we’ve received some feedback about the inclusion of a direct-login link in the email that is sent out.

Before we completely rebuilt the 2FA system, this was a requirement. Now, however, using the newer 2FA portal means that a direct login link isn’t the ideal solution.

How Shield’s Two-Factor Authentication Portal Works

With the portal you’re prompted to enter any or all of your 2FA codes to confirm your login. If you have turned on email-based 2FA, then you’ll get an email with both the code you need, and also a link.

This link will do one of two things:

  • if you have 2 or more factors that are required, then it’ll pre-populate the portal with your code #neat
  • if email is your only 2nd factor, it’ll log you straight into the site automagically #super-neat

The problem arises with the second option. If a two-factor email is sent out and intercepted, the unwelcome visitor gets a direct link straight into your WordPress admin.

The chances of this are slim for two reasons:

  • the two-factor portal has a 5 minute window. If you miss it, you have to start your login from scratch.
  • the link can only ever be used once.
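To make the difference between the two email contents concrete, here is an added example in Python (constructed for this post, not Shield's own code) that models both flows with the two mitigations just listed: a 300 second window and single use. The link is a bearer credential, so anyone holding a copy of the email can redeem it inside the window; the code is assumed here to be checked against the browser session that started the login, so a copy of the email alone is not enough. The class, method and session names are illustrative, and the session binding is an assumption about how a portal can be built rather than a description of Shield's internals.

```python
import hmac
import secrets
import time

TTL_SECONDS = 300  # the five minute window the post describes


class EmailSecondFactor:
    """Constructed model of the two email 2FA flows (not Shield's code).

    A login link is a bearer credential: whoever holds it is logged in.
    A code has to be typed into the portal, so the verifier can also
    demand the browser session that began the login (an assumption here).
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_session = {}  # session_id -> pending challenge
        self._by_token = {}    # link token -> pending challenge

    def start_login(self, user, session_id):
        """Called after the password check; returns what the email would carry."""
        challenge = {
            "user": user,
            "session_id": session_id,
            "code": f"{secrets.randbelow(10**6):06d}",
            "link_token": secrets.token_urlsafe(32),
            "issued": self._clock(),
            "used": False,
        }
        self._by_session[session_id] = challenge
        self._by_token[challenge["link_token"]] = challenge
        return {"code": challenge["code"], "link_token": challenge["link_token"]}

    def _consume(self, challenge):
        """Enforce the two mitigations from the post: TTL and single use."""
        if challenge is None or challenge["used"]:
            return None
        if self._clock() - challenge["issued"] > TTL_SECONDS:
            return None
        challenge["used"] = True
        return challenge["user"]

    def redeem_link(self, link_token):
        """The removed behaviour: the token alone logs the holder in."""
        return self._consume(self._by_token.get(link_token))

    def verify_code(self, session_id, code):
        """The retained behaviour: code plus the session that started the login."""
        challenge = self._by_session.get(session_id)
        if challenge is None or not hmac.compare_digest(challenge["code"], code):
            return None
        return self._consume(challenge)


def demo():
    """Walk through interception, single use and expiry with a fake clock."""
    now = [1_700_000_000.0]  # constructed timestamp; a list so the lambda can advance it
    svc = EmailSecondFactor(clock=lambda: now[0])
    results = {}

    # 1. Someone reads a copy of the email but never had the victim's browser session.
    mail = svc.start_login("alice", session_id="sess-alice")
    results["code_without_session"] = svc.verify_code("sess-other", mail["code"])
    results["link_alone"] = svc.redeem_link(mail["link_token"])

    # 2. Legitimate user inside the window: the code works once, not twice.
    mail = svc.start_login("alice", session_id="sess-alice")
    results["code_first_use"] = svc.verify_code("sess-alice", mail["code"])
    results["code_second_use"] = svc.verify_code("sess-alice", mail["code"])

    # 3. Anything older than five minutes is rejected, link or code.
    mail = svc.start_login("alice", session_id="sess-alice")
    now[0] += TTL_SECONDS + 1
    results["expired_link"] = svc.redeem_link(mail["link_token"])
    results["expired_code"] = svc.verify_code("sess-alice", mail["code"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in as ' + outcome if outcome else 'rejected'}")
```

Running `demo()` shows the asymmetry the post is reacting to: `link_alone` succeeds for whoever holds the email, while `code_without_session` is rejected, and both forms are equally subject to the window and single-use limits. The TTL and single-use checks live in one place (`_consume`) so that neither flow can drift out of step with the other.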

But the chance, however slim, remains. So what is the next step?

Decision: Remove The Automatic Login Link

The link is really convenient, but we feel there is little or no inconvenience in copy-pasting the code into your login portal.

So from Shield v5.12.2 we’ve removed the link from the outgoing two-factor email. You will now have to copy-paste the code into the portal directly.

We apologise if this is a problem for you, but we hope you’ll understand the reason behind it.

Thanks!

3 Comments

  • anonymous says:

    Thanks for doing this. The link was never a good idea. A bit concerned that you didn’t get it before.

    • Paul G. says:

      The link was actually a grand ol’ idea, but there is a window within which it could be exploited, if email was the only 2nd factor.

      Frankly, we don’t see too much of an issue with the email link since it would need to be a highly targeted attempt at infiltration, and the vast majority of hacks are very far from being targeted.

      But the slight risk remains, which is why we removed it in the end.

      Improvements, adjustments and taking on feedback shouldn’t make you feel concerned.

      Thanks for your comment! 🙂

  • Sreekant Unnithan says:

    Thank you, Paul, for suggesting an idea on how to remove the link from the outgoing two-factor email with Shield v5.12.2. Going to implement the solution.
    Keep writing the good content and updating us with the changes needed.