Securus Yubikey Two Factor Authentication

Securus adds Yubikey 2nd Factor Authentication to WordPress with a simple plugin.

WordPress

Obviously, to install a WordPress plugin you will first need WordPress. We recommend using the latest version available.

Yubikey ( Yubikey Neo Recommended )

Yubikey Neo

Yubikey Neo will work for devices that have a functional USB port and for devices that support NFC (Near Field Communication / RFID). With the Neo you will be able to use the Yubikey on supported mobile devices, something you cannot do with the Yubikey Standard.

Yubikey Standard

Yubikey Standard will work for devices that have a functional USB port (desktop, laptop, etc.). Yubikey Standard will not work on mobile devices that do not have a USB port (smart phones, tablets, etc.). See Yubikey Neo.

Free YubiCloud API Registration (Admin only) – FREE YubiCloud at Yubico.com

You need to register with Yubico YubiCloud API Service in order to use this plugin! Registration is free and super easy. You will need to create a FREE YubiCloud API account at Yubico.com. An email address and a Yubikey are all that are needed!

PHP Functions

You must have the PHP cURL functions available in order to use Securus, and the PHP hash_hmac function to verify the YubiCloud response. Most commercial servers have both enabled and available. hash_hmac is not strictly required when communicating with YubiCloud over HTTPS, though it is always recommended to verify the response.

WP Upload Installation

To install a WordPress Plugin with the WP Uploader:

  1. Download your WordPress Plugin to your desktop.
  2. Do NOT decompress the zip archive.
  3. Read through the “readme” file thoroughly to ensure you follow the installation instructions.
  4. Go to Plugins screen and click Add New. Click Upload Plugin (same location as Add New button).
  5. Click Choose File and navigate to your desktop where you downloaded the plugin. Select it and upload.
  6. Click Activate Plugin to activate it.


FTP Installation

To install a WordPress Plugin manually via FTP:

  1. Download your WordPress Plugin to your desktop.
  2. If downloaded as a zip archive, extract the Plugin folder to your desktop.
  3. Read through the “readme” file thoroughly to ensure you follow the installation instructions.
  4. With your FTP program, upload the Plugin folder to the wp-content/plugins folder in your WordPress directory online.
  5. Go to Plugins screen and find the newly uploaded Plugin in the list.
  6. Click Activate Plugin to activate it.


Securus Plugin Settings Menu


To set up Securus:

  1. Log in to your WordPress Site as Admin.
  2. Hover over the Settings menu item and select Securus.

Securus Global Settings

After you register a YubiCloud API account at Yubico.com you will be issued an API ID and an API Key. Those are the first two fields on this page.

  1. Yubikey API ID – Received from YubiCloud Registration
  2. Yubikey API Key – Received from YubiCloud Registration
  3. Default Server – Select a server that is closest to you.
  4. API Over HTTPS (SSL) – You should always communicate with YubiCloud over HTTPS (SSL), but if for some reason you cannot, you can disable it here. If disabled, your server will communicate with the YubiCloud server over a standard HTTP (insecure) connection.
  5. Verify Yubikey Response – YubiCloud sends back a hash when it validates a Yubikey. We can use this hash to ensure that the response from YubiCloud has not been tampered with.
  6. Mobile Devices – What should Securus do when it encounters a mobile device? Mobile devices generally don’t have USB ports to plug in your YubiKey. If the user has a Yubikey NEO, with OTP via NFC then it’s no big deal. If a user has a standard Yubikey that requires a USB port, what should Securus do?
    • Require Yubikey – Users that have Securus enabled but do not have a Yubikey Neo and a NFC compatible device will be locked out!
    • Disable 2 Factor Auth – This will disable Securus for mobile devices*.
    • Users Choice – let each user choose how to handle mobile devices via their profile.
  7. Requirements Test – This plugin uses the PHP cURL functions to communicate with Yubico. These must exist in order for the plugin to work. The PHP hash_hmac function is required to verify the response from YubiCloud. If this function is not available, responses will not be verified.
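As an added example (not the plugin's own code, which is PHP; this is a Python illustration of the same YubiCloud v2.0 verify exchange), here is what the Default Server and API Over HTTPS settings shape on the request side, and what the Verify Yubikey Response setting checks on the response side: the OTP and a fresh nonce must be echoed back, the status must be OK, and the `h` field must equal an HMAC-SHA1 over the other response fields (sorted by name, joined with `&`) keyed with the base64-decoded API Key. The API ID, API Key, OTP and response body below are constructed sample values, and the `constructed_response` helper only exists to build such a body offline.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlencode

# Constructed sample credentials (NOT real YubiCloud credentials).
API_ID = "12345"
API_KEY_B64 = base64.b64encode(b"constructed-demo-secret-key!").decode()


def new_nonce() -> str:
    """Fresh random nonce; YubiCloud echoes it back so a replayed response is detected."""
    return secrets.token_hex(16)


def build_verify_url(api_id: str, otp: str, nonce: str, use_https: bool = True,
                     host: str = "api.yubico.com") -> str:
    """Build the v2.0 verify URL. 'use_https' mirrors the API Over HTTPS setting,
    'host' mirrors the Default Server setting."""
    scheme = "https" if use_https else "http"
    query = urlencode({"id": api_id, "otp": otp, "nonce": nonce})
    return f"{scheme}://{host}/wsapi/2.0/verify?{query}"


def parse_response(body: str) -> Dict[str, str]:
    """YubiCloud answers with one key=value pair per line."""
    params = {}
    for line in body.splitlines():
        line = line.strip()
        if line and "=" in line:
            key, value = line.split("=", 1)
            params[key] = value
    return params


def sign_params(params: Dict[str, str], api_key_b64: str) -> str:
    """HMAC-SHA1 over every field except 'h', sorted by key and joined with '&',
    keyed with the base64-decoded API key; the signature itself is base64."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "h")
    digest = hmac.new(key, message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_response(body: str, otp: str, nonce: str, api_key_b64: str,
                    check_signature: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason). check_signature mirrors the Verify Yubikey
    Response setting; the otp/nonce echo and status checks are always done."""
    params = parse_response(body)
    if check_signature:
        if "h" not in params:
            return False, "missing signature"
        # Constant-time comparison so a forged 'h' cannot be guessed byte by byte.
        if not hmac.compare_digest(params["h"], sign_params(params, api_key_b64)):
            return False, "bad signature"
    if params.get("otp") != otp:
        return False, "otp mismatch"
    if params.get("nonce") != nonce:
        return False, "nonce mismatch"
    if params.get("status") != "OK":
        return False, params.get("status", "no status")
    return True, "OK"


def constructed_response(params: Dict[str, str], api_key_b64: str) -> str:
    """Build a signed response body the way the server would (sample input only)."""
    signed = dict(params)
    signed["h"] = sign_params(params, api_key_b64)
    return "\n".join(f"{k}={v}" for k, v in signed.items()) + "\n"


if __name__ == "__main__":
    otp = "cccccccccccc" + "b" * 32  # constructed, not a real OTP
    nonce = new_nonce()
    print(build_verify_url(API_ID, otp, nonce))
    body = constructed_response({"t": "2024-01-01T00:00:00Z0000", "otp": otp,
                                 "nonce": nonce, "sl": "100", "status": "OK"}, API_KEY_B64)
    print(verify_response(body, otp, nonce, API_KEY_B64))
    # Flip the status on the wire: the signature no longer matches.
    print(verify_response(body.replace("status=OK", "status=REPLAYED_OTP"),
                          otp, nonce, API_KEY_B64))
```

With signature checking off (the case the Requirements Test warns about when hash_hmac is missing), a tampered status is taken at face value; with it on, any change to a signed field is rejected before the status is even looked at.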

Your Profile Menu


To set up your profile:

  1. Log in to your WordPress Site as your User.
  2. Hover over the Users menu item and select Your Profile.

Your Profile Settings

Set up Securus so that your account requires a Yubikey OTP:

  1. Securus Authentication – Enable or Disable 2 Factor Authentication.
  2. Yubikey Server – If you are experiencing a slow response, you can change the YubiCloud server to a different one.
  3. Key IDs – You can have up to 3 Yubikeys attached to your account. At the very least, one key is required in order to login with one touch. The other two keys are optional.
  4. Mobile Devices – What should Securus do when it encounters a mobile device? If you have a Yubikey Neo set up to send an OTP via NFC and an NFC compatible device – choose Require Yubikey. If you don’t meet all the conditions – you will have to Disable 2nd Factor Auth for mobile devices.
    • Require Yubikey – Users that have Securus enabled but do not have a Yubikey Neo and a NFC compatible device will be locked out!
    • Disable 2 Factor Auth – This will disable Securus for mobile devices*.

Securus Users Profile


To edit a user's options

Admin can enable or disable Securus for individual users.

  1. Log in to your WordPress Site as Admin.
  2. Edit the user's info as you usually would.
  3. Scroll to the bottom of the page.
  4. Enable or Disable Securus.

Securus Login Screen


Normal Login Screen

When you go to login, you are presented with the standard looking login screen.

Securus Login Shows OTP


Ajaxed Login Screen

After you enter your username and password and submit the form one of two things happens.

  • If you have Securus enabled and have a valid Yubikey attached to your account, Securus will ajax in a Yubikey OTP field for your Yubikey.
  • If Securus is not enabled or you don’t have a key attached to your account, you are logged in as normal.
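The decision the login screen makes after the password step, the Key IDs limit from the profile page, and the Mobile Devices policy (global Require / Disable / Users Choice, with the per-user choice from the profile) can be put together in a few lines. This is an added illustration in Python, not the plugin's PHP; the settings classes, the policy strings and the sample OTPs are constructed for the example. The one piece of Yubikey format it relies on is that an OTP is modhex (alphabet cbdefghijklnrtuv) and ends in a 32-character token, so the Key ID you store in your profile is whatever precedes those 32 characters.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MODHEX = set("cbdefghijklnrtuv")
MAX_KEYS = 3  # the profile page allows up to 3 Key IDs


def public_id(otp: str) -> Optional[str]:
    """Return the public Key ID from an OTP, or None if the string is not a
    well-formed modhex OTP (public ID of up to 16 chars + 32-char token)."""
    otp = otp.strip().lower()
    if not (32 <= len(otp) <= 48) or any(c not in MODHEX for c in otp):
        return None
    return otp[:-32]


@dataclass
class GlobalSettings:
    # Constructed names for the global Mobile Devices setting:
    # "require" | "disable" | "users_choice"
    mobile_policy: str = "require"


@dataclass
class UserProfile:
    securus_enabled: bool = False
    key_ids: List[str] = field(default_factory=list)
    # Per-user Mobile Devices choice; only consulted under "users_choice".
    mobile_policy: str = "require"

    def add_key(self, otp: str) -> bool:
        """Attach a key by pressing it once; enforce the 3-key limit and reject
        malformed or duplicate IDs."""
        pid = public_id(otp)
        if not pid or pid in self.key_ids or len(self.key_ids) >= MAX_KEYS:
            return False
        self.key_ids.append(pid)
        return True


def otp_required(user: UserProfile, settings: GlobalSettings, is_mobile: bool) -> bool:
    """Should the login form ajax in the OTP field for this user on this device?"""
    if not user.securus_enabled or not user.key_ids:
        return False  # Securus off or no key attached: normal login
    if not is_mobile:
        return True
    policy = (user.mobile_policy if settings.mobile_policy == "users_choice"
              else settings.mobile_policy)
    return policy == "require"


def otp_belongs_to_user(otp: str, user: UserProfile) -> bool:
    """Local check done before asking YubiCloud: the OTP must come from one of
    the keys attached to this account, otherwise any valid Yubikey would do."""
    pid = public_id(otp)
    return pid is not None and pid in user.key_ids


if __name__ == "__main__":
    alice = UserProfile(securus_enabled=True)
    print(alice.add_key("cccccccccccc" + "b" * 32))   # constructed OTP -> True
    print(otp_required(alice, GlobalSettings("disable"), is_mobile=True))   # False
    print(otp_required(alice, GlobalSettings("disable"), is_mobile=False))  # True
    print(otp_belongs_to_user("dddddddddddd" + "b" * 32, alice))            # False
```

The `otp_belongs_to_user` check is the reason the profile stores Key IDs at all: YubiCloud only says whether an OTP is genuine and unused, not whose key produced it, so the server has to compare the public ID itself.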

Is it secure?
Yes; more so than a standard username and password. The Yubikey generates a unique string that changes every time you press the button. Once you submit it for validation, that string can never be used again.
Can I still use my username and password?
Yes. If you do not have your Yubikey available, or are on a mobile device and don’t have a Yubikey Neo, you can log in with your normal username and password.