If you’re like me, you have a lot of accounts for different websites. You probably have a huge list somewhere on your computer of these usernames and passwords. And while you might be accustomed to doing things this way, it’s not the most efficient way to go about things. And let’s face it: if you lose that list of passwords, you’re out of luck in a major way.
If you work in WordPress development, that’s doubly true. The only thing standing in the way of hackers and your clients’ sites is your password. If that’s compromised, well, you’re poised to have a very bad day indeed. According to the WordPress Security Team, passwords are the weakest component of online security. In fact, 13,000 sites were hacked in 2012 due to weak passwords. What’s worse, hacked sites can infect visitors to such sites. These visitors are then made to be a part of the botnet that actively attacks other websites. Basically, it’s a big problem and you can unintentionally contribute to it if you don’t make every effort to protect your site’s security.
That’s why I was excited to hear about this new plugin and app combo that’s designed to eliminate passwords from the equation and ramp up security in bold new ways.
It’s called Clef, and rather than an 8-character password, it relies on cryptography to log users into WordPress. Once the plugin is installed on your site, you just download the Clef app for your smartphone. This app is then used to authenticate users thanks to 2048-bit RSA key pairs.
I tried out Clef for the first time recently and though I ran into a few hiccups during setup, an update to the plugin has seen those initial issues resolved.
Installation
Installing both the Clef app and plugin is simple. It’s basically your standard fare. The plugin is available for download for free from the WordPress Plugin Directory and the app can be downloaded from Clef’s website. Install the plugin on your WordPress site and the app on your Android or Apple smartphone.
Once both of these elements are installed and the plugin is activated you should see a prompt to login using Clef on your WordPress login page. You’ll need to set up a pin for the app first though. Once installed on your smartphone, you’ll be prompted to input your website’s information and to create a 4-digit pin:
Next click “Log in with your phone” on your WordPress site’s login page. You’ll see the Clef Wave next. This is a visual identifier that Clef uses to verify your identity without ever needing to resort to using passwords:
To use this, you just need to have the Clef app open on your phone then pass it in front of the Clef Wave on your WordPress site’s login page. The app will sync with the Clef Wave and you’ll be logged in immediately.
Initial Login Issues
Now, when I first tried out Clef, it didn’t go quite so smoothly as described above. When I passed my smartphone in front of the Clef Wave on my site’s login screen, it seemed to sync just fine. But instead of logging in and directing me to my site’s dashboard, I was redirected back to the login page. I watched the URL bar as it logged me in and logged me back out again.
I did the usual troubleshooting tasks. I turned off each plugin and tried again with no avail. The app still wouldn’t work. So I got in touch with the team behind Clef, Brennen Byrne and Jesse Pollak. They walked through their standard troubleshooting processes and when none of that worked, they assured they’d get back to me with a fix. Lo and behold, that’s precisely what they did.
After updating the Clef plugin to version 2.0.1, the Clef Wave synced and logged into my WordPress site’s dashboard just as it was supposed to. No more weird redirects and no more frustration. I’m glad I pursued the team on this one. The plugin turned out to be exactly what I hoped: simple, streamlined, and secure.
How It Works
I’ve already talked a bit about the technology behind Clef but I think it warrants a bit more discussion. Especially since this app/plugin combo is venturing to change how we approach WordPress site security from now on.
After you open the app on your phone, you’re prompted to input your PIN number. This is your private key that prompts the app to generate a signature to connect your phone with your WordPress site. This means you can login to your WordPress site on any computer without compromising security in any way.
The Clef database doesn’t store any identifying information about you or your site. So when your sync the app with the Clef Wave on your site, a digital signature is created and sent to Clef. This is processed immediately and Clef will verify your identity, giving you access to your site using OAuth 2.0.
What’s so funny about this though is it feels sort of unreal. Pass your phone like a magic wand in front of the Clef Wave, the Wave locks into place and syncs and you’re suddenly logged in. It doesn’t feel very secure but that’s because the approach is so different to what we’re used to in terms of managing WordPress site security. Lengthy passwords made up of complex combinations of letters, numbers, and characters is what spells the greatest level of security for us currently.
Once you’ve inputted your PIN number on the Clef app and logged in to your WordPress site, you can select a length of time you’d like to stay logged in for:
This way, you ensure your site’s security, even if you forget to log out on a public computer, let’s say. You can change this setting at any time.
Multi-Layered Protection
Clef protects your site and identifying information on a number of levels. For starters, it protects you from brute-force attacks. These attacks are the most common way hackers use to break into sites. It only takes a few days to crack a WordPress password. We’re told that cracking a Clef key would take millions of years, if you can believe it.
Because Clef relies on the app and the plugin, your site’s security can’t be compromised even on open Wi-Fi networks without SSL. And even if you lose your phone, you can deactivate the Clef app remotely thanks to the 4-digit PIN you created during the installation process.
Conclusion
All in all, I found Clef to be intuitive and easy to use. The app has a nice, clean interface and the plugin requires virtually no setup. Like I said, it sort of feels unreal to use, like it can’t possibly be secure. But the system on which Clef operates is legitimate and offers multi-layered security that can give all of us developers some peace of mind.
Have you tried out Clef yet? What are your thoughts on the plugin and app? Are you ready to upgrade your security measures or are you sticking to regular ol’ passwords for now? I’d love to hear what you think on the subject. As always, feel free to sound off in the comments below.
Gareth Naylor
I could have this wrong but if your cellphone gets damaged or lost then aren’t you a bit stuck?
Michał
Hi,
I have still the problem with redirection to a login site 🙁 I do not know whether my readers too have this problem, but I – as the blog admin – notoriously’m redirected to the login page. I found information on the internet that is apparently not an issue of Clef, but before this issue does not occur, so something’s wrong.
Dom
Hi Tom
Got an email about Clef last week. Have to admit I was a little sceptical, but an endorsement from you guys made up my mind. Just installed it – it’s like the future! It feels so counter-intuitive, as you say. Going to be recommending this to clients. Much better than giving them a 20-digit random password, that they’ll most likely change to a cat’s name anyway.
Thanks for the post.
Dom
Tom
Thanks for the comment Dom! Glad it is working out for you!
Cheers,
Tom
MPW
Is there any possibility of future integration between Clef and the ManageWP admin interface? It would be great if I could use Clef to log in to ManageWP which I can then use to log into all my other sites
Tom Ewer
We’re looking into this right now!
frankwarwick
Tom … 3 years ago you mentioned integration with Clef was being looked into … any word on this
Nemanja Aleksic
We ended up integrating Google Authenticator for 2FA, seeing how it’s the industry standard these days.