WordPress is everywhere. We’re closing in on powering a full one-third of the web, and that’s amazing. But with that ubiquity comes a number of problems, one of the primary ones being security. WordPress gets hit hard by hackers, spambots, and all sorts of malcontents. Brute-force attacks against new WordPress installations have risen sharply of late, and as the CMS grows, the attempts at hijacking it will only grow, too. Enter Keyy.
Keyy is a two-factor authentication (2FA) app/plugin that does its best to do away with the annoying aspects of other 2FA methods: usernames, passwords, and authentication tokens. Keyy’s claim is that it can replace all of that with RSA public-key cryptography, with the private half of the key pair living on your phone.
Can You Really Log In from Your Phone? How?
That’s what you’re thinking, right? How is this even possible? Well, it works much like linking your Netflix or Hulu account to a Roku or PS4. Using public-key cryptography (the same family of techniques that secures your website over SSL/TLS), the plugin and the app you download talk directly to one another. No username or password changes hands; instead the login page shows a code, either as a “Keyy Wave” or as a QR code, the app scans it, and the app proves with the private key it holds that it is the phone you enrolled.
How It Works, In Practice
Getting set up with Keyy is actually pretty simple. You head over to the app store of your choice (I’m an Android guy, so that’s what these shots are of) and download the Keyy app. It’s free, so don’t worry. There is a premium upgrade I’ll touch on later, though.
Once that’s done, open the app, and you will be greeted by the simplest sign-up process that I have ever seen. Just an email field. I mean, after all, why would an app that wants to do away with usernames and passwords want you to sign up with a username and password?
When that’s submitted, you get the handy-dandy verification email asking you to click a link to prove that you’re you. That’s standard. After that, you create a 4-digit PIN. That’s going to be one way you log into the app (the other being your fingerprint or other biometric data, depending on your phone).
Once you’ve validated your email and set up your PIN, you can log into the Keyy website, where you’re presented with your Keyy Wave. Just scan the screen with the app to get access to your Keyy account.
The App Itself
The first time you open up the app, it’s empty. But it prompts you to add your first site. To do that, however, you need to have installed the Keyy WordPress plugin on your site. That part isn’t terribly well documented or messaged at all in the app. I just knew you had to do it. There is a “How to use Keyy” menu item, but it takes you to the external FAQ that is again, not terribly easily navigated.
It’s only a couple of clicks, though, and no setup other than activating the plugin has to be done. You get a new menu item called Keyy Login that has the QR code you need to link the app to your WordPress site.
The moment you wave that app in front of the screen, and it catches a glimpse of that code, your page refreshes. Your password is no more, and instead you’re ready to login with…the future!
But…Does It Work?
Of course the first thing I did was log out of my account to see what my login screen looks like now. I was not disappointed.
And since I had LastPass keeping my username/password fields ready, I figured I’d hit the big blue button and see exactly what Keyy would do if a login attempt with valid credentials was made without it.
Good. It locked me out. So I opened up the Keyy app, and it authenticated my fingerprint immediately, and I was able to see the site I had just registered with a Scan to Login button immediately present.
And when I pressed it, I barely got the Keyy Wave inside the brackets before I was brought to my WP dashboard (the same happened with the QR code). It was pretty fancy, and went very smoothly.
The app works, and it’s great. But apps fail. Or we lose our phones. Our nieces and nephews accidentally delete apps. Whatever. So let’s say the worst happens and now we have to get back into our WP installs. Never fear. As long as you’ve backed up your private key, you’re good. The RSA key pair is a double-edged sword here. Because of how the keys work, nobody without the private key can get in, which keeps unauthorized users out very effectively, but it also keeps you out if you lose the private key that unlocks your site (which is held in your app).
Encryption: Private and Public Keys
There is just one string of characters that can unlock the site. When you linked your site, two strings of characters were created, a public key and a private key. Each is a long block of random-looking characters. To give you an idea of what such a string looks like, picture a 256-bit hash of the password ElegantThemesDivi1337!?: a wall of hex that nobody could type from memory. A hash isn’t a key, mind you; the key pair is generated fresh when you link the site and isn’t derived from your password at all.
A little harder to break than a password, right? The public key is what your Keyy Wave and QR code hold. It’s open to the public by design: it’s the jigsaw piece that can check whether its partner is present, but it can’t stand in for that partner. Anyone can see it, it’s meant to be shared, and that is why it can sit safely on the login page of your site.
Because there is only one way in: the other string, your private key, which lives in your app. When you scan the code or wave, the app uses the private key to answer what the page showed it, and the site checks that answer against the public key. If you hold the correct private key, you’re in. Congrats. Without it, the only route is to work the private key out from the public one, which means breaking RSA itself, and at real key sizes that is not a practical attack.
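To make the mechanism sketched under “Can You Really Log In from Your Phone?” and spelled out in this section concrete, here is an added example in Go of how a public-key login of this kind works in general. It is not Keyy’s code and makes no claim about Keyy’s actual wire format; the challenge format (a random nonce shown on the login page), the site URL, the user name and the function names are assumptions made for the example. The site stores the public key only; the phone holds the private key and signs a fresh challenge; the site verifies the signature, refuses a replayed answer, refuses a phone that merely saw the public key, and refuses an answer that was signed for a different site’s URL.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Site is the WordPress side: only public keys and outstanding challenges, no passwords.
type Site struct {
	URL        string
	pubKeys    map[string]*rsa.PublicKey
	challenges map[string]bool
}

// Phone is the app side: the private key is generated here and never sent anywhere.
type Phone struct{ priv *rsa.PrivateKey }

func NewPhone() *Phone {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // a failing system RNG is not something to paper over
	}
	return &Phone{priv: priv}
}

// Enroll is the "scan the QR code under Keyy Login" step: the site learns the public key only.
func (s *Site) Enroll(user string, p *Phone) { s.pubKeys[user] = &p.priv.PublicKey }

// NewChallenge is what the login page would show in the Wave or QR code.
// A random 32-byte nonce is an assumption made for this example.
func (s *Site) NewChallenge() (string, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	c := base64.StdEncoding.EncodeToString(nonce)
	s.challenges[c] = true
	return c, nil
}

// toBeSigned binds the challenge to the site URL, so an answer made for a
// look-alike phishing page is useless when relayed to the real site.
func toBeSigned(siteURL, challenge string) []byte {
	d := sha256.Sum256([]byte(siteURL + "\n" + challenge))
	return d[:]
}

// Answer is what the app does after scanning: sign, and hand back only the signature.
func (p *Phone) Answer(siteURL, challenge string) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, toBeSigned(siteURL, challenge))
}

// Login is the plugin's check: a known user, a challenge this site issued and has
// not consumed, and a signature that verifies under the enrolled public key.
func (s *Site) Login(user, challenge string, sig []byte) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("no key enrolled for that user")
	}
	if !s.challenges[challenge] {
		return errors.New("challenge unknown or already used")
	}
	delete(s.challenges, challenge) // single use: a captured answer cannot be replayed
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, toBeSigned(s.URL, challenge), sig); err != nil {
		return errors.New("signature does not verify under the enrolled public key")
	}
	return nil
}

// RunScenario plays four logins: the enrolled phone (should succeed), the same
// answer replayed, a second phone that saw everything on the login page, and an
// answer the real phone signed for a different site's URL (all three should fail).
func RunScenario() (genuine, replayBlocked, impostorBlocked, wrongSiteBlocked bool) {
	site := &Site{URL: "https://example.com", pubKeys: map[string]*rsa.PublicKey{}, challenges: map[string]bool{}}
	phone := NewPhone()
	site.Enroll("admin", phone)
	c1, _ := site.NewChallenge()
	sig1, _ := phone.Answer(site.URL, c1)
	genuine = site.Login("admin", c1, sig1) == nil
	replayBlocked = site.Login("admin", c1, sig1) != nil
	impostor := NewPhone() // sees the public key and the challenge, but holds a different private key
	c2, _ := site.NewChallenge()
	sig2, _ := impostor.Answer(site.URL, c2)
	impostorBlocked = site.Login("admin", c2, sig2) != nil
	c3, _ := site.NewChallenge()
	sig3, _ := phone.Answer("https://evil.example", c3) // challenge relayed through a look-alike site
	wrongSiteBlocked = site.Login("admin", c3, sig3) != nil
	return
}

func main() {
	g, r, i, w := RunScenario()
	fmt.Println("genuine:", g, "replay blocked:", r, "impostor blocked:", i, "wrong site blocked:", w)
}
```

The two details worth copying into any real deployment are that a challenge is consumed on first use, so a captured answer is worthless afterwards, and that the signed message includes the site’s own URL, so a challenge relayed through a phishing page cannot be turned into a login on the real one.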
So you need to make sure that you never lose the private key. Luckily, Keyy tells you to back it up the very first time you log into the app after connecting a site.
Since my phone runs Android, I clicked the button, and the private key saved to my phone’s SD card as a .json file. Afterward, I just uploaded it to Google Drive. I got a notification when it was downloaded, too. On iOS (I presume) you have the option of iCloud, OneDrive, or Google Drive, etc.
I can now restore the app at any point with that file. If I were using Keyy for my main login across all my sites, I would probably store the private key not only on my phone’s drive, but also on a USB drive and in Dropbox, too. One caveat: that backup file is the credential. Whoever holds a copy can log in as you, so every extra copy is one more place it can leak, and any copy that goes to cloud storage should be encrypted with a strong passphrase first.
On the free plan, you get enough for normal users and small businesses: 5 installs and users, with some ads here and there. If you buy one of the premium plans, you get a few added features.
And while all of them are pretty handy to have and probably worth the upgrade in all honesty — if this is going to be how you secure your sites — the two that are the most important are Stealth Mode and the Multi-Factor Login Options.
Regarding Stealth Mode: you may simply not want your public key to be too public. Exposing it is still perfectly safe, since the public key on its own can’t be used to log in, but there are lots of baddies on the web probing login pages for anything they can use. With a premium Keyy account, you can make sure only you and yours can see the QR code or Keyy Wave.
And for the login options, you can require the password in addition to the Keyy app, so the app on its own isn’t enough to get in. Things like that. You just get more control over what you can do with your site, which I don’t see as a bad thing.
Plus you get more sites and users for those sites who can use Keyy, depending on your upgrade tier. That may or may not apply to you. But if you run a big team, it’s a consideration for sure.
I wasn’t quite sure what to expect when I dug into looking at Keyy. When I saw the animation on their homepage that depicted a phone just waving by a monitor and logging in, I was skeptical. I hate keeping NFC turned on, my main PC doesn’t even support NFC, and I was thinking to myself…how does this work with NFC anyway? (It doesn’t. NFC had nothing to do with it, but that was the only way I could see a wave working.)
But I was wrong. All it really takes is a wave in front of your monitor to log in. Keyy has the fastest code recognition of any app I’ve ever used. I wish other apps would license whatever they’ve done, because it makes code scanning downright pleasant instead of “eh, it works well enough.”
If I ran a site that needed 2FA, I’d definitely be looking at Keyy. It may not be the solution for everyone, but there’s enough here already to show that the foundation they’ve laid in version 1 (and yes, this is still version 1) is strong enough for them to build an even more solid product in the future.
Besides, using an app sure beats clicking on never-ending grids of cars, storefronts, and street signs.
What method of two-factor authentication do you use for your sites?
Article featured image by Titima Ongkantong / shutterstock.com