When I enter the wrong otp yubikey code to check if everything works well I get an error as shown in the attached photo
https://www.pensierando.it/error.png
Warning: hash_equals(): Expected known_string to be a string, null given in /
this on all issues.
I want to clarify that I have transferred my domain from Aruba Italy to Vhosting.
Access is successful if I enter the right OTP, or it gives me an error if I don’t enter any OTP,
but if I put in a wrong OTP it gives me a PHP error.
Could it be a plugin bug?
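An added example (not part of the post above and not the plugin's code) of checking a validation-server reply so that a wrong OTP is rejected without a PHP warning. It assumes the Yubico validation protocol's signed key=value reply format; the function names and all sample values are constructed, and the actual cause inside the plugin is not shown on this page.

```php
<?php
// Added example, not the plugin's code. All sample values are constructed.

// Parse "key=value" lines; split on the first '=' only (base64 values end in '=').
function yk_parse_response(string $body): array {
    $fields = [];
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        $parts = explode('=', $line, 2);
        if (count($parts) === 2) {
            $fields[trim($parts[0])] = trim($parts[1]);
        }
    }
    return $fields;
}

// HMAC-SHA1 over the key-sorted pairs (without h), joined by '&', base64-encoded.
function yk_sign(array $fields, string $raw_key): string {
    unset($fields['h']);
    ksort($fields);
    $pairs = [];
    foreach ($fields as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return base64_encode(hash_hmac('sha1', implode('&', $pairs), $raw_key, true));
}

// True only for a correctly signed status=OK reply that echoes our OTP and nonce.
function yk_response_ok(string $body, string $otp, string $nonce, string $api_key_b64): bool {
    $f = yk_parse_response($body);
    $raw_key = base64_decode($api_key_b64, true);
    // Reject before comparing: a missing field is null, and hash_equals(null, ...)
    // is what raises "Expected known_string to be a string, null given".
    if ($raw_key === false || !isset($f['h'], $f['status'], $f['otp'], $f['nonce'])) {
        return false;
    }
    if (!hash_equals(yk_sign($f, $raw_key), $f['h'])) {
        return false;
    }
    return $f['status'] === 'OK' && hash_equals($otp, $f['otp']) && hash_equals($nonce, $f['nonce']);
}

// Constructed replies: one signed BAD_OTP reply, one truncated reply without h.
$key_b64 = base64_encode('constructed-demo-key');
$otp = str_repeat('c', 44);
$nonce = 'n0nce1234567890a';
$bad = ['otp' => $otp, 'nonce' => $nonce, 'status' => 'BAD_OTP'];
$bad_body = 'h=' . yk_sign($bad, base64_decode($key_b64)) . "\notp=$otp\nnonce=$nonce\nstatus=BAD_OTP";
var_dump(yk_response_ok($bad_body, $otp, $nonce, $key_b64));
var_dump(yk_response_ok('status=BACKEND_ERROR', $otp, $nonce, $key_b64));
```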
wonder why this was abandoned
Hi,
It appears that this plugin hasn’t been updated for more than 2 years. Is it still safe to use?
Is it still being maintained? If not, would it be ok for me to take over the plugin as I would like to update it and perhaps improve things a little.
I’d love to update it and give people confidence in this great plugin again, and promote the use of physical security devices for WordPress such as the Yubikey.
Can you please add the attribute?
autocomplete="off"
Because if you use the same computer for a long time, the autocomplete is there. It’s not fine.
Greetings Huskynarr
Hi,
I have installed the plugin and now there is a Yubikey-Login required, even if Yubikey authentication is disabled.
I also have problems with other users, before they can change their Yubikey-Settings, they can’t log in, because they also see the Yubikey-Login-Field, which they cannot pass because they didn’t set the settings…
The only way I see is to deactivate the plugin again.
Do I make a mistake or is there something broken with my installation?
Best
Henner
Hi,
Just wondering if this plugin is still active or is it abandoned? I wish Yubico maybe sponsored this to improve it.
Had to disable it a couple of times after reinstalling and configuring it with new keys and yubikeys.
When I try to login I get an invalid password error. After I disable yubikey, I can login.
Adding tabindex to the OTP Title URL:
function yubikey_loginform() {
echo "<p>";
echo "<label><a tabindex=\"-1\" href=\"https://www.yubico.com/products/yubikey/\" target=\"_blank\" title=\"".__('If You don\'t have a Yubikey enabled for Your WordPress account, leave this field empty.','yubikey')."\">".__('Yubikey OTP','yubikey')."</a><br />";
echo "<input type=\"text\" name=\"otp\" id=\"user_email\" class=\"input\" value=\"\" size=\"20\"/></label>";
echo "</p>";
}
Then, the OTP Field can be reached as normal with 1 tab after the password field.
More user friendly.
Additionally, I would like to request a small filter within the function: yubikey_check_otp()
// apply_filters() needs a value to filter; the default of false keeps the OTP check on
if (apply_filters("customsinglesignon", false) === true) {
return true;
}
Most of my customers use an SSO page where they authenticate themselves, including yubikey. They are not able to automatically pass the yubikeyauth on the page, as I cannot force them to login.
With our plugin, all direct logins are handled and protected well, but with the small filter, I can use other login “security” plugins to hack and bypass the yubikey, if the customer has other modules too in parallel.
Would be nice if there would be an update, otherwise I will need to release my own version, which I do not want to.
Regards
Stefan
(Topic subscribed for updates)
Can we get U2F support? I’d prefer that instead of (or in addition to) OTP.
Hi, I just received a Yubikey and am trying to get it to work on my WP site. In your installation guide, it says I need to get an API. To get this, I need to set an OTP. Where do I get this OTP?
Hi Henrik,
Thank you for writing this great security plugin. Always nice when someone already wrote something I really need!
There is one issue I noticed though. I noticed that you call the yubikey API via the HTTP protocol – I don’t really understand why Yubikey is supporting this protocol.
Since an OTP is going over this line I would really suggest to move this over to HTTPS to make sure that the OTP is not visible to anyone who is not supposed to see this information. When doing this please make sure you validate the SSL certificate provided by the Yubikey server. This can sometimes be rather tricky with the curl library.
Thanks again for making this plugin. And if you have any questions or need some help please feel free to contact me.
Ruben.
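The change suggested in the post above, sketched as an added example (not the plugin's code): the verify request sent over HTTPS with certificate and host-name validation enforced in PHP's curl extension. The endpoint is Yubico's public validation URL; the function names and timeouts are assumptions.

```php
<?php
// Added example, not the plugin's code. Function names and timeouts are assumptions.

// Fresh 32-character nonce per request so a captured reply cannot be replayed.
function yk_new_nonce(): string {
    return bin2hex(random_bytes(16));
}

// Fetch a verify reply over HTTPS with certificate checks enforced.
// Returns the body, or null on any transport/TLS failure (caller must deny login).
function yk_fetch_verify(string $client_id, string $otp, string $nonce): ?string {
    $url = 'https://api.yubico.com/wsapi/2.0/verify?' . http_build_query([
        'id' => $client_id, 'nonce' => $nonce, 'otp' => $otp,
    ]);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // chain must validate against the CA bundle
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate name must match the host (2, not 1)
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain http://
        CURLOPT_FOLLOWLOCATION => false,           // no redirects to another host or scheme
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $ok = $body !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    if (!$ok) {
        // Log the reason (for example a certificate error) and fail closed.
        error_log('yubikey verify request failed: ' . curl_error($ch));
    }
    return $ok ? $body : null;
}
```

Inside WordPress, wp_remote_get() performs the same certificate checks as long as its sslverify argument is left at the default of true.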
Hi,
I’m curious how compatible this plugin is with the Google Authenticator plugin (both are developed by Henrik Schack). Will installing and activating both plugins break anything?
Ideally, I’d like to give users the option of logging in with either the Yubikey or Google Authenticator.
Additionally, it’d be excellent if one could configure their account with both Google Authenticator and Yubikey so that one could use either option to authenticate. This would have been useful recently when my host had some technical problems that prevented DNS lookups on the server and so the plugin was unable to query the Yubikey API server. Having Google Authenticator as a “backup” method if Yubikey’s system is inaccessible for whatever reason would be great.
Cheers!
-Pete
On one of my sites I still used to log in under admin. In phpMyAdmin I changed the login to a more secure one.
As expected I couldn’t log in any more so I disabled the yubikey plugin, and got in the dashboard. I reinstalled the yubikey plugin, entered the api id and key and logged out.
When I tried to login I got the message “Wrong password” so to be sure I generated a new password. Tried to login : “wrong password” Disabling the yubikey plugin gave me access with that new password –> ie. seems that the yubikey locks me out.
Reinstalling via plugin install of the yubikey plugin shows the same behaviour.
Although I like this kind of security I would like to use another login name, so what do I need to remove / change from the database to have my new ‘admin’-login working?
Hi there
I’ve been testing wp-debug for my theme development and I noticed that with yubikey plugin I get this error:
Notice: has_cap was called with an argument that is deprecated since version 2.0! Usage of user levels by plugins and themes is deprecated. Use roles and capabilities instead.
(I had disabled all plugins except this one- and it went when disabling yubikey plugin so I know it is this one)
Best
Chris
any suggestions?
I tried to install it to multiple sites, and then it stopped working and I can’t login.
Hi I have installed the plugin and configured the Yubico ID & API key. But I am still able to log in without using the yubikey?
My admin area is protected by SSL but I wouldn’t have thought that would cause a problem?
The Split() is deprecated in PHP version 5.3+
Instead of Split() you must use explode().
I have installed the Yubikey-plugin version 0.94 in wordpress 3.4.
The documentation points to https://api.yubico.com/get-api-key/ to get a key. But this URL has changed, the old one doesn’t work anymore.
The new URL is https://upgrade.yubico.com/getapikey/
Please, can you maintain the documentation (installation tab) and the plugin options-page?
The plugin is working fine when using the new URL. Many thanks for that!
Regards,
Maarten Mastbroek
https://techblog.mastbroek.com
Can we make the input field for yubikey a password field rather than a plain text field? I know it makes no difference to the security but it’s just a psychological thing.
Is it at all possible to make the yubikey authentication appear after successful username/password authentication? That way non yubikey users never have to see the yubikey prompt. Only those that the yubikey is active for see the yubikey auth.
Also can you include a way a user can disable yubikey authentication in the event that the user loses his/her key? Thinking it works in the same way as forgot password. But instead the yubikey user is sent a de-activation link to their registered email address.
Many Thanks
Scott
I never got around to posting this request/issue so I’ve actually had the plugin disabled for quite some time. It would seem that this plugin hooks in such a way that it prevents being able to authenticate and ultimately post via XMLRPC and/or the WordPress Mobile Apps. I’m not quite certain if the WordPress Mobile Apps are using XMLRPC or not but I do know that when I have this enabled on my account I lose the ability to access from the mobile app. I’ll be honest that I’m not sure if there is actually a fix for this. It doesn’t seem that the mobile app has any way to know what plugins are installed in a WP site and have any way of presenting that functionality in the mobile app. The solution would be to not require the OTP when accessing via Mobile App or XMLRPC but then it really wouldn’t be providing much security then anyways. However I wonder if there wouldn’t be some way of including the OTP as a part of the password. Though I’m not certain this would be of use as I cannot plug my Yubikey into my Android phone. Well, as I’ve said I don’t really have any good solutions off the top of my head but I thought that I’d at least report it in the hopes that someone has a great idea. I love the idea of using my Yubikey to secure the WP sites, it’s just not practical from a Mobile Admin perspective.