• kevin-itg

    (@kevin-itg)


    Hi,

    I have some users that don’t want to use their own personal devices for OTP authentication, so I have started to look into hardware OTP Token devices.

    Does anyone know if it’s possible to use Hardware Tokens (https://www.microcosm.com/it-security-hardware/oath-otp-authentication-tokens) that generate 6 digit OTP codes with WordPress “I have the C200 TOTP Token”, I also have the seed for the token (which is hardware encoded) but can’t seem to find an up to date plugin that will work with this type of device. I have found a very old plugin (https://www.token2.com/shop/page/token2-hardware-tokens-plugin-for-wordpress) that hasn’t been updated for a very long time. Is there a way I can add my secret to the WordPress database? Or is there a better solution / plugin?

    Hoping someone out there has or has had a similar experience with this type of problem. Could this be added to WordPress in a future release?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hello @kevin-itg
    As per my thoughts, to integrate hardware OTP tokens like the C200 TOTP Token with WordPress, you can use a plugin or custom solution to enable TOTP-based two-factor authentication. Although there are no recent plugins specifically designed for your device, you can adapt standard TOTP-compatible plugins to work with the hardware tokens by using their shared secret (seed).

    A recommended approach is to use a widely supported two-factor authentication plugin like WP 2FA or Two Factor. These plugins are TOTP-compliant and allow you to register a shared secret. You can manually input the token’s seed into the plugin’s settings for each user. This way, the tokens can generate codes that the plugin will validate.

    If your specific hardware token doesn’t integrate seamlessly, you can write custom code to handle the validation. Use a library like PHPGangsta/GoogleAuthenticator to compare the OTP generated by the hardware token with the server-side validation. Store the token’s seed securely in the WordPress usermeta table, and modify the authentication flow to include OTP validation.

    If your users don’t want to rely on third-party devices, using these steps ensures compatibility and avoids relying on outdated plugins. While native support for hardware tokens in WordPress core is unlikely, this method provides a robust workaround.
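
The seed-based validation described in the reply above, as an added example that is not part of the original thread or of any plugin's code: it converts a token seed to the Base32 form TOTP verifiers usually store, then checks a code per RFC 6238 with a drift window and replay protection. Assumptions: the vendor delivers the seed as a hex string and the token uses HMAC-SHA1, 6 digits and a 30-second step; all function names are hypothetical, and the sample seed is the RFC 6238 test key, not a real token.

```python
import base64, hashlib, hmac, struct, time

# Constructed sample: the RFC 6238 SHA-1 test key ("12345678901234567890") in hex.
SAMPLE_HEX_SEED = "3132333435363738393031323334353637383930"

def hex_seed_to_base32(hex_seed: str) -> str:
    """Convert a hex seed (assumed vendor format) to unpadded Base32."""
    raw = bytes.fromhex(hex_seed.replace(" ", ""))
    return base64.b32encode(raw).decode("ascii").rstrip("=")

def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at) // step)        # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)      # keep leading zeros

def verify(secret_b32, code, at=None, step=30, window=1, last_counter=-1):
    """Return the matched time-step counter, or None if the code is rejected.

    `window` tolerates clock drift in the hardware token; `last_counter` is the
    step of the last accepted code, so the same code cannot be replayed.
    """
    at = time.time() if at is None else at
    current = int(at) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue                                    # already used or older
        expected = totp(secret_b32, counter * step, step)
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            return counter
    return None

if __name__ == "__main__":
    secret = hex_seed_to_base32(SAMPLE_HEX_SEED)
    print("Base32 secret:", secret)
    print("Code at t=59:", totp(secret, 59))
    print("Accepted at step:", verify(secret, totp(secret, 59), at=59))
```

Persist the returned counter per user and pass it back as `last_counter` on the next login so a code observed once cannot be reused within its validity window.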

    Thread Starter kevin-itg

    (@kevin-itg)

    Hi,

    Many thanks for your reply. An interesting reply to say WordPress might not add this facility as several professional companies I’ve spoken to are specifically targeting their efforts on TOTP hardware devices that work with Microsoft 365 etc as software can be subject to hacking. Whereas a hardware device cannot be copied without the serial number and seed.

    A lot of companies’ employees (I look after) don’t want to use their own personal devices for Software 2FA, so I had to look for an alternative.

    I’ve managed to contact Token2 and they say their plugin, even though not updated for several years, is still working. So I will use this plugin going forwards, though as a professional myself I would rather use something that will work straight out of the box (per se) rather than writing my own program to work with industry standard hardware TOTP hardware devices.

    Hopefully someone on the forum will find this useful when trying to use a TOTP hardware device on WordPress websites.

    Just as a side note, the “Two Factor” plugin will not currently work if you use the Solid Security Plugin (it throws an error). I’ve also contacted Solid Security to see if they will add this functionality.

    I don’t pertain to be a 2FA or TOTP expert but I am an IT Professional, in my industry every day is a learning experience.

    Thanks again for your reply.
