Exploring Passwordless Login for WordPress Sites

Is your WordPress site still relying on outdated password authentication? As an experienced WordPress user myself, I know we often focus more on content and functionality rather than the login experience. But passwords are increasingly insecure in today's threat landscape.

Luckily, new technology is emerging to eliminate passwords altogether. In this post, I'll explore how the WordPress plugin iThemes Security Pro implements passwordless biometric login to make accessing your site more secure and user-friendly.

Passwords are the Weak Link in Security

Before we dive into the passwordless future, let's briefly recap why traditional passwords have become untenable:

  • 81% of hacking-related data breaches are due to attackers leveraging weak or reused passwords, according to Verizon's 2020 DBIR.
  • People average over 100 online accounts, leading to ubiquitous password reuse even when told not to.
  • Two-factor authentication (2FA) adds extra steps and codes without actually solving the root password problems.

Many WordPress site owners try to implement password policies and force users into resetting periodically. But this leads to subtle weakening as people switch characters or numbers in predictable ways.

Table: Common Password Security Methods

Method                      | Weaknesses
Password complexity rules   | Difficult to remember, reused anyway
Forced periodic resets      | Predictably changed passwords
Multi-factor authentication | Cumbersome, still relies on passwords

The password model is simply no longer adequate for securing critical websites and data. Exciting new technology known as WebAuthn finally provides a reliable passwordless alternative.

Introducing WebAuthn Passwordless Authentication

WebAuthn is a new web standard allowing passwordless login via biometrics like fingerprints or facial recognition you likely already use to unlock your personal mobile devices. But how does it work?

Rather than sending a password over the internet, WebAuthn uses asymmetric cryptography with a public/private key pair. The private key is stored securely on the user's device, while the associated public key is registered with each website they access.

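To log in, the user unlocks their device via fingerprint, Windows Hello, or other biometric identification. The unlocked device then signs a one-time challenge from the website with the private key, and the site checks that signature against the registered public key. This proves possession of the private key, allowing truly passwordless yet ultra-secure website authentication.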
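The login exchange described above, simulated end to end in Node.js as an added example (not code from iThemes Security Pro or from the original post). The relying-party ID, origin and function names are constructed for illustration, and the authenticator is a software stand-in.

```javascript
// Simulated WebAuthn login check. All names and values are constructed for this example.
const crypto = require("crypto");

const RP_ID = "example.test";            // constructed relying-party ID
const ORIGIN = "https://example.test";   // constructed site origin
const sha256 = (d) => crypto.createHash("sha256").update(d).digest();

// Registration: the device creates a key pair; the site stores only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey, counter: 0 }, stored: { publicKey, counter: 0 } };
}

// Authenticator side (software stand-in): runs only after the user unlocks the device.
function signAssertion(device, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(++device.counter);
  // authenticatorData = SHA-256(rpId) | flags (UP 0x01 + UV 0x04) | signature counter
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), counter]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = crypto.sign("sha256", signed, device.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: returns "ok" only if every check passes, otherwise the reason for rejection.
function verifyAssertion(stored, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== ORIGIN) return "origin mismatch";            // blocks phishing sites
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpId mismatch";
  if ((a.authenticatorData[32] & 0x05) !== 0x05) return "user not verified";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  if (!crypto.verify("sha256", signed, stored.publicKey, a.signature)) return "bad signature";
  // This demo's authenticator always counts; real ones may report 0 (no counter support).
  const counter = a.authenticatorData.readUInt32BE(33);
  if (counter <= stored.counter) return "counter did not advance";   // replayed or cloned key
  stored.counter = counter;
  return "ok";
}
```

The server issues a fresh random challenge per login attempt, so a captured assertion cannot be reused, and the origin check is what makes a response signed for a look-alike domain worthless on the real site.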

Leading web browsers, operating systems, and standards groups have aligned behind WebAuthn to ensure interoperability. And plugins like iThemes Security Pro are bringing passwordless functionality into WordPress itself.

Effortless Passwordless WordPress with iThemes Security

iThemes is a trusted name in WordPress security, protecting over 1 million websites with their Security Pro plugin for the past decade.

"We chose iThemes Security Pro because it simplified access management enormously while giving us peace of mind." – Martha Cameron, Designer at WebCreative

The company has extensive cybersecurity expertise creating IT solutions for small businesses up to the Fortune 500. Leveraging this knowledge into an easy-to-use WordPress security toolkit has made them an industry leader.

iThemes Security Dashboard

With iThemes Security Pro's latest updates, you now get integrated WebAuthn support for completely passwordless WordPress authentication.

The plugin centralizes biometric login configuration and user access controls into one dashboard:

To set up passwordless access:

  1. Install and activate iThemes Security Pro
  2. Navigate to Security > Settings
  3. Check boxes to enable "Passwordless Login" and "Passkeys"
  4. Under User Groups, choose roles to enable passkeys for

Once passkeys are enabled for their account, users simply log in with their existing WordPress password once to register a passkey. Future logins are then authenticated via Windows Hello, TouchID, or another biometric unlock already in use on their personal device.

[Image: Passwordless login prompt]

With robust cryptography standardized across tech industry leaders, biometric multifactor provides far better security than passwords alone while improving the login experience for WordPress users.

Adding Passkeys to Go Completely Passwordless

Users will need to add a passkey the first time they log in after passwordless login is enabled. Here are step-by-step instructions for registering biometrics:

On mobile:

  1. Log in with your password when prompted
  2. Tap Add Passkey
  3. Choose fingerprint or face recognition
  4. Scan your fingerprint or face to register the device

On Windows 10:

  1. Log in with your password when prompted
  2. Click Add Passkey in popup
  3. Choose Windows Hello PIN or biometric sign-in
  4. Enter PIN or scan biometrics to register device

Once initially set up, passwords are disabled for enabled accounts. Users will authenticate seamlessly using biometrics going forward anytime they visit your WordPress site.

If adding a passkey ever fails, users can simply fall back to their password, which will prompt another passkey registration attempt on the next login. Admins can also reset passkeys or revert to password authentication via the user profile page.

Eliminating Passwords is the Future

Passwords have been a necessary evil required for account security on the web. But as breaches expose their weaknesses for securing critical systems, better login technology has emerged with WebAuthn and biometrics.

All major platform vendors, including Microsoft, Google, Apple and Mozilla, are expanding support for passwordless FIDO2 logins. And plugins like iThemes Security demonstrate that seamless integration in common web apps like WordPress is viable too.

Over 80% of consumers state they are interested in a passwordless future according to research firm Gartner. As more understand the security and ease of use benefits, WebAuthn adoption is expected to grow 200% by 2022.

So don't leave your WordPress site's front door swinging wide open with easily cracked passwords! Look into biometrics and WebAuthn passwordless authentication. Unique cryptographic keys tied to your users' devices offer far better defense than any password policy.

Give your site and its visitors the passwordless experience that is shaping the login standards of tomorrow, today, with iThemes Security Pro. No codes, no tokens, no passwords getting in the way of secure access.