PhoneFactor is a WordPress plugin that provides an additional layer of security when logging in to your WordPress site.
It’s a pretty cool system. When you log in to your WordPress blog with PhoneFactor enabled, you receive a phone call asking you to press # to authorize. When you do so, you are logged in. If you do not, then the login attempt fails.
Basically, this means someone needs to get your username, password and phone in order to log in to your WordPress site as you.
Crowd Favorite worked with the PhoneFactor team to build this integration on their API layer. This was a fun project for us – it’s always nice to enhance WordPress by integrating features from another service.
Besides building the integration with the API to authenticate via phone, we also built the PhoneFactor registration step right into the WordPress admin so that the user wouldn’t have to leave the WordPress admin when activating the plugin and getting it set up. I think it’s a much better user experience.
We integrated some instructional banners into the WordPress admin pages to let people know the next steps to getting things set up after activating the plugin. We also built in some more advanced user features like whitelisting IP addresses so that you don’t have to use PhoneFactor authentication if you’re logging in from your home machine.
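The login flow described above, as an added PHP example that is not the PhoneFactor plugin's code: the password is checked first, then either a whitelisted source address or a confirmed phone call lets the login through. The function names, the `$confirmByPhone` callback, the IPv4-only whitelist format and the fail-closed handling of an unreachable service are assumptions of this example.

```php
<?php
// Added illustration, not the PhoneFactor plugin's code; all names are hypothetical.
/** True if IPv4 address $ip falls inside $cidr ("203.0.113.0/24" or a bare address). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
        return false; // a malformed entry must never match everything
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * $confirmByPhone stands in for the out-of-band call: true = user pressed #,
 * false = declined or no answer, throws = calling service unreachable.
 * $remoteIp should be the socket peer address, not a client-supplied header.
 */
function decide_login(bool $passwordOk, string $remoteIp, array $whitelist, callable $confirmByPhone): string
{
    if (!$passwordOk) {
        return 'deny:password';        // no call is placed for a wrong password
    }
    foreach ($whitelist as $cidr) {
        if (ip_in_cidr($remoteIp, $cidr)) {
            return 'allow:whitelist';  // password only: the phone factor is skipped here
        }
    }
    try {
        return $confirmByPhone() ? 'allow:phone' : 'deny:phone';
    } catch (Throwable $e) {
        return 'deny:unavailable';     // assumption of this example: fail closed on outage
    }
}
// Constructed sample inputs using documentation address ranges.
$whitelist = ['203.0.113.0/24'];
$outage    = function () { throw new RuntimeException('service unreachable'); };
$cases = [
    'wrong password'      => [false, '198.51.100.7', fn() => true],
    'whitelisted address' => [true,  '203.0.113.9',  fn() => false],
    'call confirmed'      => [true,  '198.51.100.7', fn() => true],
    'call not confirmed'  => [true,  '198.51.100.7', fn() => false],
    'service unreachable' => [true,  '198.51.100.7', $outage],
];
foreach ($cases as $label => [$pw, $ip, $confirm]) {
    printf("%-20s %s\n", $label, decide_login($pw, $ip, $whitelist, $confirm));
}
```

The `allow:whitelist` branch is the trade-off in the whitelisting feature: from those addresses the login is protected by the password alone.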
The download and more information are available at the WordPress Plugin repository on wordpress.org.
Enjoy!
Great plugin for security. Just tried it out but looks like it needs CURL to be installed. It’s working, though it gave a constant warning message at the top of admin pages.
Will this work in the UK? Other areas?
I don’t know, I think about it and it doesn’t seem like a good idea for me, at least not for blogs.
I mean, what will happen when (not if, but when) PhoneFactor is down? Then there is the problem of costs associated to the service. Phonefactor may be free, but I travel between (and live in) Canada and Mexico, and while in Mexico such a call will be free for me, that’s not entirely true in Canada (at least not with my current plan). At least they ain’t using SMS (now that’s expensive!) to authenticate me just to enter my blog.
However, I find it a real good idea to use it for banking services and online shopping. If I do a transaction, Phonefactor calls me, I say yes (or dial my pin, or press pound) and then the transaction proceeds as usual. Now that’s a good idea!
Just my two cents.
I think this is very interesting. I like the idea and I am going to check it out. I am curious what would happen if the service is down; can I disable it by simply removing the plugin?
[…] Meet the Phonefactor WordPress plugin. […]
@no – Yes, it does work outside of the U.S.
30 countries, according to their website, as mentioned here:
http://www.phonefact[...]bal-services
Sounds interesting, but wondering if day to day users will even try to use it.
So what happens when someone is trying to hack into your website and you start getting phone calls in the middle of the night…
There is an option to “stop calling me” in the phone prompts. We also catch this and reset the password on the WordPress side so that the calls will stop. Also note that the person would need to get your username and password correct before you’d get the call (at which point being woken up may actually be a good thing).
To the previous question – yes CURL is required for making SSL connections from your WordPress install to the PhoneFactor server.
[…] of WordPress, I came across the PhoneFactor plugin, which offers an additional step when logging in to WordPress – after submitting the username […]
It doesn’t work for me on HostGator servers; I just get phone number invalid, although I’ve tried all the variations I can of the number, with the correct country code.
What would make this work so much better is simply this:
You enter your text message email address.
When you go to login, it emails a 4 digit PIN to your phone.
Use that to log in.
Straightforward simple two factor authentication.
Haven’t managed to get it working on T-Mobile. Who’s in charge of supporting this?
It’s great to see all the discussion about the PhoneFactor plugin.
Some two-factor solutions do work like Chad suggested and send a text or e-mail with a one-time password or pin. There are some drawbacks to these types of systems. First they only work with cell phones and PDAs. PhoneFactor works with any landline or cell phone. Also, text messages often have a delay, which can be a real pain if you have to wait on the text message to complete your sign on. And instead of having to rekey a pin into the login page, with PhoneFactor you can simply answer the phone and press #.
PhoneFactor is free for UK landlines, but not mobile phones (due to the high cost of calls to UK cell phones). I think that may be the reason for the invalid phone number message Georgr is getting.
PhoneFactor Product Team
PhoneFactor Support can help with questions related to the service. E-mail support@phonefactor.net.
[…] AlexKing.org :: PhoneFactor 1.0 PhoneFactor is a WordPress plugin that provides an additional layer of security when logging in to your WordPress site. […]
Hey Alex,
What if you have a Blog Network, with multiple authors & multiple passwords for each individual author’s login?
How can you account for that?
Also, perhaps, Phone Factor can be integrated along with the Audit Trail Plugin, whereas, not only you can add a level of security, but also know who & when someone was logged in.
But, if you do have multiple authors & logins, would each author use their own phone number? Thereby, it still wouldn’t be secure for the main blog/site owner. Anyone else have thoughts on this?
I agree with “Quoth, the Raven” that it is not so suitable for blogs.
But this is a good idea for any kind of web application that require a high level of security.
But then again some might argue that their blog is the most important thing in their lives, and it DOES require that level of security.
[…] this service is now also for blogs, more precisely for WordPress blogs via plugin. That sounds… useful? When I think about how often I am in the admin area for a short time […]
This is a joke! Please tell me that this is a joke…
I’m from Austria. In Austria and in Germany every website must have an impressum, and in this impressum you have to tell the whole wide world your phone number (some jurists say ..never ever a mobile phone, only landline) …
….
my phone number as a security element…. *lol*
😉
no hard feelings, but laughing ..
Monika
[…] Phone Factor – brand new plugin by Alex King and creates a new cool option to secure login to your blog, here is quote from Alex “When you log in to your WordPress blog with PhoneFactor enabled, you receive a phone call asking you to press # to authorize. When you do so, you are logged in. If you do not, then the login attempt fails”. […]
Monika,
It’s not using the phone *number* as a security element — it’s using a phone *call* as a security element.
The phone call acts as a second authentication channel.
It is typical in security to add another authentication channel, usually from a different technology domain, so that anyone who wants to steal your account will have to get your credentials on both channels.
In other words, someone trying to steal your account will have to get your password AND have access to your phone calls.
You don’t authenticate yourself with the phone number but as david said the phone call is the authentication process.
Alex, while I agree with you that this is a great idea, could you please drop a hint to Crowd Favorite to knock off the spamming. They’ve hit a large number of sites, including the typepad, movable type, drupal, and edublogs support forums. It really gives wordpress a bad name to see a plugin promoted via spam and to see your name associated with this.
http://wordpress.org[...]topic/186359
I have no idea who is doing the spamming, but I can assure you it is not Crowd Favorite (which is my company). We built the plugin and I posted this blog post, which is all we’ve done to publicize it.
I’m here as well because someone named “breanan” posted about this WP plugin:
I DARE YOU TO STEAL MY BLOG
You can’t with this new WP plugin. Developed by the master himself, alex king.
http://wordpress.org[...]phonefactor/
I find it hard to believe that you don’t know this person or have not hired them to promote your plug in. Perhaps they are connected with the phone service that is used…?
But if it’s true I would distance yourself from them as much as possible and consider using another phone service that doesn’t need to spam. Nice feature, by the way, but overkill in my opinion just to keep someone from logging into a blog. And it still has nice options for abuse… 🙂
Sorry about the spam everyone.
An overzealous intern recruited some friends back home (yes – India) and went a little post crazy.
They have been reprimanded and it has been stopped immediately.
Neither Alex nor his team at Crowd Favorite had anything to do with this.
Our apologies.
PhoneFactor Product Team
[…] today announced that PhoneFactor, its phone-based authentication technology, is available as a free plug-in to WordPress, the largest self-hosted blogging tool in the world. With PhoneFactor, WordPress’ hundreds of […]
Alex,
Just a suggestion – in the interests of openness, it may be better to explicitly call out that Crowd Favorite is your company. While I see you’ve used ‘we’ and ‘us’ in the post, it does come across like you’re trying to give an impartial review of a product – which you’re not. Most bloggers would put an explicit disclaimer in their post to avoid any perception of underhand bias…
Guy
Interesting. I’ve got a bit about Crowd Favorite on my home page, in my sidebar, and I listed this as a “Case Study”… I guess I thought I was making it clear that it was something we built. I never intended not to.
Interesting. I saw the ad for this service on tv, and thought it might be useful.
I’ll have to try it.
I presume if you MUST access your blog and the service is down, you can just log into the server and delete the plugin file?
Yes, that would work fine.
This is a very cool plugin. I do agree with some of the comments that there might be some limitations if there is any problem in the chain of layers. But I think if there is a concrete error, you can always enter your server and change and get into WordPress. I generally like it.
[…] You can learn more about Phone Factor and download it here. […]
This is fantastic!
Sorry for bumping and commenting on an old post, but this is a brilliant addon.
What happens if you lose your phone, run out of batteries, or just don’t get a signal?
I think those are valid concerns, but I have to say that the reality of recovering from all of those situations with my phone is much simpler/convenient than any of the alternative problems with tokens. Have you ever had to carry a SecurID token or keep track of a PKI certificate? I prefer waterboarding to being the IT person that has to manage that. And if you’re a consumer, way too expensive for anything but the most valuable of web properties (e.g. E*trade account with 50k in it).
Worst case, I can’t login unless I have a phone signal and my charger. If I lose my cell phone, I have to replace it anyhow. If I lose a token or cert, again … waterboarding, please.