Clef is a new plugin that I heard about from Dustin Hartzler, and it does something quite revolutionary in my opinion: it replaces using a password to log in to WordPress with logging in using your phone.
In the last several years, there have been several high-profile security breaches, such as LinkedIn, Sony and Apple, to name but a few. Clearly, no one is safe from being hacked!
The current method of using passwords to log in is no longer fit for the modern web: computers are becoming more powerful and as such, they can break most passwords pretty quickly. As Brennen, the plugin developer, put it, “Passwords are a competition between the power of your memory and the power of a computer”. And we’re starting to lose that battle.
We now have hundreds of online accounts, and you have to choose between going with a memorable password (which can be hacked easily) and using the same password on multiple sites, which decreases your overall security.
Furthermore, passwords have to be stored somewhere, which means that they can be retrieved, albeit by force. So this is far from an ideal situation.
In response, Clef does something quite revolutionary that I’m really excited about.
The technology requires a smartphone, on which you’ll need to install an app (iOS and Android, both currently free), and a WordPress site with the plugin installed (also free).
The technology is the really cool part. When you want to log in, you use your smartphone camera to look at your WordPress login screen to scan a moving barcode (called a Wave by Clef).
The Wave is a graphical representation of a 300-character RSA key, which according to the developers would take billions of years to decrypt. Certainly beats your 12-character alphanumeric password!
Getting it installed
Intrigued!? You should be: this is one of the coolest innovations I’ve seen recently.
To get started, go to getclef.com and click on Download the App, and follow the prompts to download the app for your phone. Open the app and create an account using the same email address that you use in your WordPress profile.
Then, go to your WordPress site and install the Clef plugin.
Head on over to Settings > Clef, enter a descriptive name for your site as well as your login page, and click Submit. This will create an API key that enables you to start using Clef. You can also choose whether you want to use Clef exclusively (and disallow usernames/passwords) or use Clef to supplement your login options.
Now, whenever you need to log in to your site, go to the login page on your WordPress site and click on Log in with your phone. The Wave will appear on the screen. Open the app on your smartphone and match the Wave on your smartphone to the Wave on the screen, and it will automagically log you in.
It’s really hard to describe how this works, so it’s something that you just have to try for yourself.
Benefits, impression and thoughts
Honestly, I just think this is one of the coolest things that I’ve seen done with WordPress. It’s taking security to the next level, and it will become apparent as you go through the motions of installing it and using it that it has been built robustly, but with style as well.
It’s a gorgeous application and the animations are smooth and beautiful. I think this application has got a lot of legs, and I wouldn’t be surprised if Brennen and his team became very rich as a result of what they’re working on here: there’s a lot of opportunity to take this beyond the walls of WordPress and to form it into the next standard for logging in to any website.
The app has a few other benefits that I can think of: when you log in to one site, you are automatically logged in to all of the sites that you use the same email address on (ability to use different email addresses forthcoming), making life easier for those of us who manage scores of sites.
Every time you log in, a new RSA key is used, so the password is never the same. And your RSA keys are not stored on any server, so you can’t be subject to a hacking attempt.
You can also set how long you want to be logged in for: when you log in, your phone will show a timer (1 hour by default), which you can change to any set value, or you can stay logged in until you log out.
All in all, the plugin is quite simply astounding, and I encourage everyone to give it a go, if not just for the fun of seeing it work. Then, start spreading the word and making your sites more secure.