I’ve recently become a little frustrated with my current two-factor authentication plugin of choice, Duo Security. They removed the option to remember you for a set period of time and made that a paid feature, so now I have to authenticate every single time I log in, which is overkill.
Launchkey is somewhat similar to other 2FA plugins, but has the added feature of being able to use biometric information to log in to your site. You can choose between taking a picture of your face, or using a fingerprint.
Given that I already use Touch ID on my iPhone to log in to various services, I thought this was a nice next step.
I went about installing the plugin and setting it up. The setup process isn’t very clear, so for your benefit, the process is generally:
- Download the app on your phone, create your account and verify your email address.
- Go to the Launchkey website on your computer and create a new app for the domain that you’ll be installing Launchkey on.
- Install the plugin on your site and copy the app key and secret key from your newly created app in your Launchkey dashboard.
Now, each user can go to their profile page in WordPress and link their account to a Launchkey account. When they next visit the login screen, instead of using their username and password, they can select the “Login with Launchkey” button and send a push notification to their paired device for them to authorise the login, using either their fingerprint or a scan of their face, depending on how they’ve configured their device.
A user who wants to log in solely with Launchkey can remove their password, leaving Launchkey as their only way to log in.
The whole process is somewhat fluid and well thought-out, but there are a few restrictions that are stopping me from fully adopting it at this point.
- You cannot force all users, or any subset of users (editors and above, for example), to use Launchkey. The system is completely opt-in.
- You cannot completely replace the login screen with a Launchkey login screen, where that is the only option.
- You cannot type in your WordPress username and click on “Login with Launchkey” without then having to type in a separate username for Launchkey. I should be able to type in my username and have the push notification automatically sent to my phone.
- I’d like to see app passwords built-in, so that I can force WordPress admin logins through Launchkey while allowing individual apps (like InfiniteWP and WordPress for iOS) the ability to log in to my account without having to use Launchkey.
- This is not two-factor authentication. Since the password is not required, this is just an alternative to logging in with your password. The workflow I’d like to see is: enter username and password, Launchkey automatically recognises the WP user and its associated Launchkey account and sends the push notification for a quick fingerprint scan before finalising the login. There should be an option for this.
Launchkey have done a nice job, and it’s clear that their service is well thought out and has the ability to go far, but the plugin needs to mature a little for it to meet my own needs. With that said, I’m sure that there are plenty of people for whom this is a nice evolution of the practice of logging in to services with our phones.