No More Passwords* – Log into WordPress using a QR Code

Download and try it yourself

A short while ago I stumbled upon an interesting Hacker News conversation…

Intrigued by the challenge, I decided to implement the theory as a WordPress plugin for all to use. So here’s the gory details…

The Flow

  1. User visits the Login page.
  2. The Login page generates a unique hash and saves it to the database.
  3. The Login page creates a QR code of a link that passes the hash via GET to the Plugin’s admin page.
  4. Via long polling, the Login page waits for a username to be inserted into the database row holding the page’s active hash.
  5. User scans the QR code with a mobile device, which opens the Plugin’s admin page on the mobile with the active hash passed via GET.
  6. In WordPress, the User must by definition be logged in to reach the Plugin admin page.
  7. The Plugin admin page records the username against the active hash (the GET-posted hash) in the database.
  8. The Login page sees the change in the active hash’s database row and reloads the page with a GET post of the active hash.
  9. Using the WordPress init action, the page receives the hash, finds the active hash’s row in the database and pulls the username; it then removes the hash from the database so it can’t be reused.
  10. The page then logs in the User using the pulled username and redirects the User to the WordPress Dashboard.

Notes

Alone, this isn’t a solution to never having to remember your passwords again. Your mobile browser has to have the logged-in cookies for it to work completely without password.

Why is it still useful? Well, everyone goes everywhere with their cellphones now, but with today’s mobility it means that you’re likely to find yourself with an urgent idea to post to your blog, and not wanting to type it out with your thumbs on your mobile. So, borrow Aunt Sally’s computer — which in all likelihood has thousands of suspicious apps and key loggers and, by the way, is running Vista — and just scan away to log in!

Ideally, it would work great with an app built to complement it that would scan the QR code, save your passwords, and log you in automatically if the local cookie had expired… Perhaps that app is in the works… Comment below if you’d like it and I may be swayed to create such a monster. Perhaps tiqr might want to gang up…

Is it secure? I’ve put several checks in place to make sure it is.

  1. The username and password are never passed back and forth, only the unique hash.
  2. The hash is removed from the database once it’s used; old hashes that haven’t been used can’t be used unless the database is hacked, but then you have bigger issues.
  3. All database queries involving the hash have been escaped to prevent XSS attacks.
  4. A nonce was added to the AJAX call.
  5. A nonce and a confirmation step were added on the mobile end to prevent CSRF attacks.
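To make the flow above and checks 2 and 5 concrete, here is an added model of the hash lifecycle (login page mints a token, the logged-in mobile session claims it after confirming, the login page redeems it once). It is example code written for this post, not the plugin’s PHP; the in-memory store, the 120-second expiry and the at-rest hashing of the token are assumptions that go beyond what the plugin describes.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-in for the plugin's hash table (the real plugin
# keeps the hash and username in a WordPress database table).
class QrLoginStore:
    TTL_SECONDS = 120  # assumption: unredeemed tokens expire

    def __init__(self, now=time.time):
        self.now = now
        self.rows = {}  # sha256(token) -> {"created": ts, "username": str|None}

    @staticmethod
    def _key(token):
        # Assumption: store only a digest, so a leaked table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create_token(self):
        """Steps 2-3: the login page mints an unguessable token and saves it."""
        token = secrets.token_urlsafe(32)
        self.rows[self._key(token)] = {"created": self.now(), "username": None}
        return token

    def _live_row(self, token):
        # Unknown or expired tokens are treated as absent (and purged).
        row = self.rows.get(self._key(token))
        if row is None or self.now() - row["created"] > self.TTL_SECONDS:
            self.rows.pop(self._key(token), None)
            return None
        return row

    def bind_user(self, token, session_user, confirmed):
        """Step 7: the admin page records the logged-in user against the token.
        The explicit confirmation is the CSRF defence the post describes."""
        row = self._live_row(token)
        if session_user is None or not confirmed or row is None:
            return False
        if row["username"] is not None:
            return False  # token already claimed by someone
        row["username"] = session_user
        return True

    def redeem(self, token):
        """Steps 9-10: consume the token exactly once, returning the user to log in."""
        row = self._live_row(token)
        if row is None or row["username"] is None:
            return None
        del self.rows[self._key(token)]  # single use, as in step 9
        return row["username"]
```

The long poll of step 4 is just a repeated check of the same row; a second redeem of the same token, an unconfirmed or unauthenticated claim, and a claim on an expired token all fail.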

I’m pretty sure that covers security. Anything else needed?

Suggestions? Comments? You know where that goes…

Special thanks to…


View the GitHub repository

    19 thoughts on “No More Passwords* – Log into WordPress using a QR Code”

    1. Hello, I’m Julio from BoiteAWeb.fr
      I’m a Web Security Consultant.
      I discovered a big vulnerability in your plugin.
      I can login with any account, of course like you said “with no password” ;)
      Contact me to get the exploit code:
      [edit: email removed]

      See you

      1. Thanks so much BoiteAWeb!

        I’ve opened up a thread on the WP Forum for discussing security enhancements for the plugin.

        P.S. Saved your email but removed it from the comment to prevent spammers ;)

    2. Hello,
      Not if I’m the first to notice that the qr “No More Passwords” to be stopped.
      It needs some updating?

      1. Hi Oliver, I haven’t been able to recreate the bug. Would you mind sending me more info (here, or via the submission form), like what browser you’re using, whether you have browser extensions, etc.? If I can replicate the bug I’ll better be able to fix it.

    3. Sorry to interrupt you. Can you teach me how to do QR code log in? I wanna use this in my graduate thesis project. I searched online for a long time, but there’s just no open code for this. Can you reply to me through email?

      Thank you soo soooo soooo much!!
      Peggy
