Enabling 2FA in DokuWiki

I’ve been doing a bit of a personal security audit lately, and updating/resetting passwords and adding 2FA wherever I can. One of the things I was pleasantly surprised to see is that DokuWiki made it fairly straightforward to add 2FA to my wiki.

The work to enable this was done by plugin developer Michael Wilmes, and involved installing a number of plugins that Wilmes developed.

  1. First, using the DokuWiki extension manager, install the Attribute plugin.
  2. Next, install the Two Factor Authentication – Core Plugin. As the title suggests, this installs a 2FA framework within DokuWiki.
  3. Finally, install any of the five 2FA modules. There are ones for email, an alternate email, Google Authenticator, and SMS.

I was only interested in the Google Authenticator plugin module. After installing it, it worked like a charm. My login page now looks like this, and will not let me log in without the 2FA code:

DokuWiki 2FA-enabled Login Page

Usability Study of Yubikeys

In the YouTube video below, Joshua Reynolds presents, at the IEEE Symposium on Security and Privacy, two usability studies that he and others conducted on configuring and using Yubico’s Yubikey two-factor authentication security keys.

The full usability study can be found on the IEEE website. From the study’s abstract:

Two-factor authentication (2FA) significantly improves the security of password-based authentication. Recently, there has been increased interest in Universal 2nd Factor (U2F) security keys-small hardware devices that require users to press a button on the security key to authenticate. To examine the usability of security keys in non-enterprise usage, we conducted two user studies of the YubiKey, a popular line of U2F security keys. The first study tasked 31 participants with configuring a Windows, Google, and Facebook account to authenticate using a YubiKey. This study revealed problems with setup instructions and workflow including users locking themselves out of their operating system or thinking they had successfully enabled 2FA when they had not. In contrast, the second study had 25 participants use a YubiKey in their daily lives over a period of four weeks, revealing that participants generally enjoyed the experience. Conducting both a laboratory and longitudinal study yielded insights into the usability of security keys that would not have been evident from either study in isolation. Based on our analysis, we recommend standardizing the setup process, enabling verification of success, allowing shared accounts, integrating with operating systems, and preventing lockouts.

Yubikey 4C Nano

I have Yubico’s FIDO key enabled on all the accounts I have that utilize it. I have two primary laptops I use most days, and I bought Yubikey 4 Nano keys for both of those.

But I ran into a bit of a problem when I decided to add a Chromebook as a secure, ultraportable device. I ended up buying an ASUS Chromebook that only had USB-C ports.

Fortunately, Yubico recently released a USB-C version of the Yubikey 4 Nano. It’s a bit expensive at $60, but it has a very low profile on the Chromebook and works without any issues.

Yubikey 4C Nano


My Nintendo Account Is Now Safer Than My Bank Account

On September 22, 2017, Nintendo released two-factor authentication for Nintendo accounts. The system uses Google’s 2FA system (so it would also work with the LastPass authenticator, which is what I generally use).

So at this point, my Nintendo account is more secure than my bank account. My bank doesn’t offer any form of routine 2FA, despite me constantly harassing them about adding it.

And really, even 2FA isn’t good enough when it comes to banking. There’s no reason banks and credit unions shouldn’t offer their customers the option of using U2F.

Google Authenticator Plugin for WordPress

Google Authenticator is a plugin for self-hosted WordPress installs that lets you require Google’s Two Factor Authentication application for access to WordPress.

I’m currently using it on this blog and have to enter a numerical code from the Google Authenticator on my phone every time I log in to the admin area. The setup was trivial and it has worked like a charm.

The only drawback is that this renders your blog inaccessible from programs that are not set up to prompt you for a Google Authenticator code, such as the WordPress mobile apps for iOS and Android.