I have recently stumbled upon the plugin PhoneFactor has for WordPress and decided to give it a shot, knowing the idea behing the PhoneFactor authentication model. The install was smooth, since WordPress does a good job on integrating installing plugins into the admin panel. There were a few issues that I hit once it was installed, but they were mainly caused by my own customizations to WordPress to force SSL on the admin panel and some other security enhancements.
If you are like me and rely heavily on SSL for the admin area, you might already know and be frustrated by the busted defaults for most plugins. In their defense, it is a WordPress issue, since their built in functions return http based URLs instead of https when hosted over SSL. I believe this is being addressed in 3.0, but so far I’ve had to patch each new release of WP to get safety, but I digress.
The only issue with the plugin itself is that it reported the username I picked as used, even though it was not. You can safely ignore this or if you want to do it right, apply the following patch:
---< @@ -171,6 +171,7 @@ pf.testNumberCompleted = function(data) { CURLOPT_POST => true, CURLOPT_POSTFIELDS => $post, CURLOPT_RETURNTRANSFER => TRUE, + CURLOPT_SSL_VERIFYPEER => false ); $curl = curl_init(); foreach ($curl_options as $option => $value) curl_setopt($curl, $option, $value); ---<
With that taken care of, one can sign up for an account right from the plugin. Once it is all said and done this plugin is AWESOME. Now I can actually authorize each login to my blog and ensure that even if someone were to get their hands on my password, they won’t be able to login to the blog. And the best part is that the call feature is actually free!
Thanks PhoneFactor for a great plugin!