Title: Yubikey
Author: Kieran O'Shea
Published: May 22, 2008
Last modified: May 9, 2025

---

# Yubikey

 By [Kieran O’Shea](https://profiles.wordpress.org/kieranoshea/)

[Download](https://downloads.wordpress.org/plugin/yubikey.1.0.1.zip)

## Description

This plugin enhances the security of your WordPress website by adding Multi Factor
Authentication (MFA) in the form of One Time Passwords (OTP) using
[Yubikey USB Tokens](https://www.yubico.com/). In addition to asking for your username
and password to log in, this plugin requests an OTP code generated by a Yubikey,
validates it via an API and only grants access if this check passes. The requirement
to use an OTP can be set on a user by user basis, and there is also a feature to
require users above a certain privilege level to always use OTP.

### External services

This plugin connects to an API to validate the OTP tokens generated by your security
key. This is required because storing the private keys on the same web server as
the site you wish to protect would be a security risk.

By default Yubico’s own validation server is employed, although you may set up your
own server and use this instead.

The default Yubico API only collects the one time password (OTP) data as provided
by your security key when you log in. The service validates this and then stores
this token as “used” so it may not be replayed as part of an attack. It does not
collect any other data (such as what URL is being authenticated using the key etc.).

This service is provided by “Yubico AB”: [Privacy Policy](https://www.yubico.com/support/terms-conditions/privacy-notice/),
[Terms of Use](https://www.yubico.com/support/terms-conditions/yubico-website-terms-conditions/)
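
The checks a client of the validation API has to make before trusting a reply, as an added example (not the plugin's code, and written in Python rather than the plugin's PHP). It follows Yubico's validation protocol 2.0, in which request and response carry an HMAC-SHA1 signature `h` and the response echoes the OTP and nonce. The API key, OTP, nonce and the `fake_reply` stand-in for the server are constructed, and a 44-character OTP with a 12-character Key ID is assumed.

```python
import base64, hashlib, hmac

MODHEX = set("cbdefghijklnrtuv")  # alphabet Yubico OTPs are typed in
API_KEY = base64.b64encode(b"constructed-demo-key").decode()   # constructed
SAMPLE_OTP = "ccccccbcgujh" + "dhbgefjukrtn" * 2 + "vclihdbe"  # constructed

def key_id(otp):
    """Key ID = first 12 characters of a 44-character modhex OTP (assumed sizes)."""
    if len(otp) != 44 or not set(otp) <= MODHEX:
        raise ValueError("not a well-formed OTP")
    return otp[:12]

def sign(params, api_key_b64):
    """Base64 HMAC-SHA1 over 'k=v' pairs sorted by key and joined with '&'."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params))
    key = base64.b64decode(api_key_b64)
    mac = hmac.new(key, message.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def accept(body, otp, nonce, api_key_b64, enrolled_id):
    """True only if the reply is authentic, answers this request, and says OK."""
    try:
        if key_id(otp) != enrolled_id:       # OTP must come from the user's own key
            return False
    except ValueError:
        return False
    # Values can contain '=' (base64 padding), so split each line once only.
    fields = dict(line.split("=", 1) for line in body.splitlines() if "=" in line)
    received = fields.pop("h", "")
    expected = sign(fields, api_key_b64)
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return False                         # forged or altered reply
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return False                         # reply belongs to another request
    return fields.get("status") == "OK"      # e.g. REPLAYED_OTP is a refusal

def fake_reply(status, otp, nonce, api_key_b64=API_KEY):
    """Constructed stand-in for the validation server, so the example runs offline."""
    fields = {"otp": otp, "nonce": nonce, "status": status, "sl": "100",
              "t": "2025-05-09T10:00:00Z0123"}
    fields["h"] = sign(fields, api_key_b64)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items())

if __name__ == "__main__":
    nonce = "a1b2c3d4e5f6a7b8c9d0"           # constructed; use a fresh random one per login
    reply = fake_reply("OK", SAMPLE_OTP, nonce)
    print(accept(reply, SAMPLE_OTP, nonce, API_KEY, "ccccccbcgujh"))
```

A reply whose `status` line is edited after signing fails the signature check, and a correctly signed reply for a different nonce or OTP fails the echo check, so neither can be passed off as the answer to this login.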

## Screenshots

 * Entering key ID on the profile page
 * Client ID & API key and other Yubikey options
 * The enhanced login box

## Installation

 1. [Buy a Yubikey](https://www.yubico.com/us/product/yubikey-5-series/yubikey-5-nfc/)
    if you do not already have one that supports OTP
 2. If you want to use Yubico’s cloud validation server, [Create a Yubico ID & API Key](https://upgrade.yubico.com/getapikey/)
 3. Unzip plugin into your /wp-content/plugins/ directory.
 4. Enter Yubico ID & API key on the Settings -> Yubikey options page
 5. Enter Key ID on the Users -> Profile and Personal options page. The Key ID is the
    first 12 characters produced when your Yubikey generates an OTP – these remain
    constant and are used to identify your key with the validation server

## FAQ

### Where can I learn more about how Yubikey OTP works?

Please visit the [Yubico OTP Webpage](https://www.yubico.com/resources/glossary/yubico-otp/)

### How much does the Yubikey cost?

There are a variety of keys available, but the cheapest key that will work with
the OTP model currently retails at $50. You can find information on this key by
visiting the associated [Yubico Product Page](https://www.yubico.com/us/product/yubikey-5-series/yubikey-5-nfc/)

### Can I use my own validation server?

While setting up such a server is beyond the scope of this FAQ, yes you can. Simply
put the URL of your validation server in the “Private Validation Server API URL”
field on the Settings -> Yubikey admin page. Remember to update the ID and API Key
fields to a pair that is supported by your server.

### Does the plugin force OTP use by all users?

No, unless you set the “Profile from which OTP is mandatory” setting, in which case
users with this permission or above will need an OTP to log in. If you enable this
feature it is critical that all users on your site who hold this permission profile
or above have already set up OTP in their profile, otherwise they will be locked
out of the site! All other users will only require an OTP if they set one up in
their user profile.

### What is the “Allow XML-RPC login below profile” setting for?

When a user enables OTP in their profile, they will be unable to log in to WordPress
using the XML-RPC API (most commonly known as the method by which the WordPress
smartphone app accesses WordPress sites). If you enable this setting, users below
this permission level will be allowed to log in via XML-RPC (the WordPress app) without
use of an OTP (the app does not support use of OTP or supplemental login fields).

### I enabled OTP on my profile and now I’m locked out of the site, can I get back in?

Of course; just rename the yubikey plugin directory in wp-content/plugins/ and the
plugin will automatically be disabled. With the plugin disabled you will be able
to log in with just your plain username and password.

## Reviews

### [Reviews welcome](https://wordpress.org/support/topic/reviews-welcome-2/)

 [Kieran O’Shea](https://profiles.wordpress.org/kieranoshea/) May 10, 2025

Calling all regular Yubikey users! If you haven’t done so already, please take the
time to review the plugin here. If you have a problem, issue or question, please
post in the forums first before rating the plugin negatively – most things can be
sorted out either through communication or a new release!

## Contributors & Developers

“Yubikey” is open source software. The following people have contributed to this
plugin.

Contributors

 *   [ Kieran O’Shea ](https://profiles.wordpress.org/kieranoshea/)
 *   [ Henrik Schack ](https://profiles.wordpress.org/henrikschack/)

[Translate “Yubikey” into your language.](https://translate.wordpress.org/projects/wp-plugins/yubikey)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/yubikey/), check out
the [SVN repository](https://plugins.svn.wordpress.org/yubikey/), or subscribe to
the [development log](https://plugins.trac.wordpress.org/log/yubikey/) by [RSS](https://plugins.trac.wordpress.org/log/yubikey/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.1

 * Added restriction so plugin file cannot be accessed directly
 * Added a description in the readme file that explains the use of the external 
   Yubico validation service

#### 1.0

 * Forked from [“yubikey-plugin” by Henrik Schack](https://wordpress.org/plugins/yubikey-plugin/)
 * Updated Yubikey API support to version 2.0
    * Inclusion of nonce field
    * Upgrading to HTTPS
    * Enabled support for hash validation of the request as well as the
      response for greater security
 * Added support for self-hosted validation server
 * Configurable “minimum permission” that can bypass use of OTP, for example, if
   you’re an admin you must use OTP, a subscriber need not
 * Optional restriction preventing users above a certain access level from accessing
   the XML-RPC API
 * Ensure that OTP requirement is bypassed when logging in via the XML-RPC API
 * POT file updated with changed language strings (bundled translations from fork
   remain but will require updating)
 * Ensured plugin passes all requirements of the WordPress Plugin Check (PCP)

## Meta

 *  Version **1.0.1**
 *  Last updated **12 months ago**
 *  Active installations **40+**
 *  WordPress version **5.2 or higher**
 *  Tested up to **6.8.5**
 *  Language: [English (US)](https://wordpress.org/plugins/yubikey/)
 *  Tags: [login](https://ory.wordpress.org/plugins/tags/login/), [MFA](https://ory.wordpress.org/plugins/tags/mfa/),
   [otp](https://ory.wordpress.org/plugins/tags/otp/), [security](https://ory.wordpress.org/plugins/tags/security/),
   [yubikey](https://ory.wordpress.org/plugins/tags/yubikey/)
 *  [Advanced View](https://ory.wordpress.org/plugins/yubikey/advanced/)

## Ratings

 5 out of 5 stars.

 *  [  1 5-star review     ](https://wordpress.org/support/plugin/yubikey/reviews/?filter=5)
 *  [  0 4-star reviews     ](https://wordpress.org/support/plugin/yubikey/reviews/?filter=4)
 *  [  0 3-star reviews     ](https://wordpress.org/support/plugin/yubikey/reviews/?filter=3)
 *  [  0 2-star reviews     ](https://wordpress.org/support/plugin/yubikey/reviews/?filter=2)
 *  [  0 1-star reviews     ](https://wordpress.org/support/plugin/yubikey/reviews/?filter=1)
