Are you tired of having to remember 64 billion different username and password combinations to all the WordPress sites you run? Are you fed up with having to type them in (or opening LastPass and choosing them) and mistyping one or more parts? Digi-ID On WordPress might be what you’re looking for.
Are you fed up with 2 Factor Authentication when you have to open your phone, choose the right site, remember the 6 digits (OK, not that hard in the grand scheme of things but still) and then go back to the site and type them in?
How about all those traffic lights and crosswalks. What about Mountains and Buses… I hate them.
Digi-ID solves this problem in an elegant, easy to use, easy to set up and above all, secure way.
What Is Digi-ID?
OK, first up, I am not a cryptocurrency expert. I can not explain all the intricacies of the blockchain to you. The mathematics of it all is way beyond my limited brain. I can calculate dosages of Midazolam at 4am in the morning, but cryptography, not so much.
But what I do know is that Digi-ID is built on top of the DigiByte cryptocurrency blockchain. This means it’s an open source, secure system that multiple machines around the world take part in to form a network of computers all ensuring the security of the system.
And because this network is safe, secure and fast, and can securely store transactional data that is not specifically about crypto-currency, we can use that blockchain to communicate securely from one device to another, across a known medium with known (and easily available) mechanisms.
And DigiByte’s blockchain is considerably faster to update than Bitcoin’s. This fact is important for a number of reasons, but specifically relating to Authentication systems we wouldn’t want to be waiting for minutes or longer to gain access to a system we’re trying to log in to.
Why Use Digi-ID on WordPress Sites?
There are a number of reasons why you’d want to use Digi-ID on your own WordPress sites:
So, Digi-ID is a way of using the blockchain of DigiByte to authenticate yourself to software applications, such as WordPress. It’s secure because it uses keys that only you have in your possession, so no-one can pretend to be you. It’s all encrypted, so no-one can see your keys. And no usernames or passwords are transmitted to your site, so it reduces brute force attacks too.
Because it already uses your phone to perform the actual identification for your account, it has the 2 factor authentication built in automatically. Someone cannot login to your site unless they have access to your phone, and can use your fingerprint or know your PIN.
Since Digi-ID uses the DigiByte blockchain network, it’s quick. DigiByte is 40 times faster than the Bitcoin blockchain, meaning that it’s far better suited for smaller, quick transactions. No-one will mind waiting 20 minutes for a large transaction (such as buying a house, boat or car) but when it comes to buying a coffee or an ice cream, no-one will wait in the queue for 20 minutes for the transaction to settle. Similarly, no-one will wait 20 minutes to get logged in to a website. With Digi-ID the process takes mere seconds.
Disadvantage To Having Digi-ID On WordPress
In my conversations around Digi-ID on Reddit and Twitter (after I caused a stir by saying I’d already added it to my WordPress sites) there were only 2 disadvantages that were presented to me. The latter one is not really an issue when it’s your own websites that you’re logging in to.
The first disadvantage is that you must have your mobile phone with you when logging in to your WordPress website. You probably do anyway. And if you have any 2FA setup then you’ll need your phone too – but in that scenario you have a lot more typing to do first, and potentially needing to open your LastPass password manager too. Cumbersome. Having your phone near you is a small niggle in my opinion.
The second is the Man In The Middle phishing attack. I read about it on Twitter because someone said it was a significant weakness in Digi-ID. I don’t buy it. The report goes on to say that usernames, passwords and 2FA all share the same vulnerability – so I’m not sure why Digi-ID should be singled out as insecure when literally all existing technologies for logging in to systems suffer the same issue. And it’s literally a non-issue for logging in to your own WordPress sites anyway because if you’re going to click a link that you think is your own WordPress site that arrived unannounced in an e-mail then you’ve got some serious head scratching soul searching to do about your own computer security 🙂
So, those 2 ‘disadvantages’ are largely non-issues. I’d be interested to hear if anyone can come up with other reasons not to use Digi-ID on WordPress?
How To Install Digi-ID On WordPress
This is probably the bit you came for isn’t it. The rest is just my ramblings, for which I apologise.
Setting up Digi-ID on WordPress is trivial. Like, one of the most simple WordPress tasks I’ve done. If you can install a plugin, you can install Digi-ID. Now, of course, this means that you’ll need to be the administrator of the WordPress site as opposed to just a user or editor. You may also need to have the ability to install PHP modules on your server.
Ensure SSL is Setup Properly
If you’re not using SSL on your website these days you probably ought to stop reading right here and go and fix that first. I’m not going to go into how to do that because it varies so wildly between different hosts and if you’re self hosted (ie, on a VPS) it’s a different kettle of fish altogether potentially. If you’re not on SSL you need to get it sorted because it’ll be hurting your rankings on Google and it’s just not secure.
Have a quick Google for SSL on your-webhosting-provider or at the very least, look up LetsEncrypt.
Digi-ID on WordPress will not work if you don’t have a valid SSL certificate in place.
Ensure PHP-GMP Is Installed
According to PHP.Net, this module allows PHP code to use arbitrary length integers using the GNU MP Library. That’s a lot of technobabble for basically saying it allows PHP to use massive numbers. I think. It sort of stands to reason, since cryptography involves large numbers.
Nevertheless, your hosting provider needs to support this module in order for you to use it. If it’s not installed you cannot use it. Some providers use a control panel that allows you to install other PHP Modules and some don’t. You’re going to need to do a bit of digging I’m afraid.
I’ve created a list at the end of hosts which support GMP and which don’t but I’ll need some user feedback to help keep it up to date if you don’t mind!
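The two prerequisites above (a valid SSL certificate and the PHP GMP module) can be checked from a shell on a VPS before installing the plugin. This is an added example, not part of the original post or the plugin; the function names and the 14-day expiry threshold are assumptions, and it needs php, curl and openssl on the PATH.

```shell
#!/bin/sh
# Added example: pre-flight check for the two prerequisites named in this post
# (the PHP GMP module and a valid SSL certificate). Function names are made up.
# Usage: sh digiid-preflight.sh www.example.com

# has_gmp: reads a PHP module list (the output of `php -m`) on stdin and
# succeeds only if one line is exactly "gmp" (so "gmpfoo" does not count).
has_gmp() {
    tr -d '\r' | grep -qix 'gmp'
}

# cert_trusted HOST: succeeds if curl completes a verified HTTPS request,
# i.e. the chain is trusted, the name matches and the cert is not expired.
cert_trusted() {
    curl --silent --head --max-time 10 --output /dev/null "https://$1/"
}

# cert_not_expiring HOST DAYS: succeeds if the served certificate is still
# valid DAYS days from now (openssl -checkend takes a number of seconds).
cert_not_expiring() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

preflight() {
    rc=0
    # `php -m` describes the command-line PHP; the PHP that serves the site
    # (FPM/mod_php) can load a different module set, so treat this as a hint.
    if php -m 2>/dev/null | has_gmp; then echo "OK   php-gmp loaded (CLI)"
    else echo "FAIL php-gmp not loaded (CLI)"; rc=1; fi
    if cert_trusted "$1"; then echo "OK   HTTPS certificate for $1 verifies"
    else echo "FAIL HTTPS request to $1 failed (certificate or connectivity)"; rc=1; fi
    if cert_not_expiring "$1" 14; then echo "OK   certificate valid for 14+ days"
    else echo "WARN certificate expires within 14 days (or could not be read)"; fi
    return "$rc"
}

# Run only when a host name is given, so the file can also be sourced.
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

On shared hosting without shell access the GMP result has to come from the host's control panel or support instead.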
Navigate to Plugins
Login to your WordPress admin dashboard and click the Plugins menu, then click Add New.
In the search box, type Digi-ID and at the time of writing, this will be the only plugin that is found. The image below should give you an idea of what you’re looking for;
Once you’ve found the right plugin, you can click on Install Now and then Activate. Be aware that the plugin hasn’t been updated for some time – not because it’s no longer maintained but because no updates have been needed. It still works on the latest WordPress, I’m using it here.
There is nothing to set up with the plugin itself. But you will need to activate Digi-ID for your account.
Setup Your WordPress Account To Accept Digi-ID
So, now that the plugin is installed, you’re going to need to setup your account so that you can login with Digi-ID.
For this you will need a Digi-ID capable app on your phone. For that I highly recommend the official Android or iOS DigiByte wallet – which you can grab by visiting the official DigiByte website. I’m not going to link directly to the apps, even though it would be convenient because they may move and I want to ensure you go to the official DigiByte wallets.
The Digi-ID app is built in to the main wallet. I’m not going to go through how to set up the Android wallet though, there’s plenty of tutorials on the web for that, including on the official website.
You want the little fingerprint icon on the right for Digi-ID.
If you’re going to get into DigiByte do yourself a favour and make sure you learn how to keep your DigiBytes secure and prevent your wallet from being hacked. This means making sure the 12 seed words when you create your wallet are never typed into any website. Again, I’m not going to give advice here, do your own research please.
Now that you have the DigiByte wallet on your smart-phone, go back to WordPress. Under the Users menu on the left you should now see a new option called Digi-ID.
Clicking the Digi-ID item will take you to a screen that looks like the one above. Click the Add New button to link your DigiByte wallet with your WordPress account. When you click the button you’ll be presented with a QR code, as you can see below. Open the Digi-ID app on your smart-phone and scan the QR code. Shortly after you do that, you should see the WordPress QR code flash briefly with a green tick and then the screen will switch to look like the one below;
I’ve blurred out the Digi-ID address because it’s the address associated with my login and so there’s the possibility, I think (but don’t know!) if someone else gets hold of that address then they could perhaps login as me? Someone with more intricate knowledge of Digi-ID could tell me if that’s true or not? Come to think of it, it’s probably not enough just to have that address, you’d also need my wallet keys…
Once you’ve done that, log out and test it.
Logging In To WordPress with Digi-ID
And once you’ve logged out, you should see a login screen that looks semi-familiar when you try to login. But now, you’ll also be presented with a Digi-ID QR code. Open your DigiByte wallet and scan that QR code using the Digi-ID section within.
Within about 5 seconds you should see a green cross flash briefly over the Digi-ID QR code and then you’ll be switched to the WordPress dashboard, logged in and ready to work on your WordPress site. No typing of username or password. No 2FA needed.
Digi-ID makes logging in to your WordPress site easy, quick and secure. And it’s time for other big name websites to start using it too. If I could login to Amazon, Microsoft or my bank without needing to type my username and password and then getting the constant barrage of SMS, 2FA or ‘Is it really you?’ my life would be so much better.
Scan a code, gain entry. That’s the 2021 way. Let’s leave the 20th Century password behind. Please!
Once you have tested your Digi-ID login works, you need to do one last step to make your account a little more secure.
To reduce the risk of brute force attacks on your password, you should now go ahead and change your password to something ridiculously long and ridiculously complicated. You’ll not need to remember it unless you somehow lose your DigiByte wallet. And then you’ve probably got bigger problems to worry about!
At the moment there appears to be no way to turn off username and password logins. I feel this would be an excellent ‘tickbox’ for the plugin, such that if everyone on your WordPress site has Digi-ID who needs to be able to login, then disabling username and password logins would make it better still. The plugin is open source, maybe I’ll have a look, or drop the author a line.
Appendix 1: Web Hosts That Can Support Digi-ID
So, from the paragraph above about PHP-GMP, it stands to reason that if you’re on shared hosting or managed WordPress hosting you’re going to need for them to have installed the PHP-GMP module and the associated dependencies. With this in mind this is a non-exhaustive list of web service providers who do support php-gmp and should therefore be able to support you installing the Digi-ID WordPress plugin.
In the list below I have marked how I have been advised about their compatibility. I can only personally vouch for the ones that I have tested myself – though there is absolutely no reason to believe any of those who’ve said they support it would actually not.
It’s worth saying that if you’re on a VPS with someone like VULTR (or Linode, or Digital Ocean) then of course you have control of your own environment and can install PHP-GMP. So all VPS solutions where you have root access will be compatible.
Appendix 2: Web Hosts That Currently Can NOT Support Digi-ID
The above lists are likely to be quite fluid. Please do your own research by asking the companies in question on their sales channels. I will try to keep it up to date as new information becomes available to me but I can’t guarantee to be precise.
If you own or operate any of the above hosts (or another hosting provider) and something has changed please do get in touch. You can tweet me @stevna and let me know. You can also leave a comment on this post to let me know too.
Some nice people have asked where they can donate some DGBs to me for producing this article. You don’t have to at all, but of course it is appreciated if you do want to 🙂
DGB Address for donations (if you want): DRZ7kYRZzFUxM4hyPZMfXLmxyp2xN1ZsCp