Let’s explore passwordless login for WordPress, a whole new domain that authentication is heading into.
Passwords will go extinct in the near future. They were meant to bolster security but ended up creating more problems than solutions.
It started with strong passwords, followed by two-factor authentication, adding in extra clicks (read: work) nobody wants to deal with.
There is another solution that popped up recently, known as magic links. This will have you enter your username and open the link from the email instead of entering a password.
While it’s safer since you only have to protect the email accounts and leverage that security everywhere else, it’s not the fastest method.
WordPress Passwordless Login
WordPress is simple to use for the average internet user, and all this simplicity comes with an increased security risk. And though you can mandate strong passwords with iThemes Security, the idea is to make it effortless while being secure.
In a nutshell, iThemes Security is a must-have freemium security guard for your WordPress project. It comes as a plugin to help strengthen WordPress security with ease.
While this is an independent guide, it will help if you go through our iThemes Security Pro review first.
In addition to countless features, iThemes Security Pro helps you deploy user-friendly biometric logins to your WordPress website. Ergo, you can use these features with Apple (Touch ID, Face ID), Android (fingerprint, PIN, pattern), and Windows (Windows Hello).
If applied, users will have this prompt on the login URL:
This gives you an alternate (and simple) way to log in to the WordPress website.
This method of logging in via passkeys uses the local authentication credentials we already use with the devices we physically own, like a smartphone or a MacBook.
In addition to being the easiest method to unlock WordPress, this is also the most secure.
For instance, there is a slight chance you could give the username and password to a lookalike (aka phishing) WordPress login page. But there are no such loopholes with passkeys.
Passkeys are supported by WebAuthn, a cryptographic authentication standard that uses a public and private key pair.
Public keys are stored in the cloud, while private keys reside on your local device. So when you scan your fingerprint on the WordPress login page, it knows it’s really you and sends you into the dashboard.
In this case, all you have to protect is your biometrics compared to the username and password, which a cybercriminal could steal with phishing, etc.
And if it makes it any better, the development of WebAuthn has seen the participation of leading tech giants like Google, Microsoft, Mozilla, Yubico, etc.
In short, it’s safe and robust.
Configuring Biometric Login
Though this method deploys extremely sophisticated security, the application is painless.
First, you need the iThemes Pro subscription.
Subsequently, head over to Security > Settings in the WordPress dashboard side panel. Finally, turn on the toggles for Passwordless Login and Passkeys.
Without Passkeys, passwordless login uses magic links. Turning Passkeys on replaces the magic links with passkeys, unless you enable both methods (discussed later in this section).
Now the admin selects the users for this new login policy. This option lies in the User Groups section of the iThemes Security Pro dashboard.
You can either select from predefined user classes (admins, authors, editors, subscribers, etc.) or create a custom batch with the New Group option.
Next, the administrator enforces passwordless login for selected user categories:
Notably, you can use both (magic link & passkey) from the Configure > Login Security tab in iThemes Security.
The login URL will now prompt with Email Magic Link or Use Your Passkey:
Clicking the magic link will send a login mail to the registered email address. However, the second method will show an unknown error unless you set the passkey first.
The first step for the biometric authentication setup is using the Login with your password option, placed beneath the Use Your Passkey button.
As of this writing, I couldn’t find the option to use passwordless with WordPress logins exclusively. So, it’s important to enforce a strong password policy, because a user can still use a weak password otherwise. You can find these options in the User Groups > Features. Besides, the password age can be set at Configure > Login Security > Passwords Requirements.
Once logged in the regular way, every user will be prompted to Setup Passkey Login. The Add Passkey option will take you to the choices available on the local device.
For instance, it sent me to Windows Hello on a Windows 10 PC.
After entering the correct PIN, I could log in with just the username and the Windows login PIN.
Similarly, one can set up a passkey on Android (or iOS) as well:
Notably, this won’t prompt again if a user opts for the Skip Setup option. In that case, one can set up passkeys in the WordPress user profile section.
Click Manage Passkeys at the bottom, followed by Add a Passkey to begin the setup.
The Future is Passwordless!
Undoubtedly, it’s the future. Going Passwordless (in WordPress) is the safest and the most hassle-free form of authentication available right now.
While you have to set up passkeys for each device you own, this one-time work is worth it for all future logins.
So this wraps up the biometric login with iThemes Security Pro. Although its free version is good, the features I illustrated are part of its premium plan, which you can subscribe to without any risk with its money-back guarantee.
PS: Backups are crucial for any website, and WordPress projects are no different. Check out how to do this with another iThemes product, BackupBuddy.