WP YouTube Lyte and YouTube API v2 end of life

The YouTube API v2 is now officially to be shut down soon after April 20th. That’s bad news for WP YouTube Lyte, which uses this version of the API to perform unauthenticated read-only requests to fetch, among other things, video title and thumbnail information (example here). The v3 API is supposed to be simpler yet more powerful and migrating should not be a big problem, except for that little detail that v3 doesn’t allow unauthenticated requests at all. So I’ll need to add authentication (via an API key) to the mix, leaving me with the dilemma of having to choose between these approaches, none of which I really like:

  1. Tell WP YouTube Lyte users to get their own API key and have them enter it in the plugin’s settings-page. Risk: upsetting users who all of a sudden have to get an API key (“huh, what key?”)
  2. Get an API key myself and hardcode that in WP YouTube Lyte. Risk: abuse of that key (and neither a server key nor a browser key is applicable really), reaching limits, being denied access.
  3. Create and operate a proxy application that sits between the v3 API and each and every WP YouTube Lyte instance, taking care of authentication with an API key. Risk: having to write & install that proxy application, making sure it is available 24/7 (it’s a single point of failure) + obviously the same abuse-risk as in (2).

No, I’m definitely not happy … 🙁

And now you can even have my WordPress password!

Being slightly obsessed with security, I was delighted to discover that two-factor authentication (OTP) using the Google Authenticator client is not restricted to Google applications, but is fully standardized and as such can be implemented without dependency on Google services on any system. There is code (of course varying in quality and scope) available for PHP, .NET, Java and Python (and I’m sure there are others).
As you might expect after reading the title, there is a great Google Authenticator WordPress plugin which I installed in 5 minutes’ time earlier today. For the Drupal-heads: Antwerp-based Attiks have a module that implements Google Authenticator OTP which looks worth checking out as well (and I’m interested in your experiences with it, actually).