Keyy: A Detailed Overview & Review

Posted on May 22, 2018 by in Resources | 23 comments


WordPress is everywhere. We’re closing in on powering a full one-third of the web, and that’s amazing. But with that ubiquity comes a number of problems, one of the primary ones being security. WordPress gets hit hard by hackers, spambots and all sorts of malcontents. Brute-force attacks on login pages, including those of brand-new installations, have risen sharply, and as the CMS grows, the attempts at hijacking it will only grow, too. Enter Keyy.

Keyy is a two-factor authentication (2FA) app and plugin that does its best to do away with the annoying aspects of other 2FA methods: usernames, passwords, and typed-in authentication codes. Keyy’s pitch is that it can replace all of that with RSA public-key cryptography, with the private key held on your phone.

Can You Really Log In from Your Phone? How?

That’s what you’re thinking, right? How is this even possible? It works a lot like linking your Netflix or Hulu account to a Roku or PS4: the screen shows a code, and a device you already trust claims it. Using public-key cryptography (the same family of techniques behind the TLS certificates, still commonly called SSL, that secure your site), the plugin and the app you download talk directly to one another. Nothing is typed: the login page shows a one-time login code, either as a QR code or as the animated “Keyy Wave,” and the app answers it using the private key on your phone.

How It Works, In Practice

Getting set up with Keyy is actually pretty simple. You head over to the app store of your choice (I’m an Android guy, so that’s what these shots are of) and download the Keyy app. It’s free, so don’t worry. There is a premium upgrade I’ll touch on later, though.

Keyy Login App and WordPress Plugin

Once that’s done, open the app, and you will be greeted by the simplest sign-up process that I have ever seen. Just an email field. I mean, after all, why would an app that wants to do away with usernames and passwords want you to sign up with a username and password?


When that’s submitted, you get the handy-dandy verification email asking you to click a link to prove that you’re you. That’s standard. After that, you create a 4-digit PIN. That’s going to be one way you unlock the app (the other being your fingerprint or other biometrics, depending on your phone).


When you’ve validated your email and set up your PIN, you can log into the Keyy website, where you’re presented with your Keyy Wave. Just scan the screen with the app to get access to your Keyy account.


The App Itself

The first time you open up the app, it’s empty. But it prompts you to add your first site. To do that, however, you need to have installed the Keyy WordPress plugin on your site. That part isn’t terribly well documented, or communicated at all, in the app. I just knew you had to do it. There is a “How to use Keyy” menu item, but it takes you to the external FAQ, which is again not terribly easy to navigate.


It’s only a couple of clicks, though, and no setup other than activating the plugin has to be done. You get a new menu item called Keyy Login that has the QR code you need to link the app to your WordPress site.


The moment you wave that app in front of the screen, and it catches a glimpse of that code, your page refreshes. Your password is no more, and instead you’re ready to login with…the future!


But…Does It Work?

Of course the first thing I did was log out of my account to see what my login screen looks like now. I was not disappointed.


And since I had LastPass keeping my username/password fields ready, I figured I’d hit the big blue button and see exactly what Keyy would do if a login attempt with valid credentials was made without it.


Good. It locked me out. So I opened up the Keyy app, and it authenticated my fingerprint immediately, and I was able to see the site I had just registered with a Scan to Login button immediately present.


And when I pressed it, I barely got the Keyy Wave inside the brackets before I was brought to my WP dashboard (the same happened with the QR code). It was pretty fancy, and went very smoothly.

Contingency Plans

The app works, and it’s great. But apps fail. Or we lose our phones. Our nieces and nephews accidentally delete apps. Whatever. So let’s say the worst happens and now we have to get back into our WP installs. Never fear. As long as you’ve backed up your private key, you’re good. Public-key cryptography cuts both ways here. Because of how the key pair works, you’re incredibly safe from anyone unauthorized getting access. But nobody without the private key gets in, and that includes you, if the only copy was in an app on a phone you no longer have.

Key Pairs: Private and Public Keys

There is just one key that can unlock the site: the private key. When you linked your site, the app generated a key pair, a public key and a private key, and neither of them is derived from a password; they are random, which is exactly what makes them strong. They are not a scrambled version of ElegantThemesDivi1337!? or anything else you typed. Each one is a block of base64 text a few hundred characters long, and the private key is the one the app later offers to back up for you.

The public key is what your site keeps from the linking step. It’s basically a jigsaw puzzle piece waiting for its partner. Anyone can see this one. It’s public. It’s basically meant to be shared. The QR code or Keyy Wave on your login page doesn’t need to hide anything either: in a challenge-response login like this, it carries a fresh, one-time login code that is useless on its own, which is why it can sit safely on a public login page.

There is only one way to answer that code: with the other half of the pair, your private key, which lives in your app. When you scan the code or wave, the app uses the private key to answer the site’s challenge, the site checks that answer against the public key it stored when you linked, and if they match, you’re in. Congrats. Without the private key there is nothing to guess; an attacker would have to break RSA itself.
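The login exchange this section describes, written out as an added Go example so the two sides can be seen separately. This is not Keyy’s code, and this page does not document Keyy’s wire format, key size or what its codes encode, so the nonce layout, the binding of the user name into the signed message, the two-minute expiry and the use of RSA-PSS over SHA-256 from Go’s standard library are all assumptions standing in for whatever the app does:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Site models what the plugin side holds: a public key per user and the login
// challenges it has handed out. No passwords and no private keys live here.
type Site struct {
	pubKeys    map[string]*rsa.PublicKey // user -> public key registered at link time
	challenges map[string]time.Time      // nonce -> expiry; removed on first use
	ttl        time.Duration
}

func NewSite(ttl time.Duration) *Site {
	return &Site{pubKeys: map[string]*rsa.PublicKey{}, challenges: map[string]time.Time{}, ttl: ttl}
}

// Link is the "scan the QR code under Keyy Login" step: the app registers its
// public key with the site. The private key never leaves the phone.
func (s *Site) Link(user string, pub *rsa.PublicKey) { s.pubKeys[user] = pub }

// Challenge is what the login-page code or wave carries in this model: a fresh
// random nonce, valid once and only briefly (assumed layout). Showing it on a
// public page is harmless; it is useless without the matching private key.
func (s *Site) Challenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(buf)
	s.challenges[nonce] = time.Now().Add(s.ttl)
	return nonce, nil
}

// Login verifies the phone's signature over the nonce with the stored public key.
// The nonce is consumed before verification, so a captured response cannot be
// replayed, and an expired one is rejected outright.
func (s *Site) Login(user, nonce string, sig []byte) error {
	exp, ok := s.challenges[nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, nonce)
	if time.Now().After(exp) {
		return errors.New("challenge expired")
	}
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("no key linked for this user")
	}
	digest := sha256.Sum256([]byte(user + "|" + nonce))
	if rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) != nil {
		return errors.New("signature does not match the linked public key")
	}
	return nil
}

// Phone models the app: it holds the one private key for this user.
type Phone struct {
	User string
	priv *rsa.PrivateKey
}

func NewPhone(user string) (*Phone, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Phone{User: user, priv: priv}, nil
}

func (p *Phone) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Sign answers a scanned challenge. Binding the user name into the signed
// message stops a response for one account being presented for another.
func (p *Phone) Sign(nonce string) ([]byte, error) {
	digest := sha256.Sum256([]byte(p.User + "|" + nonce))
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
}

func main() {
	site := NewSite(2 * time.Minute)
	phone, _ := NewPhone("me@example.com")
	site.Link(phone.User, phone.PublicKey())
	nonce, _ := site.Challenge()
	sig, _ := phone.Sign(nonce)
	fmt.Println("phone login:", site.Login(phone.User, nonce, sig))       // <nil>
	fmt.Println("replayed response:", site.Login(phone.User, nonce, sig)) // rejected
	stranger, _ := NewPhone("me@example.com") // same email, different key pair
	n2, _ := site.Challenge()
	s2, _ := stranger.Sign(n2)
	fmt.Println("wrong private key:", site.Login(phone.User, n2, s2)) // rejected
}
```

The site side never sees the private key, so a database dump of the plugin’s tables yields nothing that logs anyone in, and the login page can display the challenge to the whole internet; the only thing an onlooker can do with it is let it expire. The flip side, relevant to the backup discussion that follows, is that any copy of the private key answers challenges exactly as the phone does.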

So you need to make sure that you never lose the private key. Luckily, Keyy tells you to back it up the very first time you log into the app after connecting a site.


Since my phone runs Android, I clicked the button, and the private key was saved to my phone’s SD card as a .json file. Afterward, I just uploaded it to Google Drive. I got a notification when it was downloaded, too. On iOS (I presume) you have the option of iCloud, OneDrive, Google Drive, etc.


I can now restore the app at any point with that file. If I were using Keyy for my main login across all my sites, I would store the private key not only on my phone’s drive, but also on a USB drive and in Dropbox, too. One caveat: that file is the credential. Anyone who obtains it can log in as you without your phone, your PIN or your fingerprint, so treat it like a password and encrypt it (a passphrase-protected archive is enough) before it goes into any cloud storage.

Premium Plans

On the free plan of Keyy, you get enough for normal users and small businesses. You get 5 installs and users, and you’ll see some ads here and there. But if you choose to buy one of the premium plans, you get a few added features.


And while all of them are pretty handy to have and probably worth the upgrade in all honesty — if this is going to be how you secure your sites — the two that are the most important are Stealth Mode and the Multi-Factor Login Options.

Stealth mode addresses the worry that the Keyy code on your login page is visible to anyone. It’s perfectly safe to show (without your private key the code is useless), but there are lots of baddies out there on the web probing login pages, and with a premium Keyy account you can make sure only you and yours have access to the QR code or Keyy Wave.

And with the login options, you can also require a password in addition to the Keyy app, and similar combinations. You just get more control over how people get into your site, which I don’t see as a bad thing.

Plus you get more sites and users for those sites who can use Keyy, depending on your upgrade tier. That may or may not apply to you. But if you run a big team, it’s a consideration for sure.

Final Thoughts

I wasn’t quite sure what to expect when I dug into looking at Keyy. When I saw the animation on their homepage that depicted a phone just waving by a monitor and logging in, I was skeptical. I hate keeping NFC turned on, my main PC doesn’t even support NFC, and I was thinking to myself…how does this work with NFC anyway? (It doesn’t. The wave is just an animated code that your phone’s camera reads, so NFC has nothing to do with it, but that was the only way I could see a wave working.)

But I was wrong. All it really takes is a wave in front of your monitor to log in. Keyy has the fastest code recognition of any app I’ve ever used. I wish other apps would license whatever they’ve done, because it makes code scanning downright pleasant to use instead of “eh, it works well enough.”

If I ran a site that needed 2FA, I’d definitely be looking at Keyy. It may not be the solution for everyone, but there’s enough here already to show that the foundation they’ve laid in version 1 (and yes, this is still version 1) is strong enough for them to build an even more solid product in the future.

Besides, using an app sure beats clicking on never-ending grids of cars, storefronts, and street signs.

What method of two-factor authentication do you use for your sites?

Article featured image by Titima Ongkantong / shutterstock.com

23 Comments

  1. I recently started using DUO, which has a free plan for up to 10 users, and a free WordPress plugin. Might be worth checking too.

  2. While I like the concept of a second factor in the authentication process (as a web host I know that compromised credentials are an issue) I will say that nearly all that add a second factor end up ditching it. Invariably, it works well for a while, and when it all breaks down (and it will, it always does), once folks are happy with a repair they want it gone.

    For critical sites (like those with ecommerce), we recommend setting up your wp-admin directory as a password protected area (this can be done with the Directory Privacy feature in your cPanel interface) and this is an effective second factor that is rather immune to issues eventually caused by WordPress plugin and core updates.

    To save anyone headaches, once you set up your wp-admin as password protected you may also want to add this to your .htaccess file in your wp-admin directory:

    Order allow,deny
    Allow from all
    Satisfy any


    The above is intended for those hosting using Apache2 in a Linux environment. Please check with your web host to see if the code is valid for your environment. The code will sit below the authentication code added by the cPanel Directory Privacy feature and will ensure that CSS, GIF, PNG, and JS files can load from that area for anyone.

  3. Can the Keyy app also handle generating traditional 2FA login keys so it can eliminate the need to also use Google Authenticator or Authy?

    • No – Google Authenticator is fine at doing that. The point of Keyy is to eliminate the need to type codes to make two factor login smoother.

  4. I’ve been using Keyy for some months in a couple of websites and, well, it just works. Nothing to type, apart from the pin when you open the app, very straightforward.

  5. Nice! How does it work if you are not the only WordPress user? So let’s say I am the admin, but there are also editors and authors? How do they link the app on their phone with their WP user?

    • That’s something I need to find out too. Also, what happens if you do get locked out of your site, how hard is it to get back in?

    • All they’d need to do is:

      – register the app with their WP user email
      – login to the WP site using this email & password
      – scan the QR code

      Then it’s setup. In future, they just need to scan the code when they login.

      • Apologies – the previous reply I posted was for the below comment.

        Thanks for your feedback!

        Joe (member of Keyy team)

  6. Yes, looks nice if you are just one person who logs in as an admin sometimes…
    But what if you have a website where you have restricted content and already thousands of subscribers who signed up to see this content?

    If you have an active login feature on the website, Keyy will not help to have it protected against hacking.

    • Keyy is designed for any user who wants to login. All they’d need to do is:

      – register the app with their WP user email
      – login to the WP site using this email & password
      – scan the QR code

      Then it’s setup. In future, they just need to scan the code when they login.

  7. How secure is key compared to just changing the url of your WP login page, changing the default “admin” username and using a really strong password?

    • Good question – what you suggest doesn’t protect against phishing intercepts and key logging attacks – a growing phenomenon. Plus typing a really strong password takes time unless you use a password manager, which are frequently hacked (unless you protect that with 2FA also).

      Two factor authentication like Keyy is ultra-secure as only someone with your phone can login.

  8. Still not as good as our friend Clef!

    Clef was much better in every way, and didn’t cost an arm and a Clef to drop into a few sites and assure they’d be secure.

  9. Once you’ve installed this, can you log into your website on your laptop, without using your phone? and if you log in with your phone, can you then access the site on your laptop? I can’t build a website on my phone.

    • Hi Jim,

      1) You can log into your website on your laptop without using your phone. Keyy has a secret url that you can use which will allow you to use a regular username and password to login

      2) You can login on your phone as well as multiple laptops/desktops at the same time.

      3) Keyy also has a logout feature that will log you out of everywhere you signed in with a single click.

      Hope that answers your questions

    • Yes – the app securely logs you onto your WP site on your computer / laptop.

  10. I’m quite content with mini orange as my 2fa and use it with Google Authenticator from my iPhone! In addition, I always rename my wp-login to something that traditional hackers won’t be able to figure out, and if they do by some chance, then they’ve earned their access!

  11. I don’t own a cell phone. Edie’s suggestion looks interesting.

  12. Looks like a nice app but wouldn’t it interfere with anyone trying to register for the site?

    My host has a simple pre-login, login screen to stop brute force attacks that works very well. You just enter your credentials and you go to the login / register screen. No plugins necessary.

    Prior to hitting the login / register page they are sent to a short page explaining the how and why of it.

    Works great.

  13. A nice Security app for WordPress, but would want to test it out on one of my test sites first before I would go ahead to business sites.

  14. This is how it has worked in WeChat (Chinese messenger) for the last 5 years

  15. If I lose my phone or don’t have it with me, can I just use an FTP client to disable the plug-in and then use my username and password?

    Does this prevent database lookups so brute force attacks don’t use server resources?
