外掛說明
Authyo Passwordless Login enables a modern, secure passwordless authentication system for WordPress using email-based one-time passwords (OTP).
Users simply enter their email address, receive an OTP via email, verify the code, and are automatically logged in — no passwords required at any stage.
This plugin is officially developed and maintained by Konceptwise Digital Media Pvt. Ltd. and uses Authyo’s secure OTP authentication services.
Key Features
- Fully passwordless WordPress login using email OTP
- No passwords stored or required
- Secure token-based authentication (single-use, time-limited)
- OTP delivered via Authyo’s secure email service
- Fallback Method: You can set your two-factor authentication app as a fallback method if you have trouble with email OTPs.
- Works with default WordPress login page
- AJAX-powered login flow (no page reloads)
- Automatic dashboard redirect after login
- Enable / disable passwordless login anytime
- Compatible with custom login URL plugins (e.g., WPS Hide Login)
How It Works:
- User enters their email address on the WordPress login page
- Authyo sends a one-time password (OTP) via email
- User verifies the OTP
- WordPress logs the user in automatically using a secure, single-use token
About Konceptwise & Authyo
Konceptwise is the parent company and original developer of this plugin. Authyo is a product developed and owned by Konceptwise that provides secure OTP-based authentication services. This plugin is officially maintained by Konceptwise and uses Authyo to enable passwordless login for WordPress users.
Video Tutorial
How to Use Authyo Passwordless Login
External Services
This plugin connects to Authyo’s external API to send and verify one-time passwords (OTP) for passwordless login functionality.
What data is sent:
– User email address (sent to Authyo API when requesting OTP)
– OTP code (sent to Authyo API for verification)
– Mask ID (returned by Authyo API, used for OTP verification)
When data is sent:
– When the user requests an OTP: Email address is sent to Authyo API
– When the user submits an OTP for verification: OTP code and Mask ID are sent to Authyo API
Authentication Flow:
– After successful OTP verification via Authyo API, the plugin generates a secure single-use token using WordPress core functions
– This token is browser-bound using a hashed User-Agent signature to prevent session hijacking
– The token is stored temporarily in WordPress transients and expires after 5 minutes
– The token allows WordPress to complete authentication without requiring a password
– Token is deleted immediately after verification (single-use security)
Purpose:
– To verify ownership of the provided email address through OTP verification
– After successful OTP verification, a secure, browser-bound single-use token is generated
– The token allows WordPress to complete authentication without requiring a password
– Token-based authentication is fully secure, browser-locked, time-limited (5 minutes), and single-use
Data Storage:
– OTP session data (email, user ID, mask ID) is stored temporarily in WordPress transients (expires after 10 minutes)
– Login tokens are stored temporarily in WordPress transients (expires after 5 minutes, deleted immediately after use)
– No user data is permanently stored by this plugin
Terms of Service:
https://authyo.io/terms-service
Privacy Policy:
https://authyo.io/privacy-policy
Requirements
- WordPress 5.0 or higher
- PHP 7.2 or higher
- An active Authyo account with API credentials
Configuration
Getting Authyo API Credentials
- Sign up for an account at https://authyo.io
- Log in to your Authyo dashboard
- Navigate to your app settings
- Copy your App ID, Client ID, and Client Secret
Plugin Setup
- Go to Settings > Authyo Passwordless Login in your WordPress admin
- Check the Enable Passwordless Login checkbox to activate the feature
- Enter your Authyo API credentials:
- Authyo App ID
- Authyo Client ID
- Authyo Client Secret
- Click Save Settings
Once configured, the passwordless login form will appear on your WordPress login page.
螢幕擷圖
Authyo WordPress Passwordless Login 
Authyo WordPress Passwordless Login Admin Panel
安裝方式
Manual Installation
- Download the plugin files
- Upload the authyo-passwordless-login folder to /wp-content/plugins/ directory
- Activate the plugin through the ‘Plugins’ menu in WordPress
- Navigate to Settings > Authyo Passwordless Login to configure the plugin
常見問題集
-
How does passwordless login work?
-
- Users enter their email address on the login page
- An OTP code is sent to their email via Authyo
- Users enter the OTP code to verify their email ownership
- After successful OTP verification, a secure single-use token is generated
- Users are automatically redirected and logged in to WordPress
- No password is ever required – fully passwordless authentication
-
Can I use this with custom login pages?
-
Yes, you can use the shortcode [authyo_login] on any page or template, or use the PHP function authyo_passwordless_login_form() in your theme templates.
-
What happens if a user doesn’t receive the OTP?
-
Users can click the “Resend OTP” button to request a new OTP code. The OTP expires after 5 minutes (as configured with Authyo). The login token expires after 5 minutes if not used, and is deleted immediately after successful login for security.
-
Is this plugin secure?
-
Yes, the plugin implements multiple security layers:
* Nonce verification for all AJAX requests (prevents CSRF attacks)
* Email address validation and user existence verification
* Secure transient storage for OTP sessions (10-minute expiry)
* Cryptographically secure token generation using WordPress core functions
* Browser-bound tokens: Tokens are validated against a hashed User-Agent to prevent cross-browser replay attacks
* Single-use tokens that are deleted immediately after successful login
* Time-limited tokens (5-minute expiry) to prevent long-term exposure
* Token format validation to prevent injection attacks
* Authentication completed using WordPress core authentication mechanisms
* Replay attack prevention through immediate token deletion and User-Agent signature validation
使用者評論
這個外掛目前沒有任何使用者評論。
參與者及開發者
變更記錄
1.0.3
- Added video tutorial to readme
- Improved Google Authenticator fallback logic to hide on non-existent users
- Minor bug fixes
1.0.2
- Added two factor authenticator as backup method
- Performance improvements
1.0.1
- Performance improvements
- Screenshot addon
1.0.0
- Initial release
- Fully passwordless login with OTP verification
- Secure token-based automatic authentication
- Single-use, time-limited login tokens
- WordPress login page integration
- Custom login shortcode [authyo_login]
- Admin settings page
- AJAX-powered authentication flow
- Immediate dashboard redirect after login
- WordPress.org security compliance
- Replay attack prevention
- Cryptographically secure token generation