Security Notice: Authy Plugin for WordPress 4.5
In April 2016, WordPress released version 4.5 and introduced a new login feature: a user can now sign in with either their username or their email address in the username field. In previous versions it was only possible to authenticate with the username.
This new capability exposed a problem in how the Authy WordPress plugin worked. With version 2.5.5 or below of the Authy WordPress plugin on WordPress 4.5, a user's two-factor authentication configuration was ignored when they authenticated with email address and password; the second factor was never requested. Two-factor authentication was still enforced when the same user authenticated with username and password. Login by email address was added by WordPress with no clear communication, is enabled by default, and cannot be turned off through a setting.
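The bypass class described above is easy to reproduce in any WordPress 2FA plugin that re-resolves the user from the string typed into the username field instead of using the account WordPress core has already authenticated. The following PHP is an added illustration of that pattern and its fix; it is not the Authy plugin's code, and the page does not say that the plugin failed in exactly this way. It assumes a hypothetical user-meta key `example_2fa_enabled` marking users who have 2FA configured and a hypothetical function `example_2fa_token_is_valid( $user_id )` that checks the submitted second-factor token. Core's username handler (`wp_authenticate_username_password`) and, since 4.5, its email handler (`wp_authenticate_email_password`) both run on the `authenticate` filter at priority 20, so a plugin hooked at a later priority receives a `WP_User` whichever identifier was used.

```php
<?php
/*
 * Added example, not the Authy plugin's code. Shows why a 2FA hook that
 * re-looks-up the user from the submitted login string fails open once
 * WordPress 4.5+ accepts an email address in the username field, and how
 * to fail closed instead.
 *
 * Assumed (hypothetical) pieces:
 *   - user meta key 'example_2fa_enabled' is truthy for users with 2FA set up
 *   - example_2fa_token_is_valid( int $user_id ): bool verifies the token
 *     submitted with the login form (e.g. against a 2FA provider API)
 */

// ---- Vulnerable pattern ---------------------------------------------------
function example_2fa_authenticate_vulnerable( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // primary factor already failed; let core report it
    }

    // BUG: the submitted string is treated as a login name. When the visitor
    // typed an email address this lookup returns false ...
    $lookup = get_user_by( 'login', $username );
    if ( ! $lookup ) {
        return $user; // ... and the code fails open: 2FA is skipped entirely.
    }

    if ( get_user_meta( $lookup->ID, 'example_2fa_enabled', true )
         && ! example_2fa_token_is_valid( $lookup->ID ) ) {
        return new WP_Error( 'example_2fa_invalid', 'Invalid two-factor token.' );
    }
    return $user;
}

// ---- Hardened pattern -----------------------------------------------------
// Key the 2FA decision on the WP_User core already resolved (by login or by
// email), never on the raw form input, and fail closed if that object is
// missing.
function example_2fa_authenticate_hardened( $user, $username, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user; // preserve core's error (bad password, unknown account)
    }
    if ( ! $user instanceof WP_User ) {
        // No authenticated account to attach a second factor to: deny.
        return new WP_Error( 'example_2fa_no_user', 'Authentication failed.' );
    }

    $enabled = get_user_meta( $user->ID, 'example_2fa_enabled', true );
    if ( $enabled && ! example_2fa_token_is_valid( $user->ID ) ) {
        return new WP_Error( 'example_2fa_invalid', 'Invalid two-factor token.' );
    }
    return $user;
}

// Priority 30 runs after both core password handlers (priority 20).
add_filter( 'authenticate', 'example_2fa_authenticate_hardened', 30, 3 );
```

A quick check for any 2FA plugin after a WordPress core upgrade: on a staging site, enable 2FA for a test user and attempt to log in once with the username and once with the email address. Both attempts must prompt for the second factor; if the email attempt lands on the dashboard directly, the plugin is resolving the user from the form input rather than from the authenticated account.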
Authy found this issue through internal testing; we have received no reports of it from customers using this integration. As soon as we understood why 2FA was being skipped for these users, we took steps to fix the integration. Once the required software changes were in place, we put the Authy WordPress plugin through rigorous testing and a security review. After it passed both, we published the update on June 27, 2016 to the Authy GitHub repository and the WordPress.org Subversion repository.
If you are using the Authy WordPress plugin, please update. The upgrade process is simple: go to the “Plugins” page of the WordPress admin dashboard and select the update option for the Authy plugin.
The upgrade is complete when the Plugins page reports the Authy plugin as updated.
We are changing our release process to examine each WordPress release in more detail for changes to the login flow.
We have no reported instances of this issue causing a security incident for our users. As always, we are committed to working with the WordPress community, outside security experts and the information security community to ensure transparent, rapid response to potential vulnerabilities. If you have any questions or concerns about this vulnerability, the security of your WordPress installation or your account, please contact us at [email protected].