Universal Passkeys Integration for WordPress and Drupal

6/22/2023 Jing Gu

WordPress and Drupal are two of the most popular content management systems (CMS) in the world, with over 40% of all websites using WordPress and over 1.5 million websites using Drupal. These CMSs allow users to create and manage websites without any coding knowledge, providing a user-friendly interface for managing the content and functionality of a website. 

While both CMSs are powerful, user authentication remains surprisingly challenging given that passwords and multi-factor authentication are insecure and difficult to manage. You need to make sure only authorized users are able to log in to their accounts on your website. Not to mention, you need to ensure that only administrators can log in to the backend of your website.

That's where Beyond Identity comes in. Our new integration guides for WordPress and Drupal are a simple, secure, and free way to add passwordless authentication to your website. With these integrations, you can log your users in without a password, and you can log in to your own WordPress and Drupal backend passwordlessly as well.

Instead of a password, these integrations use a technology called FIDO2 passkeys. Passkeys are currently in use by some of the largest companies in the world including Google, Robinhood, Kayak, and Hyatt. 

Learn more about passkeys here

What can I do with these integrations?

Passwordless registration, login, and recovery 

With Beyond Identity’s CMS integrations, you can eliminate the password for both your users and website administrators. Instead of a password, your users log in with the biometrics, such as fingerprint or facial recognition, built into all modern devices.

Why it matters:

Passwords are a hidden conversion killer. The friction of creating, remembering, typing, and resetting passwords causes users to drop off and abandon your website, which in turn hurts your business. According to Google, passwordless user experience (UX) is proven to be 4x more likely to be successful and 2x faster than passwords. This means you can convert more users on your website faster.

Watch the UX demo video.

Invisible, phishing-resistant MFA

Multi-factor authentication (MFA) is a security feature that adds an extra layer of protection to user accounts. With MFA, users are required to provide two or more factors to log in.

However, not all MFA is created equal. First-generation MFA:

  1. Adds significant user friction. For example, users not only have to enter a password correctly, they also have to enter a code, tap a push notification, or click an email link.
  2. Does not protect user accounts from phishing attacks.

Our integrations offer invisible, phishing-resistant MFA. This means that users can be authenticated with two strong factors without ever leaving your website:

  1. Device biometric
  2. Public-private key pair

Why it matters:

Passwords are easily guessed or hacked, which can lead to account takeover fraud, spam, and unauthorized access to private information. This can put businesses at risk of legal trouble and damage their reputation. By securing your website with phishing-resistant MFA, you protect user accounts as well as access to the backend of your website against bad actors. 

Set dynamic risk-based authentication policies

The Beyond Identity platform provides users with the ability to set authentication policies based on attributes such as what application a user is trying to log into, jailbroken or rooted status of their device, and more. Using these signals, you can allow access for low-risk scenarios, allow with additional verification for medium-risk scenarios, or deny access altogether when the risk is too high. 

Why it matters:

For websites with stringent security requirements, for example websites that store users’ financial or healthcare information, higher security controls are required. With authentication policies that automatically adjust access decisions based on defined risk signals, you can optimize for both security and user experience.

Support passkeys in your website

Passkeys are a new, secure way to authenticate users. Some of the biggest companies in the world use passkeys to authenticate their users because they provide a faster and more secure user experience.

Passkeys are based on the Web Authentication (WebAuthn) standard. With passkeys, users can log in with their biometrics, such as their fingerprint or facial recognition, which are built into all modern devices including smartphones, tablets, laptops, and desktops.

Why it matters:

Beyond Identity’s CMS integrations leverage passkeys for authentication. In addition to UX and security improvements, supporting passkeys can set your website apart from competitors with a modern, frictionless authentication flow. 

"I used the Beyond Identity Drupal integration to give my website administrators passwordless logins to our website. It took me less than an hour to set up with no code needed. My users are happy that they never have to remember or reset their passwords ever again. And my website is better protected because there’s no way for an attacker to steal a password to gain access."

-Chris Rocha, Developer

Read about Chris’ experience implementing the Beyond Identity Drupal integration

How to get started

To get started with the Beyond Identity CMS integrations, you need to:

  1. Sign up for a Beyond Identity account
  2. Download an OIDC plugin / module for your WordPress or Drupal website
  3. Configure your OIDC plugin with Beyond Identity
    1. WordPress integration guide
    2. Drupal integration guide

Let us know in our Slack if you need any help or have feedback! Our product and engineering teams are here to answer your questions.