How does Clef accommodate WordPress logins for users who do not have smartphones?
Clef’s WordPress plugin accommodates non-smartphone users via its password settings page in your WordPress Dashboard. Which settings you select depends on the level of security you desire for your users.
1. Most secure: disable passwords for all users, enable override URL.
The disable passwords for all users and hide the password login form option completely disables password-based login for all users on your WordPress site.
If you enable this setting, we highly recommend bookmarking a secret override URL to allow password logins at a private URL. Doing so is useful both for avoiding lockout in cases of emergency (e.g., if you drop your phone in the ocean on a cruise) and for cases where you want to protect the majority of your users with full Clef protections while continuing to facilitate password-based logins for a small number of users who do not have smartphones.
2. More secure: disable passwords for high-privilege roles (recommended minimum setting for most cases).
We strongly recommend enabling at least one of the following options to protect your high-privilege WP roles (e.g., admin and super admin accounts):
- Disable passwords for Clef users
- Disable passwords for all users with privileges greater than or equal to administrator
Both of these settings will protect your high-privilege roles with Clef while allowing password logins for non-high-privilege accounts. You can then choose whether to show the Clef Wave or the default password form on your WordPress login page by adjusting the Show Clef wave as primary login option.
After enabling either one of these settings, we also highly recommend bookmarking a secret override URL to allow password logins for your admin account at a private URL in cases of emergency.
3. Least secure: allow passwords for all users (i.e., “hybrid mode”).
“Hybrid mode” means that all users may log in either with Clef or with passwords. Passwords are not disabled in hybrid mode; so, you and your users will receive fewer protections against password-based attacks, and you will enjoy these protections only when you choose to log in with your phones.
When your site is in hybrid mode you can choose whether to show the Clef Wave or the default password form on your WordPress login page by adjusting the Show Clef wave as primary login option.