Protecting user accounts with passwords alone has never been a prime example of strong security. One could argue that some sites store no personal information and that a simple username and password combination is secure enough for them, but this is not necessarily true: because of password recycling, even these accounts can become a stepping stone for an attacker. Two-factor authentication is therefore advisable even in the case of WordPress, and a tool like Telegram is an optimal choice for it. It is highly secure, user-friendly and free, and most importantly it has a bot feature that serves this purpose perfectly.

What is Two-Factor Authentication, and why is Telegram a good medium for it?

When I decided to create an add-on plugin for the Two-Factor WordPress plugin, my main motivation, besides security of course, was to use a tool that is perfectly suited to be the medium of authentication. Before I dig into the technical details, though, let’s do a quick recap of the world of Two-Factor and, of course, Telegram.

The combination of a username and password for authentication is vulnerable from a couple of perspectives. First, we tend to choose simple, easy passwords because of our poor memory. Second, there is a high risk of so-called password recycling, where we reuse a given password for several, or all, of our accounts. Needless to say, this is extremely dangerous, as our credentials can be stolen from a seemingly insignificant account and then used to break into our private email, for example. For this reason, an increasing number of providers now prefer multiple layers of authentication: besides the username and password combination, another factor is added. This can range from SMS messages to physical tokens or, in our case, a cross-platform application.

Telegram is a good choice for two-factor authentication for a number of reasons. It is free and does not push any advertisements. It provides end-to-end encryption for messages and respects the privacy of its users. What is more, and this is really important for us, it has a bot feature that can perform various tasks assigned to it. This gives companies a multitude of options for handling many of their services, and authentication is one of them.

How does Two-Factor work with Telegram?

The Two-Factor WordPress plugin already contains all the features of this type of authentication; the functionality and the functions are all available in it. It can send codes by email, and Google Authenticator applications can also be connected to it. My plugin is basically a new provider (class-lana-telegram-two-factor-provider.php) that links the Telegram bot authentication to the Two-Factor WordPress plugin. Let me show how this works in detail.

First, we need to create a Telegram bot.

[Screenshot: creating the bot with @BotFather, desktop and mobile]

In a nutshell, we send the command /newbot to @BotFather (Telegram’s own bot) and provide the data it asks for, in this case the name and description of the bot. Once the bot is generated, the bot token is provided as well, and this token can then be used to connect to the Telegram API. It can be viewed as a “password” that lets us control our bot, in this example @LanaCodesAuthBot, so it must be kept just as secret as one. With it we can send messages to the users who are connected to our bot by sending POST requests to the Telegram API in the name of the bot.

Connect to the Telegram API with a getUpdates based solution

Description of the getUpdates method in the Telegram Bot API documentation:

Use this method to receive incoming updates using long polling.

This method will not work if an outgoing webhook is set up.

Let’s take an example:

  • The user sends the message /get_id to the bot
  • Our application requests GET /getUpdates from the Telegram API once a minute and sees that a message came from the user with the ID #101
  • The application then requests POST /sendMessage from the Telegram API, where we set the content – it sends the text message ‘Your chat id for this bot: 101’ to the user #101

An application was needed that connects to @LanaCodesAuthBot with the help of the token. I chose Python for this. The application basically checks the messages of the users connected to the bot and sends replies in the name of the bot via the Telegram API.
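
The script below is an added example of that getUpdates pattern; it is not the author’s Python application. It assumes the bot token is supplied in the TELEGRAM_BOT_TOKEN environment variable, and it tracks the update offset so that every message is handled exactly once instead of being redelivered on the next poll.

```python
"""getUpdates poller for the /get_id flow (added example, not the page author's code).
Assumption: the bot token is read from the TELEGRAM_BOT_TOKEN environment variable."""
import json
import os
import time
import urllib.parse
import urllib.request

API = "https://api.telegram.org/bot{token}/{method}"


def call(token, method, **params):
    """POST one Bot API method (the API accepts GET or POST) and return its result."""
    data = urllib.parse.urlencode(params).encode()
    url = API.format(token=token, method=method)
    with urllib.request.urlopen(url, data, timeout=70) as resp:
        body = json.load(resp)
    if not body.get("ok"):
        raise RuntimeError(body.get("description", "Telegram API error"))
    return body["result"]


def reply_for(update):
    """Return (chat_id, text) when the update is a /get_id message, otherwise None.
    The /get_id@BotName form that Telegram uses in groups is accepted as well."""
    msg = update.get("message") or {}
    if msg.get("text", "").split("@")[0].strip() != "/get_id":
        return None
    chat_id = msg["chat"]["id"]
    return chat_id, f"Your chat id for this bot: {chat_id}"


def next_offset(updates, offset):
    """Offset for the next poll: update_id + 1 of the newest update we handled.
    Without it Telegram redelivers the same messages on every getUpdates call."""
    return max([offset] + [u["update_id"] + 1 for u in updates])


def poll_forever(token):
    """Long-poll getUpdates (timeout=50 keeps the request open for up to 50 s)."""
    offset = 0
    while True:
        updates = call(token, "getUpdates", offset=offset, timeout=50,
                       allowed_updates='["message"]')
        for update in updates:
            reply = reply_for(update)
            if reply:
                call(token, "sendMessage", chat_id=reply[0], text=reply[1])
        offset = next_offset(updates, offset)
        time.sleep(1)   # gentle pacing between polls


if __name__ == "__main__":
    poll_forever(os.environ["TELEGRAM_BOT_TOKEN"])
```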

This is how the bot works:

How the getUpdates method works

Connect to the Telegram API with a webhook based solution

Description of the setWebhook method in the Telegram Bot API documentation:

Use this method to specify a url and receive incoming updates via an outgoing webhook. Whenever there is an update for the bot, we will send an HTTPS POST request to the specified url, containing a JSON-serialized Update.

You will not be able to receive updates using getUpdates for as long as an outgoing webhook is set up.

Let’s take an example:

  • We register our webhook with the request GET /setWebhook?url=https://lana.codes/wp-json/lana-telegram-two-factor/v1/webhook/ to the Telegram API.
  • The user sends the message /get_id to the bot
  • Our WordPress plugin receives the request POST /wp-json/lana-telegram-two-factor/v1/webhook/ from the Telegram API, handles it, and sees that a message came from the user with the ID #101
  • The WordPress plugin then requests POST /sendMessage from the Telegram API, where we set the content – it sends the text message ‘Your chat id for this bot: 101’ to the user #101
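
The receiving side of that exchange, as an added example written in plain Python/WSGI rather than the plugin’s PHP: the public webhook URL can be called by anyone, so the handler first checks the secret that Telegram echoes in the X-Telegram-Bot-Api-Secret-Token header (the secret_token parameter of setWebhook, a Bot API feature not mentioned on the page) before it trusts the body. The TELEGRAM_WEBHOOK_SECRET variable and the send callback are this example’s own assumptions.

```python
"""Webhook receiver for the /get_id flow (added example, not the plugin's PHP code).
Assumption: TELEGRAM_WEBHOOK_SECRET holds the value passed as secret_token to setWebhook."""
import hmac
import json
import os
from wsgiref.simple_server import make_server

REASON = {200: "200 OK", 400: "400 Bad Request", 403: "403 Forbidden"}


def handle_webhook(headers, raw_body, expected_secret):
    """Validate one inbound update and return (http_status, reply_or_None).

    Anyone who can reach the public URL can POST to it, so the body alone proves
    nothing: Telegram sends the secret_token given to setWebhook back in the
    X-Telegram-Bot-Api-Secret-Token header, and that is what we check first."""
    presented = headers.get("X-Telegram-Bot-Api-Secret-Token", "")
    if not expected_secret or not hmac.compare_digest(
            presented.encode(), expected_secret.encode()):
        return 403, None
    try:
        update = json.loads(raw_body)
    except ValueError:
        return 400, None
    if not isinstance(update, dict):
        return 400, None
    msg = update.get("message") or {}
    if msg.get("text", "").split("@")[0].strip() != "/get_id":
        return 200, None   # a valid update we ignore; 200 stops Telegram retrying it
    chat_id = msg["chat"]["id"]
    return 200, (chat_id, f"Your chat id for this bot: {chat_id}")


def make_app(expected_secret, send):
    """WSGI app; `send(chat_id, text)` is whatever posts sendMessage in the bot's name."""
    def app(environ, start_response):
        headers = {"X-Telegram-Bot-Api-Secret-Token":
                   environ.get("HTTP_X_TELEGRAM_BOT_API_SECRET_TOKEN", "")}
        body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
        status, reply = handle_webhook(headers, body, expected_secret)
        if reply:
            send(*reply)
        start_response(REASON[status], [("Content-Type", "text/plain")])
        return [b""]
    return app


if __name__ == "__main__":
    # Telegram only delivers to HTTPS URLs, so a TLS terminator belongs in front of this.
    secret = os.environ["TELEGRAM_WEBHOOK_SECRET"]
    make_server("127.0.0.1", 8080, make_app(secret, lambda c, t: print(c, t))).serve_forever()
```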

This is how the bot works:

How a webhook works

All of the above is needed because we have to provide a chat ID in WordPress; otherwise the two-factor provider would send the code to all of the users who are connected to the bot, while obviously the code must be sent only to the given user.

Both solutions work, but as the documentation says, only one of them can be active at a time. The preferred solution is the webhook, because that way no unnecessary requests are made while nothing happens with the bot. And for the user-friendly operation of the WordPress plugin only the webhook solution is acceptable: we do not need a separate application, the plugin can do everything by itself.

How does the Lana Two Factor with Telegram WordPress plugin work?

First, @BotFather gives us the Bot Token. Then, by connecting to the bot, we can obtain the Chat ID. This identifies the chat with the user, and it is what needs to be provided in WordPress.

This is the layout of the settings in WordPress:

[Screenshot: the plugin settings in WordPress, desktop and mobile]

At the bottom we can see the two values that need to be provided: the Bot Token and the Bot Chat ID.

Once the settings are saved, the next login prompts for verification in WordPress:

[Screenshot: the WordPress login verification prompt, desktop and mobile]

As the final step, we get the confirmation code from the bot via a Telegram message:

[Screenshot: the confirmation code sent by @LanaCodesAuthBot, desktop and mobile]

Let’s take a more detailed example:

  • The user logs in to the WordPress admin, and we know from the stored user settings that the Chat ID for this user is #101
  • The WordPress plugin then requests POST /sendMessage from the Telegram API, where we set the content – it sends the text message ‘Your authentication code is: 31822652’ to the user #101

The Two-Factor WordPress plugin generates and verifies the authentication code.
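
To make concrete what “generates and verifies” has to cover around that sendMessage call, here is an added example of the code lifecycle, not the plugin’s or the Two-Factor plugin’s own code: the code is stored only as a hash, expires, is usable once, tolerates a limited number of wrong guesses and is compared in constant time. The 5-minute TTL, the attempt limit and the injected send callback are this example’s assumptions.

```python
"""Login-code issue/verify logic around the Telegram send (added example; in the real
setup the Two-Factor WordPress plugin does this). TTL and attempt limit are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300       # seconds a code stays valid
MAX_ATTEMPTS = 5     # wrong guesses before the code is discarded


class TelegramCodeProvider:
    def __init__(self, send, clock=time.time):
        self.send = send        # send(chat_id, text): posts sendMessage in the bot's name
        self.clock = clock      # injectable for tests
        self.pending = {}       # user_id -> [sha256(code), expiry, attempts_left]

    def issue(self, user_id, chat_id):
        """Generate an 8-digit code, store only its hash, deliver it to the user's chat."""
        code = f"{secrets.randbelow(10 ** 8):08d}"      # same shape as 31822652 on the page
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[user_id] = [digest, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        self.send(chat_id, f"Your authentication code is: {code}")   # never log the code

    def verify(self, user_id, submitted):
        """True only for the current, unexpired code; each code can be used once."""
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if self.clock() > expiry or attempts <= 0:
            del self.pending[user_id]       # expired or brute-forced: throw it away
            return False
        entry[2] -= 1
        candidate = hashlib.sha256(submitted.strip().encode()).hexdigest()
        ok = hmac.compare_digest(digest, candidate)
        if ok:
            del self.pending[user_id]       # single use
        return ok
```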

This is how the plugin works:

This is how the Lana Telegram Two Factor WordPress plugin works