Keyless Auth – Login without Passwords Security & Risk Analysis

wordpress.org/plugins/keyless-auth

Secure, passwordless authentication for WordPress. Your users login via magic email links – no passwords to remember or forget.

30 active installs · v3.2.4 · PHP + · WP 3.9+ · Updated Nov 24, 2025
Tags: 2fa, authentication, passwordless, secure-login, smtp
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Keyless Auth – Login without Passwords Safe to Use in 2026?

Generally Safe

Score 100/100

Keyless Auth – Login without Passwords has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4mo ago
Risk Assessment

The "keyless-auth" plugin version 3.2.4 demonstrates a strong security posture with several good practices. All identified entry points, including AJAX handlers, REST API routes, shortcodes, and cron events, appear to have authentication checks in place, which is a significant strength. The plugin also escapes almost all of its output and avoids dangerous functions, file operations, and external HTTP requests. The use of prepared statements for SQL queries is also a positive indicator, although with only 64% of queries prepared there is room for improvement. The vulnerability history is clean, with no known CVEs, which suggests a history of secure development or prompt patching.

However, the taint analysis reveals some concerns. The presence of 9 flows with unsanitized paths, even if not classified as critical, warrants attention. In these flows, untrusted data reaches a sink without passing through a sanitizer, which makes them potential injection points. While the plugin has a substantial number of nonce checks and capability checks, the taint analysis suggests that some of these might not be effectively preventing the identified unsanitized paths. The relatively high percentage of SQL queries not using prepared statements also presents a moderate risk of SQL injection, especially if those queries handle user-supplied data.

In conclusion, "keyless-auth" v3.2.4 is a generally well-secured plugin with robust authentication and output sanitization. The lack of historical vulnerabilities is encouraging. The primary areas for improvement lie in addressing the identified unsanitized paths from the taint analysis and increasing the utilization of prepared statements for all SQL queries to further harden the plugin against potential injection attacks.

Key Concerns

  • Unsanitized paths in taint analysis (High severity)
  • SQL queries not using prepared statements (64% prepared)
Vulnerabilities
None known

Keyless Auth – Login without Passwords Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Keyless Auth – Login without Passwords Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 18 (32 prepared)
Unescaped Output: 18 (463 escaped)
Nonce Checks: 21
Capability Checks: 15
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

64% prepared · 50 total queries

Output Escaping

96% escaped · 481 total outputs
Data Flows: 9 unsanitized

Data Flow Analysis

14 flows · 9 with unsanitized paths
render_login_form (includes\Core\Core.php:92)
[Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized]
Attack Surface

Keyless Auth – Login without Passwords Attack Surface

Entry Points: 12
Unprotected: 0

AJAX Handlers 8

auth wp_ajax_chrmrtns_kla_admin_disable_2fa includes\Admin\Ajax\TwoFAAjaxHandler.php:22
nopriv wp_ajax_chrmrtns_kla_request_login_code includes\Core\Core.php:29
auth wp_ajax_chrmrtns_kla_request_login_code includes\Core\Core.php:30
nopriv wp_ajax_chrmrtns_kla_wc_request_magic_link includes\Core\WooCommerce.php:39
auth wp_ajax_chrmrtns_kla_wc_request_magic_link includes\Core\WooCommerce.php:40
auth wp_ajax_chrmrtns_2fa_setup includes\Security\TwoFA\Frontend.php:52
auth wp_ajax_chrmrtns_2fa_disable includes\Security\TwoFA\Frontend.php:53
auth wp_ajax_chrmrtns_2fa_generate_backup_codes includes\Security\TwoFA\Frontend.php:54

Shortcodes 4

[keyless-auth] includes\Core\Core.php:33
[keyless-auth-full] includes\Core\Core.php:34
[keyless-auth-password-reset] includes\Core\PasswordReset.php:31
[keyless-auth-2fa] includes\Security\TwoFA\Frontend.php:51
WordPress Hooks 51
action admin_init includes\Admin\Admin.php:57
action admin_notices includes\Admin\Admin.php:58
action admin_enqueue_scripts includes\Admin\Assets\AssetLoader.php:22
action admin_menu includes\Admin\MenuManager.php:50
action admin_enqueue_scripts includes\Admin\Pages\HelpPage.php:22
action admin_init includes\Admin\Settings\SettingsManager.php:22
action wp_loaded includes\Core\Core.php:31
action init includes\Core\Core.php:32
action login_footer includes\Core\Core.php:43
action login_init includes\Core\Core.php:44
action login_enqueue_scripts includes\Core\Core.php:45
action init includes\Core\Core.php:49
action wp_login_failed includes\Core\Core.php:52
filter xmlrpc_enabled includes\Core\Core.php:56
filter wp_is_application_passwords_available includes\Core\Core.php:61
action init includes\Core\Core.php:66
filter rest_endpoints includes\Core\Core.php:960
action parse_request includes\Core\Core.php:963
action template_redirect includes\Core\Core.php:966
filter login_errors includes\Core\Core.php:969
filter comment_class includes\Core\Core.php:972
filter oembed_response_data includes\Core\Core.php:975
action init includes\Core\Database.php:32
action plugins_loaded includes\Core\Main.php:45
action plugins_loaded includes\Core\Main.php:46
action admin_notices includes\Core\Notices.php:34
action admin_init includes\Core\Notices.php:35
action woocommerce_login_form includes\Core\WooCommerce.php:30
action woocommerce_login_form_start includes\Core\WooCommerce.php:33
action wp_enqueue_scripts includes\Core\WooCommerce.php:36
action init includes\Email\MailLogger.php:30
action admin_init includes\Email\MailLogger.php:33
action phpmailer_init includes\Email\MailLogger.php:36
action wp_mail_failed includes\Email\MailLogger.php:39
action phpmailer_init includes\Email\MailLogger.php:272
action wp_mail_failed includes\Email\MailLogger.php:273
action shutdown includes\Email\MailLogger.php:847
action admin_init includes\Email\SMTP.php:24
action phpmailer_init includes\Email\SMTP.php:25
action template_redirect includes\Security\TwoFA\Core.php:103
action admin_notices includes\Security\TwoFA\Core.php:106
filter authenticate includes\Security\TwoFA\Core.php:109
action wp_login includes\Security\TwoFA\Core.php:110
action wp_login includes\Security\TwoFA\Core.php:111
action admin_init includes\Security\TwoFA\Core.php:112
action login_form includes\Security\TwoFA\Core.php:113
action init includes\Security\TwoFA\Core.php:116
action chrmrtns_kla_2fa_reminder_emails includes\Security\TwoFA\Core.php:117
action update_option_chrmrtns_kla_2fa_enabled includes\Security\TwoFA\Core.php:120
action update_option_chrmrtns_kla_2fa_required_roles includes\Security\TwoFA\Core.php:121
action set_user_role includes\Security\TwoFA\Core.php:122

Scheduled Events 1

chrmrtns_kla_2fa_reminder_emails
Maintenance & Trust

Keyless Auth – Login without Passwords Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 24, 2025
PHP min version
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 30
Developer Profile

Keyless Auth – Login without Passwords Developer Profile

Chris Martens

3 plugins · 50 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Keyless Auth – Login without Passwords

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/keyless-auth/assets/css/style-back-end.css
/wp-content/plugins/keyless-auth/assets/css/admin-style.css
Version Parameters
keyless-auth/assets/css/style-back-end.css?ver=
keyless-auth/assets/css/admin-style.css?ver=

HTML / DOM Fingerprints

CSS Classes
chrmrtns-kla-settings-section
Data Attributes
data-plugin-name="keyless-auth"
JS Globals
window.ChrmrtnsKeylessAuthAdmin