No cookies are set for normal users; however, one is set for 60 seconds if/when you successfully log in with Keyy, to enable a (not yet existing) SSO feature. Details of the cookie:
Cookie name: keyy_just_logged_in.
Cookie contents: the Keyy cryptographic token that was used to login.
Cookie expiry: after 60 seconds.
Cookie sent to any third parties: No.
If I administer a site and want to allow users to log in with Keyy, but do not allow them to use the WP dashboard, what can I do?
- For existing users, you can email them an invitation; see this FAQ: “I am a site owner – how can I mass-enroll all my users into Keyy?”
- And/or, you can give it to them on the front-end by using the shortcode keyy_connect (put it in square brackets as per normal for WP shortcodes). Then, logged-in users will be shown a QR code to scan to connect their WP account to Keyy. You can, of course, adorn it with whatever text and description you want to add (the shortcode itself will only show the QR code, giving you maximum flexibility).
- The manual way: tell them to log in and start using it!
- Or, the automated way: with Keyy Premium, go to the Keyy administration page in your WordPress dashboard, and to the “Users who are not yet connected to Keyy” section. Then choose your options, and press the “Send Emails” button. This will send the users an email telling them about Keyy, and with a code to scan.
If you have Keyy Premium, then you can also use the “Site-wide login policies” section to enforce the use of Keyy (i.e. forbid particular users from turning it off), or other policies.
Yes. The app has a button for logging in directly to any of your connected sites on the same device.
The idea behind Keyy is simple. Instead of using passwords, you log in to a website by proving your identity using your phone (or tablet). With your device, you scan a code on the screen. Behind the scenes, the phone then sends a secure cryptographic request to the website to log you in.
What this means in practice is that to use Keyy, you just need to do these things:
- Install the Keyy plugin on your WordPress website. To do this, go to your WordPress admin dashboard, and to the “Plugins” page, and the “Add New” link. There, you should either type in “Keyy” and press the button to search for it (if you are using the free version of Keyy), or use the “Upload” facility to upload the Premium version of Keyy, if you have bought it.
After doing this, go to the “Keyy” page in your WordPress admin dashboard. It is one of the items on your WordPress admin menu on the left, after you have installed and activated the plugin.
- Install the Keyy app on your phone. To do this, search for “Keyy” in the app store on your phone, or press on one of the buttons on the Keyy page in your website.
Apps are available for Android phones and tablets (Google Play Store) and Apple (i.e. iOS) phones and tablets (App Store).
The app will then set up an account for you.
- Scan the Keyy code with your Keyy app. In the Keyy app, scan the code shown on the “Keyy” page in your WordPress website. This will then connect your app to the website.
Then, when you next need to log in, you do exactly the same thing: you scan the code shown on the login page of your WordPress website.
That’s all! If you get stuck anywhere, please look at our other FAQs.
We offer a full upgrade discount up to 4 weeks after your original purchase. The new purchase will be discounted by the full cost of your original order.
To upgrade, simply purchase your new package for Keyy Premium, and use one of the coupon codes below to get a discount:
- If upgrading from the Personal package (to either the Plus or Ultimate package), use this coupon: frompersonal
- If upgrading from the Plus package to the Ultimate package, use this coupon: fromplus
We strongly recommend backing up your account immediately after you first set up. In Keyy’s security model, the “secret key” which logs into websites is only found on your device (i.e. your phone or tablet). We do not have a copy. As such, if you lose your device, then you lose access. Whilst the WordPress site owner can disable Keyy on the site to let you back in, it is much more convenient if you keep a backup in a secure location.
To do this, use the “Export” function from the menu in the Keyy app on your device. Export and keep your settings in a secure location. You can use this file again with the “Import” function if ever you need to set up Keyy again on another device.
There are a few different ways to do this.
1. Use the secret “login without Keyy” URL
If you are a site administrator, then when you connect to Keyy from your WordPress dashboard, you will be shown a URL for a login page on which Keyy is disabled. You should note this and keep it in a secure place for later use. If you use it, then it will provide a normal WordPress login form. On there, you can use your username/password in the ordinary way.
After it is used, the site administrator will be notified (by email), and a new URL will be created, i.e. each link can only be used once.
2. Or, log in using an alternative administrative account
If you have some other way of logging into a website that uses Keyy, or know somebody else with their own admin access to WordPress, then you can disable the Keyy plugin in the WordPress dashboard’s “plugins” page. But of course, since Keyy is a login plugin, it’s usually the case that you cannot do this.
3. Or, de-activate the Keyy plugin
If you manage your website with a remote control product, then you may be able to use that remote control product to de-activate the Keyy plugin remotely.
Otherwise, the easiest way is to add the following line to your wp-config.php (e.g. edit it using FTP, or using the file manager in your web hosting control panel), after the opening line:
This line will disable all Keyy’s functionality, and you will then have your ‘normal’ WordPress login screen back. (So, if you also forgot your password, then use the regular password reset link).
On the Login page, you will see a Keyy scan code above the login input fields. Open the Keyy app on your mobile phone, and use the camera screen to scan this code, holding it there for a second or two, and you’ll be logged in automatically.
How do I log into my site on my mobile device?
If you have Keyy set up and want to log into your WordPress website on your mobile device, you may have noticed you can’t scan the Keyy scan code.
Logging in on your mobile device without having to scan the Keyy scan code is easy: just open the Keyy mobile app.
If your camera is on, press the camera icon in the top left corner to turn it off. This will reveal the option “Login on this device’s browser”: select this option.
You will now be prompted to select the site and user you want to log in as. After you do so, a browser will automatically open on your mobile device and log you in!
You should see a list of cards, one for each site. Find the site you want to log in to and tap the “Same Device Login” button, and you will be logged in, in a new browser window that opens up. Please do not close or click away from the page; it may take a few seconds to log in, depending on the network.
Exporting settings is easy, and is recommended as an important security precaution to take after you sign up to Keyy.
To export your settings, open the Keyy mobile app then press the “gear” icon in the top right to open the Keyy settings. Here you will see the option “Export key and settings”: press this option, and then select the option for exporting the data to the apps you have installed on your phone.
It is very important that you choose a service that is secure and you trust. To export the Keyy settings using the iCloud drive, simply select the option “Add To iCloud Drive”.
Note: in iOS 11 this has now been renamed from “iCloud Drive” to “Save to Files”
To export your settings, open the Keyy mobile app and then press the menu icon in the top left corner. In the list, select “Export key and settings”; this will then bring up the options for exporting the data. Please ensure you export this data to a safe location!
- In your account page, here. This is the easiest way.
- In your email order receipt – search your emails for “Keyy”
- In your PayPal receipt, if you paid by PayPal – not the PayPal transaction ID, but further down… look for the words “Invoice ID:(some numbers)”
Failing that, we can usually find your order number from other information – just indicate that you don’t know it when filling in the support form.
Importing settings will differ depending on the service to which you originally exported your settings.
To import settings using iCloud Drive, open the iCloud Drive app and then open the file called “Keyy-export.json”. At the bottom of the screen in the left corner, press the “share” button. This will open the share menu, which will include the option “Import with Keyy”. Select this to open the Keyy mobile app and the rest will happen automatically.
Note: In iOS 11 the app is no longer called “iCloud Drive”; it is now called “Files”. The new Files app will allow you to browse the contents of your phone or iCloud Drive.
They also changed the “Import with Keyy” option to “Copy to Keyy”.
Tap the menu icon on the top left of the screen. Next, select the “Import security keys” option. This will show you a file selector where you can choose the file you previously exported. The app will then process this file for you and import your settings.
With Keyy, your device – your phone or tablet – is the “key” to get you into your website. Technically, what this means is that there is a digital key stored on your device. We don’t have it (*).
This means that if you want to use your Keyy account from more than one device, then you need to copy the (secret) key between the devices. Read below for how to do that. Or, if you lose the device entirely, then you need to have your account reset. The instructions for that are further down the page.
Using your Keyy account with more than one device
It cannot be automatically retrieved from our servers, because our servers do not have it. To do this, in the Keyy app on your first device, you need to use the “Export” option from the menu. Then, you can use whatever method you like to get the file to the second device (e.g. Bluetooth it, email it). Then on the second device, in the Keyy app, you should use the “Import” option from the menu to import it.
So, that is one reason why you may see this message – because you are wanting to use your Keyy account from more than one device. Another reason is that you want to start again. You wish to wipe your account clean. Or possibly, you have been forced to start again, because you lost your device and had not created a backup of your key before you lost it. In this case, you need your new device to create a new key, because there was no other copy. And, you need to remove the existing (non-secret) key from your account and the websites that you had linked to.
How to do this depends on whether you still have your device or not. If you do, then you should delete all your sites (this will then tell them to forget about the connection). Then you should go to your Keyy account at https://getkeyy.com/my-account/keyy-manage/ and press the “Remove Public Key” button (see also the note below on what to do if you have lost access to our website). Then, thirdly, you should use the “Wipe” option from the Keyy app’s menu on your device.
If you do not have the device, and have to set up Keyy on a new one, then, after entering your email address and being told that you already have a key registered, you should go to your Keyy account at https://getkeyy.com/my-account/keyy-manage/ and press the “Remove Public Key” button (see also the note below on what to do if you have lost access to our website). From the same screen, press the button to “Remove all sites”. Then you should choose the option in your Keyy app to wipe your account. Your sites themselves will not be aware that they have been disconnected from Keyy, because our website cannot tell them that (as explained above, we do not have the secret key which enables authoritative instructions to be given). You will need to ask the website administrator
If you cannot log in to your Keyy account
If you cannot log in to your account on the Keyy website (because of losing your device), then you can apply to re-establish your identity and re-gain access to your account using this form.
Footnote on Keyy’s cryptography: More accurately, a “key pair” – one half of which is secret, and the other is not. Your device creates it, stores it, and keeps the secret half. We do not have it. (Don’t worry if you know nothing about cryptography; for those who do, here is the more technical explanation: you have an RSA key pair; the private key is stored on the device and is never transmitted from it.) The websites that you log in to with Keyy, and our servers, have the non-secret half.
After you have purchased and installed Keyy Premium you need to connect it to your account in order to get the latest updates, and ensure that the site is known by your app to be a licensed Premium install.
To do this, go to the “Plugins” page in your WordPress dashboard. If the plugin is not yet activated, then activate it. When activated you should see the following box somewhere at the top of your page:
Just enter the email you used to purchase Keyy Premium, enter the licence key (shown on your account page) and optionally check the checkbox to get automatic updates, then press the “connect” button.
Your account will then be connected and you will receive the latest updates to Keyy Premium.
Firstly, install the Keyy plugin to your WordPress website. On your WordPress dashboard, you will see a “Keyy Login” link in the sidebar menu: click this to navigate to the Keyy Settings Page, where you will find a Keyy scan code.
Then install the mobile app on your mobile phone, following the onscreen Sign Up instructions; don’t forget to validate your email address! You’ll notice that the camera is on. Simply point the camera at the Keyy scan code displayed on the WordPress dashboard and registration will take place automatically.
Migrating your website means your new site URL doesn’t match the one registered with Keyy. To fix this, open the Keyy mobile app.
If your camera is on, press the camera icon in the top left corner to turn it off. This will reveal the option “Edit a registered site”: select this option.
You will now be prompted to select the site URL you want to edit, and you’ll see an input field with your site URL. Simply change the URL from the old to the new, and press the “Select” button in the top right hand corner. Keyy will automatically update its record and you’ll be able to login once again.
You should see a list of cards, one for each site. Find the site which has your site’s old URL and tap on the pencil symbol on the card. Type in the new URL in the dialog and Keyy will handle the rest for you. You can also change the name of the site here if you wish.
If you lost your device or are changing devices, you will need to perform an import on the new device of your previously exported account settings to recover your connected sites and settings.
After performing an import, you will be able to carry on using Keyy like you did on your previous device.
If you had not previously backed up your account, then after installing Keyy on a new device and entering your email address, you will need to choose the option to reset your account, and possibly de-activate Keyy on affected websites in order to be able to log back in.
Yes, you can register as many users for the same website as you wish, within your site limit.
Keyy provides more security than a password as it removes the biggest weakness of a password: the user. Most users don’t follow the proper advice on creating strong passwords, which makes them vulnerable to brute forcing. What’s more, users often reuse the same password across multiple online accounts, meaning security breaches to a single account can result in far-reaching vulnerabilities. Also, passwords do not change for long periods of time, but a Keyy scan is unique each time. Keyy removes the need for passwords entirely, making it much more secure.
The Keyy app is protected by a fingerprint scan or passcode, which stops anyone from accessing the Keyy app on a stolen phone.
If this happens and you get locked out of your WordPress site there are a number of ways to get back in.
If there is another admin user on your website, then they can de-activate it in the ordinary way (i.e. from the WordPress dashboard’s “Plugins” page). If not, then read on!
The easiest way is to add this to your wp-config.php (e.g. edit it using FTP, or using the file manager in your web hosting control panel), after the opening line:
This line will disable all Keyy’s functionality, and you will then have your ‘normal’ WordPress login screen back. (So, if you also forgot your password, then use the regular password reset link).
Check the Spam folder in your email program to make sure the messages weren’t sent there by mistake. If they were, add getkeyy.com to your list of known senders.
If you are still having trouble, please contact Support for help, including your email address in the request.
We collect no personally identifiable information (PII) of any sort. The data we collect is limited to your Android/iOS version, log entries from the application, device name and manufacturer for testing and quality purposes.
Keyy has an extra layer of security, using a passcode / fingerprint to prevent imposters from logging in. As soon as you realise your phone is missing or stolen, you should immediately disconnect your old private key and set a new one up; this can be done by submitting a request here.
The login process, which Keyy handles, is protected. But afterwards, if your site is not SSL, WordPress’s own login cookie can be stolen by an attacker in a successful MITM attack, bypassing any security that Keyy provides. Using SSL (https) is highly recommended, as it has other benefits as well such as SEO.
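A check for the risk described above, and for the keyy_just_logged_in cookie listed at the top of this page, written as an added example (not part of Keyy or WordPress): it audits the Set-Cookie headers of a login response for authentication cookies that a network attacker could read. The WordPress cookie-name prefixes are the WordPress defaults; the sample headers, site URLs and token value are constructed.

```javascript
// Added example: audit Set-Cookie headers for the cookies discussed on this page.
// WordPress auth cookies (default names) plus the Keyy cookie named on this page.
const SENSITIVE = [/^wordpress_logged_in_/, /^wordpress_sec_/,
  /^wordpress_[0-9a-f]{32}$/, /^keyy_just_logged_in$/];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;                        // malformed: no cookie name
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds; Max-Age wins over Expires; null means a session cookie.
function lifetimeSeconds(cookie, now) {
  if (cookie.attrs['max-age'] !== undefined) return Number(cookie.attrs['max-age']);
  if (cookie.attrs.expires !== undefined) return (Date.parse(cookie.attrs.expires) - now) / 1000;
  return null;
}

function auditCookies(pageUrl, setCookieHeaders, now = Date.now()) {
  const findings = [];
  const https = new URL(pageUrl).protocol === 'https:';
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (!c || !SENSITIVE.some((re) => re.test(c.name))) continue;
    if (!https) findings.push(`${c.name}: set over plain HTTP, readable on the network`);
    if (!c.attrs.secure) findings.push(`${c.name}: missing Secure attribute`);
    if (c.name === 'keyy_just_logged_in') {
      const life = lifetimeSeconds(c, now);
      if (life === null || life > 60) {
        findings.push(`${c.name}: lifetime exceeds the documented 60 seconds`);
      }
    }
  }
  return findings;
}

// Constructed sample: headers a login response might carry (all values are made up).
const SAMPLE = [
  'wordpress_test_cookie=WP%20Cookie%20check; path=/',
  'wordpress_logged_in_0123456789abcdef0123456789abcdef=alice%7C1700000000%7Ctoken; path=/; HttpOnly',
  'keyy_just_logged_in=CONSTRUCTED-TOKEN; Max-Age=60; path=/; Secure',
];
console.log(auditCookies('http://blog.example.test/wp-login.php', SAMPLE));
```

On the constructed sample served over http, both the WordPress login cookie and the Keyy cookie are flagged; served over https, only the login cookie's missing Secure attribute remains.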
Yes, Keyy does work on rooted devices. However, it’s a lot less secure, as it’s possible to manually extract the KeyStore file that stores your private key.
No, Keyy requires WordPress to run in the backend for it to work. It cannot be used as a stand-alone product.
Software: We can consider refunds, at our discretion (i.e. no automatic right), based upon the particular circumstances of your case. In practice, we usually require that you have found a technical fault, and that we are given proper opportunity to verify sufficient information about any faults which you believe you have found (and that they are in Keyy, not something else), and to fix them within a reasonable time period. These must in all circumstances be requested within 10 days of purchase, which we believe is sufficient time to ascertain that a purchase works.
Legalese: There are no automatic refunds for digitally-deliverable/non-tangible goods. This is standard practice in these industries, because such goods cannot be returned (unlike physical goods). It is your responsibility to read the product descriptions, verify that it meets your needs (i.e. it provides a workable solution for you) and is suitable for your product environment (e.g. that your web hosting company does not fail to meet an essential requirement). Please do not treat a purchase as trial-ware – we don’t want to push increased costs onto our genuine customers. EU customers have the legal right to a refund of digital goods which they have not yet downloaded, if requested within 14 days, and such requests will also be honoured.
For separately-purchased support services (i.e. not those bundled with software), for which you purchase support for a specific issue, if your support need turns out to be caused by a Keyy defect, then we will refund you 100% of your purchase price for the support purchase.
No refunds are available for unused support purchases, or for any part of the price of a bundled software+support package (for refund purposes, those are treated as 100% software packages).
These restrictions do not affect your consumer rights. For example, if Keyy’s product description states that it has a feature which in fact it does not have, then you can invoke your consumer rights.
Finally, we reserve the right to, without notice or refund, terminate any ongoing services (including support agreements or update feeds) to customers who abuse our facilities or staff.