No cookies are set for normal users. However, one is set for 60 seconds if/when you successfully log in with Keyy, to enable a (not yet existing) SSO feature. Details of the cookie:
Cookie name: keyy_just_logged_in.
Cookie contents: the Keyy cryptographic token that was used to login.
Cookie expiry: after 60 seconds.
Cookie sent to any third parties: No.
If I administrate a site and want to allow users to login with Keyy, but do not allow them to use the WP dashboard, what can I do?
- For existing users, you can email them an invitation; see this FAQ: “I am a site owner – how can I mass-enroll all my users into Keyy?”
- And/or, you can give it to them on the front-end by using the shortcode keyy_connect (put it in square brackets as per normal for WP shortcodes). Then, logged-in users will be shown a QR code to scan to connect their WP account to Keyy. You can, of course, adorn it with whatever text and description you want to add (the shortcode itself will only show the QR code, giving you maximum flexibility).
- The manual way: tell them to log in and start using it!
- Or, the automated way: with Keyy Premium, go to the Keyy administration page in your WordPress dashboard, and to the “Users who are not yet connected to Keyy” section. Then choose your options, and press the “Send Emails” button. This will send the users an email telling them about Keyy, and with a code to scan.
If you have Keyy Premium, then you can also use the “Site-wide login policies” section to enforce the use of Keyy (i.e. forbid particular users from turning it off), or other policies.
Yes. The app has a button for logging in directly to any of your connected sites on the same device.
The idea behind Keyy is simple. Instead of using a password, you log in to a website by proving your identity with your phone (or tablet). With your device, you scan a code on the screen. Behind the scenes, the phone then sends a secure cryptographic request to the website to log you in.
What this means in practice is that to use Keyy, you just need to do these things:
- Install the Keyy plugin on your WordPress website. To do this, go to your WordPress admin dashboard, and to the “Plugins” page, and the “Add New” link. There, you should either type in “Keyy” and press the button to search for it (if you are using the free version of Keyy), or use the “Upload” facility to upload the Premium version of Keyy, if you have bought it.
After doing this, go to the “Keyy” page in your WordPress admin dashboard. It is one of the items on your WordPress admin menu on the left, after you have installed and activated the plugin.
- Install the Keyy app on your phone. To do this, search for “Keyy” in the app store on your phone, or press on one of the buttons on the Keyy page in your website.
Apps are available for Android phones and tablets (Google Play Store) and Apple (i.e. iOS) phones and tablets (App Store).
The app will then set up an account for you.
- Scan the Keyy code with your Keyy app. In the Keyy app, scan the code shown on the “Keyy” page in your WordPress website. This will then connect your app to the website.
Then, when you next need to log in, you do exactly the same thing: you scan the code shown on the login page of your WordPress website.
That’s all! If you get stuck anywhere, please look at our other FAQs.
I wish you to delete all personal data which you hold upon me (GDPR “right to be forgotten” / “right to erasure”)
EU individual citizens have a right to erasure of their personal data, under the GDPR law. At Keyy, we are happy to extend this right to all users, world-wide, as we believe it is based upon good principles. You can read more about this legal right here, at the website of the UK Information Commissioner’s Office (the UK body which oversees data protection, including GDPR issues).
Data that we process
Firstly, you may want to familiarise yourself with how Keyy processes data, which you can read about here. If you have not got a getkeyy.com account then, as you can read there, we have no data that concerns you. You do not have a getkeyy.com account unless you created one (either manually, or by purchasing something). Please help us to invest as many resources as we can in improving our products by not asking us to delete data if we do not have any! To be clear: if you have no login at http://getkeyy.com/my-account/, then we do not have, and cannot process, any of your data, and thus have nothing to delete.
Data that we do not hold
Secondly – note that if you are using the free version of Keyy from https://wordpress.org/plugins/keyy/, or any other wordpress.org plugin, then any data relating to updates of that version (i.e. updates requests sent to wordpress.org, and the information which they store relating to such requests/updates), or support of that version in their forum, is held by wordpress.org – i.e. the WordPress Foundation. We have no more access to it than you do. If you wish it to be deleted, then you will need to contact the WordPress Foundation.
Limitations upon rights to delete data
There are other laws, besides the GDPR, which touch upon the deletion of data. In particular, there is some data which we are legally required to maintain for a time. For example, VAT (sales tax) laws require us to keep purchase data for audit purposes for a minimum of 10 years after purchase. UK data retention laws require us to keep webserver access logs for 6 months – after which they are automatically deleted. The GDPR also allows anonymization, instead of deletion of data, in some circumstances. Anonymization means that there is no way to trace the data back to you. Specific information follows.
What data we will delete or anonymize/scramble
- All your support form entries will be deleted from our website’s database. (This also happens automatically after 6 months).
- All your support ticket entries in our account with our support helpdesk software supplier will be deleted.
- All your posts in our website support forum will be immediately deleted.
- If you are a customer, then your getkeyy.com account will be locked to prevent future logins. If you are not a customer, then it will be deleted. (See further below for the reason for the distinction).
- Any/all data in our licensing database tables concerning licences owned and sites connected will be deleted.
- Any/all data pertaining to you in our MailChimp account will be deleted.
Things that are not deleted, or which are deleted later, with reasons
- Webserver access logs are deleted automatically after 6 months, but not before, for compliance with UK data retention laws, and for auditing and security purposes.
- We do not delete information out of our website backups, because this is technically too difficult to accomplish. However, they are stored encrypted after a number of months (depending on our current policy). We also keep a log of deletion requests so as to be able to a) demonstrate compliance and b) re-run any deletion requests in the event of needing to restore a backup.
- Sales records and data held by payment vendors (PayPal, Stripe) are retained for a minimum of 10 years, to comply with taxation/auditing laws, and our own accountancy and auditing requirements.
To request deletion of your personal data, please use this form. If you are not a paying customer, then you can leave the relevant fields empty, and explain in the message input area. If you are an EU citizen, then we are granted one month to respond to the request (usually, one month to carry it out). We will take steps to verify your identity, to prevent fraud/abuse (“social engineering” attacks).
This page is intended to explain what data is accessed or processed during usage (both installation and ongoing usage) of the Keyy plugin, both free and Premium versions. In the general case this is “nothing – or, if using an explicit online service, then the minimum required to deliver that service” – but you can and should read the full details below. If you explicitly take other actions whose obvious nature is to sign up for something – e.g. sign up for a newsletter, or follow us on Twitter – then these may involve some data sharing. In such cases, the information will be available in the place where that action is taken. This page is intended to describe plugin usage only.
General note on logging of server requests
In the case of any HTTP requests sent to our servers (including not just explicit visits in your web browser, but API calls made by any software involved), under UK law these requests are logged and stored for 6 months. They are then automatically rotated. We do not process these logs for other purposes except as part of normal server operation (e.g. summarising statistics, or searching for information on particular server events, e.g. investigating unusual load or access patterns). They are never processed for any marketing purposes. Note that this information is assumed in all sections below where it applies and is not repeated.
Connecting for updates in paid versions
If you connect Keyy for receiving updates in your WordPress dashboard, then the information on which site has been connected to receive updates is stored in our database. It is used only via automated code to then send back information on update availability upon request from your site, and for other directly related tasks (e.g. providing information on upcoming licence expiry events). When an update request is sent, it includes your WordPress, PHP and UpdraftPlus version numbers, current language in WordPress, whether your install is a multisite install or not, and the PHP memory limit. Our plugin updates server is capable of using this information to decide what is an appropriate update for you. We reserve the right to summarise this data (i.e. anonymise and aggregate it) for the purpose of producing aggregated statistics on our user base, which we may use to guide our development.
Keyy may fetch a news feed from our blog and display headlines within the WP admin dashboard. This news feed is fetched from Feedburner, a service operated by Google. As a consequence, we do not receive (and therefore do not process) any data when this is done.
If a cart is abandoned after the contact has entered their email address but not completed the payment, we may contact them via email during a short period afterwards to remind them to complete the checkout, unless they opt-out. This is under the GDPR provision for marketing for legitimate interests, based on the expression of interest in purchasing.
Keyy does not fall under the requirements of article 37 of the GDPR, and as such, is not mandated to designate a single individual as the legally named data protection officer. (The GDPR does not intend this to imply, and this in no way implies, a lessening in our data protection responsibilities). If you have any data protection issues that you want to address with us, then please feel free to do so using any of our available support/contact channels.
We strongly recommend backing up your account immediately after you first set up. In Keyy’s security model, the “secret key” which logs into websites is only found on your device (i.e. your phone or tablet). We do not have a copy. As such, if you lose your device, then you lose access. Whilst the WordPress site owner can disable Keyy on the site to let you back in, it is much more convenient if you keep a backup in a secure location.
To do this, use the “Export” function from the menu in the Keyy app on your device. Export and keep your settings in a secure location. You can use this file again with the “Import” function if ever you need to set up Keyy again on another device.
There are a few different ways to do this.
1. Use the secret “login without Keyy” URL
If you are a site administrator, then when you connect to Keyy from your WordPress dashboard, you will be shown a URL for a login page on which Keyy is disabled. You should note this and keep it in a secure place for later use. If you use it, then it will provide a normal WordPress login form. On there, you can use your username/password in the ordinary way.
After it is used, the site administrator will be notified (by email), and a new URL will be created, i.e. each link can only be used once.
2. Or, log in using an alternative administrative account
If you have some other way of logging into a website that uses Keyy, or know somebody else with their own admin access to WordPress, then you can disable the Keyy plugin in the WordPress dashboard’s “plugins” page. But of course, since Keyy is a login plugin, it’s usually the case that you cannot do this.
3. Or, de-activate the Keyy plugin
If you manage your website with a remote control product, then you may be able to use that remote control product to de-activate the Keyy plugin remotely.
Otherwise, the easiest way is to add the following line to your wp-config.php (e.g. edit it using FTP, or using the file manager in your web hosting control panel), after the opening line:
This line will disable all Keyy’s functionality, and you will then have your ‘normal’ WordPress login screen back. (So, if you also forgot your password, then use the regular password reset link).
On the Login page, you will see a Keyy scan code above the login input fields. Open the Keyy app on your mobile phone, and use the camera screen to scan this code, holding it there for a second or two. You’ll then be logged in automatically.
How do I log into my site on my mobile device?
If you have Keyy set up and want to log into your WordPress website on your mobile device, you may have noticed you can’t scan the Keyy scan code.
Logging in on your mobile device without having to scan the Keyy scan code is easy: just open the Keyy mobile app.
If your camera is on, press the camera icon in the top left corner to turn it off. This will reveal the option “Login on this device’s browser”: select this option.
You will now be prompted to select the site and user you want to log in as. After doing so, a browser will automatically open on your mobile device and log you in!
You should see a list of cards, one for each site. Find the site you want to log in to and tap the “Same Device Login” button, and you will be logged in through a new browser window that opens up. Please do not close or click away from the page; it may take a few seconds to log in, depending on the network.
Exporting settings is easy, and is recommended as an important security precaution to take after you sign up to Keyy.
To export your settings, open the Keyy mobile app then press the “gear” icon in the top right to open the Keyy settings. Here you will see the option “Export key and settings”: press this option, and then select the option for exporting the data to the apps you have installed on your phone.
It is very important that you choose a service that is secure and you trust. To export the Keyy settings using the iCloud drive, simply select the option “Add To iCloud Drive”.
Note: in iOS 11 this has now been renamed from “iCloud Drive” to “Save to Files”.
To export your settings, open the Keyy mobile app and then press the menu icon in the top left corner. In the list, select “Export key and settings”; this will then bring up the options for exporting the data. Please ensure you export this data to a safe location!
- In your account page, here. This is the easiest way.
- In your email order receipt – search your emails for “Keyy”
- In your PayPal receipt, if you paid by PayPal – not the PayPal transaction ID, but further down… look for the words “Invoice ID:(some numbers)”
Failing that, we can usually find your order number from other information – just indicate that you don’t know it when filling in the support form.
Importing settings will differ depending on the service to which you originally exported your settings.
To import settings using iCloud Drive, open the iCloud Drive app and then open the file called “Keyy-export.json”. At the bottom of the screen in the left corner, press the “share” button. This will open the share menu, which will include the option “Import with Keyy”. Select this to open the Keyy mobile app and the rest will happen automatically.
Note: In iOS 11 the app is no longer called “iCloud Drive”; it is now called “Files”. The new Files app will allow you to browse the contents of your phone or iCloud Drive.
They also changed the “Import with Keyy” option to “Copy to Keyy”.
Tap the menu icon on the top left of the screen. Next, select the “Import security keys” option. This will show you a file selector where you can choose the file you previously exported. The app will then process this file for you and import your settings.
With Keyy, your device – your phone or tablet – is the “key” to get you into your website. Technically, what this means is that there is a digital key stored on your device. We don’t have it (*).
This means that if you want to use your Keyy account from more than one device, then you need to copy the (secret) key between the devices. Read below for how to do that. Or, if you lose the device entirely, then you need to have your account reset. The instructions for that are further down the page.
Using your Keyy account with more than one device
It cannot be automatically retrieved from our servers, because our servers do not have it. To do this, in the Keyy app on your first device, you need to use the “Export” option from the menu. Then, you can use whatever method you like to get the file to the second device (e.g. Bluetooth it, email it). Then on the second device, in the Keyy app, you should use the “Import” option from the menu to import it.
So, that is one reason why you may see this message – because you are wanting to use your Keyy account from more than one device. Another reason is that you want to start again. You wish to wipe your account clean. Or possibly, you have been forced to start again, because you lost your device and had not created a backup of your key before you lost it. In this case, you need your new device to create a new key, because there was no other copy. And, you need to remove the existing (non-secret) key from your account and the websites that you had linked to.
How to do this depends on whether you still have your device or not. If you do, then you should delete all your sites (this will then tell them to forget about the connection). Then you should go to your Keyy account at https://getkeyy.com/my-account/keyy-manage/ and press the “Remove Public Key” button (see also the note below on what to do if you have lost access to our website). Then, thirdly, you should use the “Wipe” option from the Keyy app’s menu on your device.
If you do not have the device, and have to set up Keyy on a new one, then, after entering your email address and being told that you already have a key registered, you should go to your Keyy account at https://getkeyy.com/my-account/keyy-manage/ and press the “Remove Public Key” button (see also the note below on what to do if you have lost access to our website). From the same screen, press the button to “Remove all sites”. Then you should choose the option in your Keyy app to wipe your account. Your sites themselves will not be aware that they have been disconnected from Keyy, because our website cannot tell them that (as explained above, we do not have the secret key which enables authoritative instructions to be given). You will need to ask the website administrator
If you cannot log in to your Keyy account
If you cannot log in to your account on the Keyy website (because of losing your device), then you can apply to re-establish your identity and re-gain access to your account using this form.
Footnote on Keyy’s cryptography: More accurately, a “key pair” – one half of which is secret, and the other is not. Your device creates it, and stores it, and keeps the secret half. We do not have it. (Don’t worry if you know nothing about cryptography – but for those who do, here is the more technical explanation: you have an RSA key pair; the private key is stored on the device and is never transmitted from it.) The websites that you log in to with Keyy, and our servers, have the non-secret half.
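The key-pair login described in this footnote, sketched as an added example in Go (not Keyy's code or its actual protocol, which this page does not document): the site stores only the public key, issues a one-time challenge standing in for the scan code, and accepts a signature over it exactly once. The names `Site`, `SignChallenge` and `NewDeviceKey`, the RSA-PSS/SHA-256 choice and the origin string are assumptions made for the illustration.

```go
// Added illustration of challenge-response login with an RSA key pair.
// Not Keyy's protocol or code: every name below is hypothetical.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

var ErrChallenge = errors.New("challenge unknown, expired or already used")
var ErrUser = errors.New("no public key enrolled for this user")

// NewDeviceKey creates the key pair on the device; the private half stays there.
func NewDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// digest length-prefixes each field so distinct inputs cannot hash alike.
func digest(origin, user, challenge string) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s|%d:%s|%d:%s", len(origin), origin, len(user), user, len(challenge), challenge)
	return h.Sum(nil)
}

// SignChallenge is the device side: sign the scanned challenge for one site and user.
func SignChallenge(key *rsa.PrivateKey, origin, user, challenge string) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest(origin, user, challenge), nil)
}

// Site is the website side: public keys and outstanding challenges only.
// Kept single-goroutine for brevity; a real server would guard the maps.
type Site struct {
	ttl     time.Duration
	keys    map[string]*rsa.PublicKey
	pending map[string]time.Time
}

func NewSite(ttl time.Duration) *Site {
	return &Site{ttl: ttl, keys: map[string]*rsa.PublicKey{}, pending: map[string]time.Time{}}
}

// Enroll stores the non-secret half of a user's key pair.
func (s *Site) Enroll(user string, pub *rsa.PublicKey) { s.keys[user] = pub }

// NewChallenge returns the random one-time value a scan code would carry.
func (s *Site) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := fmt.Sprintf("%x", b)
	s.pending[c] = time.Now().Add(s.ttl)
	return c, nil
}

// Verify consumes the challenge before checking, so a captured response cannot be replayed.
func (s *Site) Verify(origin, user, challenge string, sig []byte) error {
	expiry, ok := s.pending[challenge]
	delete(s.pending, challenge)
	if !ok || time.Now().After(expiry) {
		return ErrChallenge
	}
	pub := s.keys[user]
	if pub == nil {
		return ErrUser
	}
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(origin, user, challenge), sig, nil)
}

func main() {
	site := NewSite(time.Minute)
	key, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	site.Enroll("alice", &key.PublicKey)
	c, _ := site.NewChallenge()
	sig, _ := SignChallenge(key, "https://site.example", "alice", c)
	fmt.Println("first use:", site.Verify("https://site.example", "alice", c, sig))
	fmt.Println("replay:   ", site.Verify("https://site.example", "alice", c, sig))
}
```

Because the signed digest includes the origin, a response produced for one site does not verify on another site that holds the same public key.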
After you have purchased and installed Keyy Premium you need to connect it to your account in order to get the latest updates, and ensure that the site is known by your app to be a licensed Premium install.
To do this, go to the “Plugins” page in your WordPress dashboard. If the plugin is not yet activated, then activate it. When activated you should see the following box somewhere at the top of your page:
Just enter the email you used to purchase Keyy Premium, enter the licence key (shown on your account page) and optionally check the checkbox to get automatic updates, then press the “connect” button.
Your account will then be connected and you will receive the latest updates to Keyy Premium.
Firstly, install the Keyy plugin to your WordPress website. On your WordPress dashboard, you will see a “Keyy Login” link in the sidebar menu: click this to navigate to the Keyy Settings Page, where you will find a Keyy scan code.
Then install the mobile app on your mobile phone, following the onscreen Sign Up instructions – don’t forget to validate your email address! You’ll notice that the camera is on. Simply point the camera at the Keyy scan code displayed on the WordPress dashboard and registration will take place automatically.
Migrating your website means your new site URL doesn’t match the one registered with Keyy. To fix this, open the Keyy mobile app.
If your camera is on, press the camera icon in the top left corner to turn it off. This will reveal the option “Edit a registered site”: select this option.
You will now be prompted to select the site URL you want to edit, and you’ll see an input field with your site URL. Simply change the URL from the old to the new, and press the “Select” button in the top right hand corner. Keyy will automatically update its record and you’ll be able to login once again.
You should see a list of cards, one for each site. Find the site which has your site’s old URL and tap on the pencil symbol on the card. Type in the new URL in the dialog and Keyy will handle the rest for you. You can also change the name of the site here if you wish.
If you lost your device or are changing devices, you will need to perform an import on the new device of your previously exported account settings to recover your connected sites and settings.
After performing an import, you will be able to carry on using Keyy like you did on your previous device.
If you had not previously backed up your account, then after installing Keyy on a new device and entering your email address, you will need to choose the option to reset your account, and possibly de-activate Keyy on affected websites in order to be able to log back in.
Yes, you can register as many users for the same website as you wish, within your site limit.
Keyy provides more security than a password as it removes the biggest weakness of a password: the user. Most users don’t follow the proper advice on creating strong passwords, which makes them vulnerable to brute forcing. What’s more, users often reuse the same password across multiple online accounts, meaning security breaches to a single account can result in far-reaching vulnerabilities. Also passwords do not change for long periods of time, but a Keyy scan is unique each time. Keyy removes the need for passwords entirely, making it much more secure.
The Keyy app is protected by a fingerprint scan or passcode, which stops anyone from accessing the Keyy app on a stolen phone.
If this happens and you get locked out of your WordPress site there are a number of ways to get back in.
If there is another admin user on your website, then they can de-activate it in the ordinary way (i.e. from the WordPress dashboard’s “Plugins” page). If not, then read on!
The easiest way is to add this to your wp-config.php (e.g. edit it using FTP, or using the file manager in your web hosting control panel), after the opening line:
This line will disable all Keyy’s functionality, and you will then have your ‘normal’ WordPress login screen back. (So, if you also forgot your password, then use the regular password reset link).
Check the Spam folder in your email program to make sure the messages weren’t sent there by mistake – if they were, add getkeyy.com to your list of known senders.
If you are still having trouble, please contact Support for help, including your email address in the request.
We collect no personally identifiable information (PII) of any sort. The data we collect is limited to your Android/iOS version, log entries from the application, device name and Manufacturer for testing and quality purposes.
Keyy has an extra layer of security, using a passcode / fingerprint to prevent imposters from logging in. As soon as you realise your phone is missing or stolen, you should immediately disconnect your old private key and set a new one up; this can be done by submitting a request here.
The login process, which Keyy handles, is protected. But afterwards, if your site is not SSL, WordPress’s own login cookie can be stolen by an attacker in a successful MITM attack, bypassing any security that Keyy provides. Using SSL (https) is highly recommended, as it has other benefits as well such as SEO.
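A check an administrator can run against the `Set-Cookie` headers of a login response, as an added example in Go (not Keyy or WordPress code): it flags WordPress auth cookies and the `keyy_just_logged_in` cookie described earlier when they lack the `Secure` flag, and flags the Keyy cookie when it outlives the stated 60 seconds. The header values are constructed samples, and the `HttpOnly` check is general cookie hardening rather than something this page states about Keyy.

```go
// Added illustration (not Keyy or WordPress code): audit the Set-Cookie
// headers of a login response. Header values fed to it here are constructed.
package main

import (
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Cookie name and 60-second lifetime as stated on this page.
const keyyCookie = "keyy_just_logged_in"
const keyyMaxLifetime = 60 * time.Second

// Finding describes one weakness in one cookie.
type Finding struct{ Cookie, Problem string }

// sensitive reports whether a cookie carries login state: the Keyy token
// cookie or one of WordPress's own auth cookies (prefixed "wordpress_").
func sensitive(name string) bool {
	return name == keyyCookie ||
		(strings.HasPrefix(name, "wordpress_") && name != "wordpress_test_cookie")
}

// lifetime returns how long the browser keeps the cookie; ok is false for a
// session cookie that has neither Max-Age nor Expires.
func lifetime(c *http.Cookie, now time.Time) (d time.Duration, ok bool) {
	switch {
	case c.MaxAge != 0: // Max-Age takes precedence; negative means "delete now"
		return time.Duration(c.MaxAge) * time.Second, true
	case !c.Expires.IsZero():
		return c.Expires.Sub(now), true
	}
	return 0, false
}

// AuditLoginCookies checks every sensitive cookie in the given Set-Cookie values.
func AuditLoginCookies(setCookie []string, now time.Time) []Finding {
	resp := http.Response{Header: http.Header{"Set-Cookie": setCookie}}
	var out []Finding
	for _, c := range resp.Cookies() {
		if !sensitive(c.Name) {
			continue
		}
		if !c.Secure {
			out = append(out, Finding{c.Name, "no Secure flag: also sent over plain HTTP"})
		}
		if !c.HttpOnly {
			out = append(out, Finding{c.Name, "no HttpOnly flag: readable by page scripts"})
		}
		if c.Name == keyyCookie {
			if d, ok := lifetime(c, now); !ok || d > keyyMaxLifetime {
				out = append(out, Finding{c.Name, "no expiry or lifetime over 60 seconds"})
			}
		}
	}
	return out
}

func main() {
	headers := []string{ // constructed sample values
		"wordpress_logged_in_0123abcd=alice%7C1893456000%7Ctoken; path=/; HttpOnly",
		"keyy_just_logged_in=SAMPLETOKEN; Max-Age=60; path=/; Secure; HttpOnly",
	}
	for _, f := range AuditLoginCookies(headers, time.Now()) {
		fmt.Printf("%s: %s\n", f.Cookie, f.Problem)
	}
}
```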
Yes, Keyy does work on rooted devices. However, it’s a lot less secure, as it’s possible to manually extract the KeyStore file that stores your private key.
No, Keyy requires WordPress to run in the backend for it to work. It cannot be used as a stand-alone product.
Software: We can consider refunds, at our discretion (i.e. no automatic right), based upon the particular circumstances of your case. In practice, we usually require that you have found a technical fault, and that we are given proper opportunity to verify sufficient information about any faults which you believe you have found (and that they are in Keyy, not something else), and to fix them within a reasonable time period. These must in all circumstances be requested within 10 days of purchase, which we believe is sufficient time to ascertain that a purchase works.
Legalese: There are no automatic refunds for digitally-deliverable/non-tangible goods. This is standard practice in these industries, because such goods cannot be returned (unlike physical goods). It is your responsibility to read the product descriptions, verify that it meets your needs (i.e. it provides a workable solution for you) and is suitable for your product environment (e.g. that your web hosting company does not fail to meet an essential requirement). Please do not treat a purchase as trial-ware – we don’t want to push increased costs onto our genuine customers. EU customers have the legal right to a refund of digital goods which they have not yet downloaded, if requested within 14 days, and such requests will also be honoured.
For separately-purchased support services (i.e. not those bundled with software), for which you purchase support for a specific issue, if your support need turns out to be caused by a Keyy defect, then we will refund you 100% of your purchase price for the support purchase.
No refunds are available for unused support purchases, or for any part of the price of a bundled software+support package (for refund purposes, those are treated as 100% software packages).
These restrictions do not affect your consumer rights. For example, if Keyy’s product description states that it has a feature which in fact it does not have, then you can invoke your consumer rights.
Finally, we reserve the right to, without notice or refund, terminate any ongoing services (including support agreements or update feeds) to customers who abuse our facilities or staff.