aaemnnosttv / wp-cli-login-command

Log in to WordPress with secure passwordless magic links.
https://aaemnnost.tv/wp-cli-commands/login/
MIT License
294 stars 47 forks

Is It Safe to Use in the Production Server? #5

Closed ahmadawais closed 7 years ago

ahmadawais commented 7 years ago

I like this package a lot. But the question is: is it safe in the production env?

aaemnnosttv commented 7 years ago

Thanks!

The idea was always that it would be safe to use in production. I believe it is actually more secure than regular username & password authentication. I wrote about it on my website here.

TL;DR It's roughly the same as having a 30-40 character random password that will only work once, within 15 minutes of creation. You also need CLI access to generate it, which should only be accessible with SSH key authentication (which may also require a password of its own to use), and if you have that level of access, you already have complete access to the website and database. The login handler part is enabled as a normal plugin, so you can always disable that when you're not using it to be extra safe about it, but I don't think it's really necessary.

So yeah; I think it's pretty secure :)

Of course, since it is open source, you're welcome to evaluate that for yourself and let me know if you find something you find to be less than good enough for production :)
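The three properties the maintainer lists above (a random token of roughly 30-40 characters, single use, and a 15-minute expiry) are what make a magic link comparable to a strong one-time password. The following is an added, language-agnostic illustration of that scheme in Python; it is not the plugin's own code and does not reproduce how wp-cli-login-command stores or routes its links. The in-memory `TokenStore`, the function names, and the fixed clock values used below are constructed for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed stand-in for wherever a real plugin would persist tokens.
# Maps sha256(token) -> (username, expiry as a Unix timestamp).
TokenStore = Dict[str, Tuple[str, float]]

TOKEN_TTL_SECONDS = 15 * 60  # the 15-minute window described in the thread


def _digest(token: str) -> str:
    """Persist only a hash of the token: a leaked store then holds nothing usable."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_magic_token(store: TokenStore, username: str,
                       now: Optional[float] = None) -> str:
    """Mint a fresh single-use token for `username` and record its expiry."""
    now = time.time() if now is None else now
    # 24 bytes from the OS CSPRNG -> 32 URL-safe characters (192 bits of entropy),
    # inside the 30-40 character range the maintainer mentions.
    token = secrets.token_urlsafe(24)
    store[_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def redeem_magic_token(store: TokenStore, token: str,
                       now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is valid, consuming it either way.

    Any presented token is removed on first sight, so a replayed link fails
    even if the first attempt happened to arrive after expiry.
    """
    now = time.time() if now is None else now
    # Hashing before lookup means the dict lookup timing reveals nothing an
    # attacker can use: they would need the preimage to steer the digest.
    entry = store.pop(_digest(token), None)
    if entry is None:
        return None          # unknown, already used, or never issued
    username, expires_at = entry
    if now > expires_at:
        return None          # issued but stale: past the TTL
    return username


if __name__ == "__main__":
    store: TokenStore = {}
    t0 = time.time()
    link_token = create_magic_token(store, "alice", now=t0)
    print("token:", link_token, "len:", len(link_token))
    print("first use:", redeem_magic_token(store, link_token, now=t0 + 60))
    print("second use:", redeem_magic_token(store, link_token, now=t0 + 61))
```

The part a reviewer would check in any real implementation is the `pop` before the expiry comparison: if the token were only deleted on a successful login, an expired-but-still-stored token would keep a record around for no benefit, and a bug in the expiry check could turn it into a reusable credential.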

ahmadawais commented 7 years ago

@aaemnnosttv That's great. Thanks for your complete answer.

Love the package 👍