2FA
Passwords get stolen, leaked, and guessed. Two-factor authentication adds a second verification step, so a stolen password alone is not enough to log in. This module implements 2FA with multiple methods so users can choose what works best for them.
Use Cases
- Protect admin accounts from password-based attacks
- Meet compliance requirements for multi-factor authentication
- Allow users to choose between authenticator apps or email codes
- Provide backup codes for emergency access
How It Works
- Users enable 2FA from their profile page
- They choose a primary method: TOTP app or email codes
- During login, after entering their password, they’re prompted for a verification code
- The module validates the code before completing login
- Backup codes provide emergency access if the primary method is unavailable
Authentication Methods
TOTP (Time-Based One-Time Password)
Works with authenticator apps like:
- Google Authenticator
- Authy
- 1Password
- Microsoft Authenticator
Users scan a QR code to set up, then enter 6-digit codes that refresh every 30 seconds.
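The code derivation behind that description is RFC 6238 TOTP: the shared secret from the QR code, the current 30-second time step as a counter, HMAC-SHA1 and a 6-digit truncation. The following is an added example written for this page, not the module's own PHP code; it shows the generation side, a verifier that tolerates one step of clock drift, and the replay check (reject a counter at or below the last accepted one) that a server should keep alongside it. The `window`, `last_used_counter` and `provisioning_uri` names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

TIME_STEP = 30  # seconds per code (the page's "refresh every 30 seconds")
DIGITS = 6      # the page's 6-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, submitted: str, now: int, last_used_counter: int = -1,
                window: int = 1, step: int = TIME_STEP):
    """Return the time-step counter the submitted code matched, or None.

    `window` accepts the neighbouring steps to tolerate clock drift on the phone.
    `last_used_counter` is the counter of the last code this user logged in with;
    rejecting anything at or below it stops a captured code being replayed
    within its lifetime (assumed server-side bookkeeping, not from the page).
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            # matched, but only accept if it is newer than the last accepted step
            return candidate if candidate > last_used_counter else None
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret as it appears in the otpauth:// URI behind the QR code."""
    cleaned = encoded.replace(" ", "").replace("-", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore the padding apps usually strip
    return base64.b32decode(cleaned)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// URI (Key URI format) that a setup QR code encodes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={TIME_STEP}")
```

The RFC 6238 test secret `12345678901234567890` gives `287082` at 59 seconds after the epoch and `081804` at 1111111109; a verifier with `window=1` accepts a code from the previous step, and the same code is refused once `last_used_counter` records it. Because the secret itself is what the verifier needs, it has to be stored in clear or reversibly encrypted (the page's AES-256-GCM column), never hashed like a password.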
Email Codes
For users who don’t want to install an app:
- 6-digit code sent to their registered email
- Valid for a limited time
- Simple and familiar
Backup Recovery Codes
Every user gets 10 single-use recovery codes during setup:
- Use when locked out of primary method
- Each code works only once
- Can regenerate codes from profile
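To make the three properties above concrete (ten codes, each usable once, regeneration invalidates the old set), here is an added example of a backup-code store, written for this page rather than taken from the module. It persists only keyed SHA-256 hashes of the codes, so a leaked database table does not hand out working recovery codes; the `BackupCodeStore` class, its per-user salt and the `xxxxx-xxxxx` display format are this example's own choices.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10          # the page: ten codes per user
CODE_BYTES = 5           # 40 random bits per code, shown as two groups of five hex digits


def _normalise(code: str) -> str:
    # accept the code however the user typed it (case, dashes, spaces)
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(salt: bytes, code: str) -> bytes:
    # The codes are random and high-entropy, so a salted (keyed) SHA-256 is enough;
    # only this hash is stored, never the code itself.
    return hmac.new(salt, _normalise(code).encode(), hashlib.sha256).digest()


class BackupCodeStore:
    def __init__(self):
        self._users = {}  # user -> {"salt": bytes, "hashes": list[bytes]} (in-memory stand-in for the DB)

    def generate(self, user: str, count: int = CODE_COUNT) -> list:
        """Create a fresh set for the user; any previous set is invalidated."""
        salt = secrets.token_bytes(16)
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(CODE_BYTES)
            codes.append(f"{raw[:5]}-{raw[5:]}")
        self._users[user] = {"salt": salt, "hashes": [_hash_code(salt, c) for c in codes]}
        return codes   # shown to the user once at setup, as the page describes

    def remaining(self, user: str) -> int:
        return len(self._users.get(user, {"hashes": []})["hashes"])

    def redeem(self, user: str, submitted: str) -> bool:
        """Consume a code: returns True exactly once for each valid code."""
        record = self._users.get(user)
        if record is None:
            return False
        candidate = _hash_code(record["salt"], submitted)
        for i, stored in enumerate(record["hashes"]):
            if hmac.compare_digest(stored, candidate):
                del record["hashes"][i]      # single use: remove the hash on success
                return True
        return False
```

Redeeming deletes the matching hash, so a second submission of the same code fails, and `generate` replaces the whole record, which is what "regenerate codes from profile" has to mean for the old codes to stop working. Submissions against backup codes should sit behind the same rate limiting as the other verification codes.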
Setting Up 2FA
Users configure 2FA from their WordPress profile:
- Go to Users → Profile (or click your name in admin bar)
- Scroll to Two-Factor Options
- Choose primary method (TOTP or Email)
- Complete setup (scan QR code or verify email)
- Save backup codes in a secure location
Trusted Devices
To reduce friction for regular logins:
- Users can mark devices as trusted for 30 days
- Trusted devices skip 2FA verification
- Logging in from a new device always requires 2FA
- Users can revoke trusted devices from their profile
Administrator Controls
Administrators can:
- Require 2FA for specific user roles
- Reset 2FA for locked-out users from the Users screen
- View which users have 2FA enabled
- Force users to set up 2FA on next login
Security Features
| Feature | Description |
|---|---|
| Rate Limiting | Blocks brute force attempts against verification codes |
| Encrypted Storage | TOTP secrets stored with AES-256-GCM encryption |
| Session Binding | Codes tied to specific login session |
| Audit Logging | 2FA events logged when Activity Log is enabled |
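The email-code method described earlier (a 6-digit code valid for a limited time) together with the Rate Limiting and Session Binding rows above come down to one small state machine on the server. The following is an added example written for this page, not the module's code: a challenge is issued to a specific login session, expires, allows only a few wrong submissions, and is consumed on success. The ten-minute lifetime, the five-attempt budget, the `EmailCodeVerifier` class and its `send_email` callback are this example's assumptions; the page only says codes are valid for a limited time and that brute force is blocked.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL = 10 * 60     # assumed lifetime in seconds; the page only says "a limited time"
MAX_ATTEMPTS = 5       # assumed failed-submission budget per challenge


@dataclass
class Challenge:
    user: str
    code_hash: bytes
    expires_at: int
    attempts: int = 0


def _bind(session_id: str, code: str) -> bytes:
    # Keying the hash with the session id is the "session binding": the stored
    # hash only verifies against the login session the code was issued to.
    return hmac.new(session_id.encode(), code.encode(), hashlib.sha256).digest()


class EmailCodeVerifier:
    def __init__(self, send_email):
        self._send = send_email          # callable(user, code); the real module would email it
        self._challenges = {}            # session_id -> Challenge (in-memory stand-in for the DB)

    def issue(self, user: str, session_id: str, now: int) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # 6 digits, leading zeros kept
        self._challenges[session_id] = Challenge(user, _bind(session_id, code), now + CODE_TTL)
        self._send(user, code)

    def verify(self, session_id: str, submitted: str, now: int) -> str:
        """Returns 'ok' or the reason the login must not proceed."""
        ch = self._challenges.get(session_id)
        if ch is None:
            return "no_challenge"          # other session, already used, or never issued
        if now >= ch.expires_at:
            del self._challenges[session_id]
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[session_id]   # user must request a fresh code
            return "too_many_attempts"
        if hmac.compare_digest(ch.code_hash, _bind(session_id, submitted)):
            del self._challenges[session_id]   # single use
            return "ok"
        ch.attempts += 1
        return "wrong_code"
```

With a million possible codes and five tries per challenge, a guess succeeds with probability 5 in a million before the challenge is discarded, which is why the attempt budget matters more than the code length. Each non-`ok` result is also the natural point to emit the Audit Logging event from the table.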
FAQ
What if I lose access to my authenticator app?
Use one of your backup recovery codes to log in. Each code works once. After logging in, you can reconfigure your authenticator app and generate new backup codes.
Can I require 2FA only for administrators?
Yes. You can configure which roles must use 2FA. Other roles can optionally enable it from their profile.
Does this conflict with OTP Login?
Yes, these modules serve similar purposes. Enable one or the other, not both. 2FA provides TOTP app support and is more feature-rich. OTP Login is a simpler email/SMS verification step after password entry.
Is 2FA required immediately after enabling?
Users can choose to enable 2FA from their profile. To force 2FA, configure role-based enforcement in module settings.
How do backup codes work?
Each user gets 10 single-use codes during setup. Store these somewhere safe. Each code can only be used once. You can regenerate codes from your profile, which invalidates the old codes.
Store backup codes in a password manager or another secure location separate from your password. They’re your emergency access method if you lose your phone or email access.