Switchboard DOCS
Docs
Get Started Get Lifetime Deal

Email/SMS Verification (OTP)

OTP Login adds a verification code step after users enter their password. They receive a 6-digit code via email or SMS, enter it, and then complete login. No authenticator app required — just the familiar experience users know from banking and other services.

Use Cases

  • Add two-step verification without requiring apps
  • Use familiar code-based verification users understand
  • Deliver codes via email (built-in) or SMS (Twilio)
  • Protect high-value accounts with minimal friction

How It Works

  1. User enters username and password
  2. Credentials are verified (correct password required)
  3. Module sends 6-digit code via email or SMS
  4. User enters code on verification screen
  5. Correct code completes login
  6. Code expires after configured time

Difference from 2FA

FeatureOTP Login2FA Module
TOTP App SupportNoYes
Email CodesYesYes
SMS CodesYes (Twilio)No
Backup CodesNoYes
Setup RequiredNoneUser setup
Best ForSimple verificationFull 2FA features

These modules conflict — enable one or the other, not both. OTP Login is simpler; 2FA is more comprehensive.

Settings

SettingTypeDefaultDescription
Code ExpiryNumber10Minutes until codes expire
Delivery MethodSelectEmailEmail or SMS (requires Twilio)
Required RolesMulti-selectAllWhich roles require OTP verification
Max AttemptsNumber5Failed code attempts before lockout

Email Delivery

Email codes use WordPress’s built-in mail function:

  • Works out of the box with no configuration
  • Delivery depends on your email setup (SMTP recommended)
  • Customize email template in module settings

SMS Delivery (Twilio)

For SMS delivery, configure Twilio integration:

  1. Create a Twilio account
  2. Get a phone number with SMS capability
  3. Copy Account SID, Auth Token, and Phone Number
  4. Enter credentials in module settings
  5. Users must have phone numbers in their profiles

SMS delivery costs money through Twilio. Email delivery is free. Consider SMS only for high-security requirements.

Security Features

FeatureDescription
Rate LimitingMax 5 verification attempts per session
IP-Based LimitsMax 10 verification attempts per IP per hour
Encrypted CodesCodes encrypted with AES-256-GCM
Short ExpiryCodes expire quickly (default 10 minutes)
One-Time UseEach code works only once
Audit TrailAttempts logged when Activity Log is enabled

Role-Based Verification

Choose which roles require OTP verification:

  • Require for administrators and editors only
  • Skip for subscribers to reduce friction
  • Apply to all roles for maximum security

Users in non-required roles log in with just their password.

CAPTCHA Integration

OTP Login integrates with Switchboard CAPTCHA modules to protect the verification form from brute force:

  • Cloudflare Turnstile
  • Google reCAPTCHA
  • Simple CAPTCHA

Enable “Protect OTP Login” in your CAPTCHA module settings.

FAQ

What if a user doesn’t receive the code?They can request a new code. Check spam folders for email delivery. For SMS, verify the phone number in their profile is correct and Twilio is configured properly.
Can users bypass OTP verification?No. Once enabled for a role, users in that role must complete verification. There’s no “remember this device” feature in OTP Login — that’s available in the full 2FA module.
Does this work with Magic Login?Magic Login provides passwordless access, while OTP Login requires a password first. They serve different purposes and can coexist, but using both on the same login flow would be redundant.
What happens after too many failed attempts?After 5 failed attempts, the session is locked. The user must start the login process over. IP-based limits prevent attackers from trying repeatedly with new sessions.
Is SMS delivery secure?SMS has known vulnerabilities (SIM swapping, interception). For highest security, use the full 2FA module with TOTP apps. SMS OTP is still much better than password-only login.

Ensure your email deliverability is reliable before enabling OTP Login. If users can’t receive codes, they can’t log in. Consider using an SMTP plugin for reliable email delivery.

PRO

Get access to all 166 modules with a single license

Upgrade to Pro
Prev
Change Post Type
Next
Force SSL Admin