Two Factor Authentication

Two Factor Authentication (TFA) is a tried-and-tested way to secure your WordPress site from unwanted logins.

By default, WordPress is protected only by a password. Once somebody guesses your password, they have full access. “Two Factor” security is about adding a second factor. This plugin uses the most popular implementation of TFA: one-time codes that are shown on your phone/tablet/other device, but which do not require that device to be connected to a network (i.e. you don’t need to be online, receiving SMSes, etc.).

Features:

  • Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others).
  • Displays graphical QR codes for easy scanning into apps on your phone/tablet
  • TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers)
  • TFA can be turned on or off by each user
  • Supports front-end editing of settings – any layout you wish (using standard WordPress shortcodes)
  • Includes support for the WooCommerce login form
  • Does not mention or request second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled)
  • WP Multisite compatible (plugin should be network activated)
  • Simplified user interface and code base for ease of use and performance
  • Emergency codes for when you lose your phone/tablet
  • Administrators can access other users’ codes, and turn them on/off when needed
  • Translatable – we have a website where you can easily add translations into your own language, if you wish

All WordPress versions from 3.2 onwards, including the current release, are supported.
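To make concrete what “standard TOTP + HOTP” and “codes that do not need a network” mean, here is an added worked example of the RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms, plus the otpauth:// URI that a QR code of the kind described above encodes. This is illustrative code written for this page, not the plugin’s own PHP; the function names, the ±1-step acceptance window and the HOTP look-ahead of 10 are assumptions chosen here, and the secret is the published RFC test key rather than anything a real site would use.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed input: the shared secret from the RFC 4226/6238 test vectors.
# A real deployment generates a random per-user secret; this one is public.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically
    truncated to 31 bits and reduced to the requested number of digits.
    SHA-1 is what Google Authenticator and most apps expect by default."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time / step.
    Both sides only need a shared secret and a clock, hence no network."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, for_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side,
    to tolerate clock drift. Comparison is constant-time so an attacker
    cannot learn matching digits from response timing."""
    if for_time is None:
        for_time = time.time()
    for k in range(-window, window + 1):
        expected = totp(secret, for_time + k * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                digits: int = 6, look_ahead: int = 10) -> Optional[int]:
    """Counter-based verification. The client may have generated codes the
    server never saw, so search a bounded look-ahead window. Returns the
    new counter to persist (one past the matched value) or None on failure;
    never accept a counter at or below the stored one (replay protection)."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


def otpauth_uri(account: str, secret: bytes, issuer: str,
                kind: str = "totp", digits: int = 6, period: int = 30,
                counter: int = 0) -> str:
    """Build the otpauth:// URI that a provisioning QR code encodes.
    The secret is Base32 without padding, as authenticator apps expect."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    params = f"secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}"
    if kind == "hotp":
        params += f"&counter={counter}"
    else:
        params += f"&period={period}"
    return f"otpauth://{kind}/{label}?{params}"


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))
    print("Current TOTP:", totp(RFC_TEST_SECRET))
    print(otpauth_uri("alice@example.com", RFC_TEST_SECRET, "Example WP"))
```

The 8-digit TOTP at t=59 is 94287082 and the 6-digit HOTP at counter 1 is 287082 (the same value truncated), which is exactly the relationship the RFCs’ published test vectors describe. The two verify functions show the two server-side decisions that matter for a login plugin: how much clock drift to tolerate for TOTP, and how far ahead to search (but never behind) for HOTP.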

Screenshots

The user is asked for their one-time password, after successfully entering their username and password on the WP login form:

User being asked to enter their one-time code (after successfully entering their username/password)

This is what the user sees if they enter their pass-code wrongly:

What the user sees if they enter their one-time code incorrectly

The user is asked for their one-time password, after successfully entering their username and password on the WooCommerce login form:

The user being asked to enter their one-time login code on a WooCommerce login form

This is what the user sees if they enter their pass-code wrongly:

What the user sees if they enter their two-factor code wrongly on a WooCommerce login form

This screen is of the user editing their two-factor settings in the WP dashboard:

User settings (in the WP admin area)

The user’s settings can also be made available to edit on the front-end, via a shortcode:

User settings (in the front-end)

Site-wide settings for the plugin:

Site-wide settings

Emergency codes:

Emergency codes (screenshot)

Adjusting other users’ TFA codes as an administrator:

Adjusting other users’ TFA codes as an administrator (screenshot)

Designing your own page for users, using shortcodes:

Designing your own page for users, using shortcodes

Short-codes

The following short-codes are available:

twofactor_user_settings : This short-code displays the whole user configuration. Use this to allow your users to get/set their TFA settings. Alternatively, to design the page yourself, you can use the individual short-codes listed below:

twofactor_user_settings_enabled : Display the option to turn TFA on or off.

twofactor_user_qrcode : Display the user’s QR code for scanning.

twofactor_user_emergencycodes : Display the user’s emergency codes.

twofactor_user_advancedsettings : Display the user’s advanced settings (e.g. selecting TOTP or HOTP).

twofactor_user_privatekeys : Display the user’s private keys. Use the ‘type’ parameter, with values ‘full’ (default), ‘plain’, ‘base32’ or ‘base64’ to control exactly what is displayed.

twofactor_user_privatekeys_reset : Display a link for the user to reset (change) their private key.

twofactor_user_currentcode : Display the current TFA code.

twofactor_user_presstorefresh : Wrap this shortcode around any HTML that you want to cause the current TFA code (displayed by the twofactor_user_currentcode shortcode) to refresh when clicked.

twofactor_conditional : Wrap this shortcode around any content that you wish to be displayed only if the condition is met. The condition is specified by the “onlyif” parameter, with valid values: activate, inactive, available, unavailable. The content is shown or hidden according to whether the user has TFA available (i.e. the administrator has allowed it for their user level) or activated. You can use this, for example, to display notices suggesting that your users activate TFA, or to remind them that it is available.
