Two Factor Authentication v1.14.22

“Two Factor Authentication” (TFA) is a tried-and-tested way to secure your WordPress site from unwanted logins.

By default, WordPress is protected only by a password. Once somebody guesses your password, they have full access. “Two Factor” security is about adding a second factor. This plugin uses the most popular implementation of TFA: one-time codes that are shown on your phone/tablet/other device, but which do not require you to be connected to a network (i.e. you don’t need to be online, receiving SMSes, etc.).

Features:
Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others).
Displays graphical QR codes for easy scanning into apps on your phone/tablet
TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers)
TFA can be turned on or off by each user
TFA can be made compulsory for chosen user roles (e.g. for all admins and editors), after a configurable time period to allow them to set it up (e.g. after 7 days)
Supports front-end editing of settings – any layout you wish (using standard WordPress shortcodes)
Site owners can allow “trusted devices” on which TFA codes are only asked for a chosen number of days (instead of every login); e.g. 30 days
Includes native support for the built-in WordPress, WooCommerce, Theme My Login, Elementor, Affiliates-WP, CozmosLabs Profile Builder, Gravity Forms User Registration add-on, bbPress and WP Members login forms; also supports any login form at all via appending your TFA code to your password (e.g. works with login forms that don’t follow internal WP conventions)
Optional anti-bot protection on WooCommerce login forms, hiding the existence of the form unless JavaScript is active.
Does not mention or request second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled)
Encrypts the TFA-generating secret keys using an on-disk encryption key, so that an attacker would need to break into both your WordPress database and your files in order to generate TFA codes (as well as obtaining a user’s password in order to use them).
WP Multisite compatible (plugin should be network activated)
Simplified user interface and code base for ease of use and performance
Emergency codes for when you lose your phone/tablet
Administrators can access other users’ codes, and turn them on/off when needed
Translatable – we have a website where you can easily add translations into your own language, if you wish
Alert users if someone appears to have found out their password, as indicated by successfully entering a password but repeatedly entering an incorrect TFA code.
All WordPress versions from 3.4 onwards, including the current release, are supported.

Short-codes

The following shortcodes are available:

twofactor_user_settings: This shortcode will display the whole user configuration. Use this to allow your users to get/set their TFA settings. Alternatively, to design the page yourself, you can use the individual shortcodes that follow:

twofactor_user_settings_enabled: Display the option to turn TFA on or off.

twofactor_user_qrcode: Display the user’s QR code for scanning.

twofactor_user_emergencycodes: Display the user’s emergency codes.

twofactor_user_advancedsettings: Display the user’s advanced settings (e.g. selecting TOTP or HOTP).

twofactor_user_privatekeys: Display the user’s private keys. Use the ‘type’ parameter, with values ‘full’ (default), ‘plain’, ‘base32’, or ‘base64’ to control exactly what is displayed.

twofactor_user_privatekeys_reset: Display a link for the user to reset (change) their private key.

twofactor_user_currentcode: Display the current TFA code.

twofactor_user_presstorefresh: Wrap this shortcode around any HTML that you want to cause the current TFA code (displayed by the twofactor_user_currentcode shortcode) to refresh when clicked.

twofactor_conditional: Wrap this shortcode around any content that you wish to be displayed only if the condition is met. The condition is specified by the “onlyif” parameter, with valid values: active, inactive, available, unavailable. The content is shown or hidden according to whether TFA is available to the user (i.e. the administrator has allowed it for their user level) or has been activated by them. You can use this, for example, to display notices to your users to suggest that they activate TFA, or to remind them that it is available, etc.
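As an added illustration (not taken from the plugin’s own documentation), the following page content combines the shortcodes above into a self-designed settings page. It assumes the usual WordPress enclosing form `[shortcode]…[/shortcode]` for the two wrapping shortcodes, and the notice wording is made up for the example.

```html
<!-- Added example of a custom TFA settings page built from the plugin's shortcodes. -->

[twofactor_conditional onlyif="unavailable"]
<p>Two-factor authentication is not enabled for your account type.</p>
[/twofactor_conditional]

[twofactor_conditional onlyif="available"]
<h3>Two-factor authentication</h3>
[twofactor_user_settings_enabled]
[/twofactor_conditional]

[twofactor_conditional onlyif="inactive"]
<p>Two-factor authentication is available for your account but not yet switched on.</p>
[/twofactor_conditional]

[twofactor_conditional onlyif="active"]
<h3>Scan this code into your authenticator app</h3>
[twofactor_user_qrcode]
<p>Or enter the key manually: [twofactor_user_privatekeys type="base32"]</p>
<p>Current code (click to refresh):
[twofactor_user_presstorefresh][twofactor_user_currentcode][/twofactor_user_presstorefresh]</p>

<h3>Emergency codes</h3>
[twofactor_user_emergencycodes]

<h3>Advanced</h3>
[twofactor_user_advancedsettings]
[twofactor_user_privatekeys_reset]
[/twofactor_conditional]
```

Because each block is wrapped in twofactor_conditional, a user for whom TFA is not allowed sees only the first notice, and the QR code and private key are rendered only for a user who has already switched TFA on.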
