When you configure the 2FA policies and make two-factor authentication (2FA) compulsory on your WordPress site, you also have the option to configure a grace period or to require the users to instantly configure 2FA.
Therefore, if you do not configure a grace period, users have to configure 2FA the next time they login to your WordPress website, as shown in the below screenshot.
What is the recommended grace period?
There is no ideal grace period. In fact high-security website do not even allow a grace period. They require users to configure 2FA as soon as they login to the website. So as a rule of thumb, the sooner you can get your users to use two-factor authentication the better it is for the security of your WordPress website and the site’s users.
What happens when a user does not configure 2FA within the grace period?
If the user does not configure two-factor authentication (2FA) within the grace period, the user account is locked and cannot login to the website. Only the website’s administrators can unlock the user again. Note that as a security precaution, user accounts cannot be unlocked automatically, even if the plugin’s settings are changed. They always have to be manually unlocked.
Read how to unlock locked WordPress users for more information on this subject.
How do you configure the grace period for 2FA?
The grace period can be configured in the Settings > Two-factor authentication menu entry in your WordPress dashboard.