WP 2FA offers many configuration and customization options, giving you complete control and freedom over how you implement 2FA on your WordPress website. In this guide, we will go through all of the available features in the plugin - helping you familiarize yourself with the available options to make sure your 2FA implementation is a resounding success.
Two-factor authentication methods refer to the methods users will use to authenticate themselves after successfully authenticating themselves using their WordPress username and the corresponding password.
WP 2FA offers several 2FA methods, including Authy, allowing administrators to pick and choose the one or ones they are comfortable with. WP 2FA also gives you the option to provide users with multiple 2FA methods, allowing them to choose the one that best suits their needs and requirements.
One-time code via 2FA App
This 2FA method allows users to configure 2FA by using one of the supported 2FA apps. During the initial 2FA setup process, users synchronize their WordPress 2FA through a QR code or a verification code provided through WP 2FA. Once the code is entered into the app, the app will start generating one-time passwords, which the users must then use to log in to WordPress.
You can easily configure WordPress 2FA with your preferred 2FA app that’s TOTP compliant, giving you a wide selection of apps to choose from.
Link via email (Out-of-band email)
This 2FA method uses OOB authentication to send a link to the user’s email. There are no codes to enter when using this method - instead, users just need to click on a link provided by the plugin. The email sent is fully configurable. Kindly refer to the emails feature section to learn more. Administrators can specify for how long the link will remain valid.
Code via email (HOTP)
This 2FA method sends a one-time passcode via email, which the user must retrieve and enter into the 2FA prompt on the WordPress website. Administrators can specify for how long the OTP will remain valid.
This method can also be configured as a backup method, ensuring users can still log in should their phone run out of battery or get misplaced.
This 2FA method sends the user an OTP via an SMS notification sent to their phone. The advantage of using this method is that no apps need to be installed on users’ phones.
This 2FA method sends the user an OTP via a WhatsApp message.
This 2FA method calls the user on their phone and verbally with an automated OTP voice message.
This 2FA method uses what is called app-based cordless 2FA. Instead of using a code, the user accepts a push notification sent to their phone, with no code input required during the process.
Backup codes (backup method)
Backup codes are a secondary 2FA method to be used when the configured primary 2FA method is unavailable, such as a phone with a dead battery. Users get a list of OTPs (One-Time Passwords), each of which can only be used once. As such, backup codes are strictly for emergency use only.
Other 2FA backup
Aside from backup codes, WP 2FA also offers the possibility to set up email codes or links as a backup method. When enabled, 2FA users will be able to select the configured backup method from the login screen, minimizing downtime should the primary 2FA method be unavailable, such as a lost phone.
When users are required to set up 2FA for the first time, they might not have the time to configure 2FA at their next log-in. Perhaps they need to log in to fix something quickly, or an important deadline is looming, and every second counts. To make sure 2FA does not get in the way of users doing their job, with WP 2FA you can configure an optional grace period, which can be set through policies, during which users can set up 2FA at their convenience - as long as it is before the grace period ends.
If a user fails to configure 2FA within the grace period, they will need to configure 2FA on the next login or their account will automatically be locked out - depending on how the administrator configures it. Once an account is locked, an administrator with the appropriate privileges must unlock the account manually.
2FA enforcement & policies
When setting up 2FA, you can configure 2FA policies to choose which user accounts and roles, if any, must configure and use 2FA through enforcement. Users on whom 2FA is not enforced via a policy can still configure and use it; however, it becomes optional. Equally, you can use policies to exclude users or roles. Excluded users/roles cannot set up 2FA.
WP 2FA includes several options that offer granularity in how 2FA is enforced.
As the name suggests, configured 2FA policies will apply to all WordPress users. You can make certain exclusions by excluding users and/or roles from inheriting the policy.
Only for specific users and or user roles
When choosing this option, 2FA will only be enforced on the users and roles that you explicitly specify in the applicable fields.
Do not enforce on any users
When choosing this option, 2FA is not enforced on any users. Users will still be able to configure 2FA at their own discretion unless excluded via user or role.
You can easily confirm a user’s 2FA status through the Users page, where you will find a 2FA Status column with the current 2FA status for that use.
Remember me (Trusted devices)
When enabled, the 2FA trusted devices feature allows users to add devices as trusted devices, so they do not have to authenticate using 2FA for the configured period, which administrators can set to last between 15 to 60 days. One thing worth noting is that the trusted device feature is device-dependant. As such, if the user tries to log in from another device, they will still be asked to authenticate via 2FA.
This feature works through cookies stored on the user’s browser. As a security precaution, administrators can also configure the feature to ask the user to authenticate via 2FA when their IP address is different from the one listed in the cookie.
2FA policies per user role
WP 2FA allows you to configure different 2FA policies for each user role on your WordPress website. You have the option of setting up a Site-wide policy, which will apply to all users, and role-specific 2FA policies, which will only apply to users who are members of that role.
Through this feature, you can set up different policies, including available 2FA methods, availability and length of a grace period, and much more for different users and roles. For example, you could set stricter policies for admins while giving regular users more leeway.
Through the white labeling feature, administrators and WordPress website owners can change the look and feel of various elements in the 2FA code page and 2FA wizard. You can change the font, messaging, colors, and logo to reflect your branding, helping you ensure a consistent user experience throughout the entire user journey,
WP 2FA reports offer administrators an easy way to stay on top of 2FA. Through the pre-configured reports, administrators can easily see the 2FA status of every role and user, including who has 2FA configured and which method they’re using.
While reports are updated automatically, administrators can also request the latest updates at any point at the click of a button - ensuring they are always kept up to date of 2FA implementation on their website.
Emails remain one of the most widely-used forms of electronic communication - one that all users are familiar with. WP 2FA uses email to communicate with users at various points, including when sending code and links (when configured as a 2FA method) as well as informing users when their accounts are locked and unlocked.
All emails are fully editable, including the subject and the body of the email. Furthermore, template tags are included with every email, which allows you to automatically customize each email sent for the user it is being sent to.