Two Factor Authentication

plugin banner

Secure WordPress login with Two Factor Authentication – supports WooCommerce, front-end configuration, HOTP + TOTP (Google Authenticator, Authy, etc.)

Author:David Anderson, original plugin by Oskar Hane and enhanced by Dee Nutbourne (profile at wordpress.org)
WordPress version required:3.4
WordPress version tested:6.5
Plugin version:1.14.17
Added to WordPress repository:20-03-2015
Last updated:16-03-2024
Rating, %:88
Rated by:77
Plugin URI:https://www.simbahosting.co.uk/s3/product/two...
Total downloads:724 657
Active installs:20 000+
plugin download
Click to start download

Secure WordPress login with this two factor authentication (TFA / 2FA) plugin. Users for whom it is enabled will require a one-time code in order to log in. From the authors of UpdraftPlus – WP’s #1 backup/restore plugin, with over two million active installs.

Are you completely new to TFA? If so, please see our FAQ.

Features (please see the “Screenshots” for more information):

  • Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others).
  • Displays graphical QR codes for easy scanning into apps on your phone/tablet
  • TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers)
  • TFA can be turned on or off by each user
  • TFA can be required for specified user levels, after a defined time period (e.g. require all admins to have TFA, once their accounts are a week old) (Premium version), including forcing them to immediately set up (by redirecting them to the page to do so)
  • Supports front-end editing of settings, via [twofactor_user_settings] shortcode (i.e. users don’t need access to the WP dashboard). (The Premium version allows custom designing of any layout you wish).
  • Site owners can allow “trusted devices” on which TFA codes are only asked for a chosen number of days (instead of every login); e.g. 30 days (Premium version)
  • Encrypt the TFA-generating secret keys using an on-disk encryption key, so that an attacker would need to break into both your WordPress database and your files in order to break TFA codes (as well as breaking a user’s password in order to use them)
  • Works together with “Theme My Login” (both forms and widgets)
  • Includes support for the WooCommerce and Affiliates-WP login forms
  • Includes support for CozmosLabs Profile Builder
  • Includes support for Elementor Pro login forms (Premium version)
  • Includes support for bbPress login forms (Premium version)
  • Includes support for login forms from the Gravity Forms User Registration add-on (Premium version)
  • Includes support for any and every third-party login form (Premium version) without any further coding needed via appending your TFA code to the end of your password
  • Does not mention or request second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled)
  • WP Multisite compatible (plugin should be network activated)
  • Simplified user interface and code base for ease of use and performance
  • Added a number of extra security checks to the original forked code
  • Alert users if someone appears to have found out their password, as indicated by successfully entering a password but repeatedly entering an incorrect TFA code.
  • Emergency codes for when you lose your phone/tablet (Premium version)
  • When using the front-end shortcode (Premium version), require the user to enter the current TFA code correctly to be able to activate TFA
  • Works together with “WP Members” (shortcode form)
  • Administrators can access other users’ codes, and turn them on/off when needed (Premium version)

Why use TFA / 2FA ?

Read this! https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

How Does TFA / 2FA Work?

This plugin uses the industry standard TFA / 2FA algorithm TOTP or HOTP for creating One Time Passwords. These are used by Google Authenticator, Authy, and many other OTP applications that you can deploy on your phone etc.

A TOTP code is valid for a certain time. Whatever program you use (i.e. Google Authenticator, etc.) will show a different code every so often.

Plugin Notes

This plugin began life in early 2015 as a friendly fork and enhancement of Oscar Hane’s “two factor auth” plugin.


Screenshots
FAQ
ChangeLog