One-time password system conforming to RFC 2289 to protect your weblog in less trustworthy environments, like internet cafés.
No, but it could be.
No, if you plan to use a printed one-time password list only.
Yes, if you plan to use a one-time password generator, on your iPhone (not tried) or on Android (tried with success) or on mobile phones that support JavaME, for example using j2me-otp (not tried) or OTPGen (tried with success).
If you are using a one-time password generator, you can safely generate a new password list using a one-time password by entering this password in the pass-phrase field and by checking Pass-phrase is a One-Time Password. The sequence number should be entered into the Count/sequence field. In this case no password list will be displayed.
Revoke it as soon as possible. Generating a new one-time password list will revoke the existing list automatically. Do not generate a new one-time password list with the same pass-phrase, seed and algorithm (at least one should be different).
Yes, if you remember the pass-phrase, seed and algorithm, but the one-time password sequence will be reset.
Simply enter the password of your choice into the WordPress password box.
Because the new authenticate filter is used. See this article for more details.
Yes, since version 0.5.
Yes, since version 1.2.
Because this is a requirement of the PHP One-Time Passwords class and because the try-catch construction is used as a fail-safe for the login screen.
Users with manage_options capability, normally only administrators.
First of all, the integration with the http:BL plugin has to be enabled using the settings menu. If enabled, you can navigate to the login URL of your blog, even if http:BL would normally block it. A warning indicating the age, level and threat type is displayed above the login window. You can log in only using a one-time password, not with your user name and password. After logging in, you can navigate to any part of your weblog, until you sign out. Note that before logging in only wp-login.php is available and no other addresses like /wp-admin/.
I recommend installing Invalidate Logged Out Cookies for more security.
If you enable the option to disable Bad Behavior on the login page using the settings menu, the Bad Behavior plugin will be disabled. To re-enable the Bad Behavior plugin, you have to disable this option first. When this option is enabled, the one-time password plugin will load the Bad Behavior plugin instead of WordPress, except for the login page and for every other page when you are logged in using a one-time password. Unfortunately it is not possible (yet) to display a warning on the login page that Bad Behavior would block access.
No, RFC 4226 requires a symmetric key, which should be stored. WordPress does not provide a safe way to store keys.
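The RFC 2289 properties these answers rely on, as an added example that is not the plugin's code: the verifier stores only the last accepted one-time password rather than a key, and a list regenerated from the same pass-phrase, seed and algorithm is identical to the old one. It uses the MD5 variant of RFC 2289; the `Server` class, pass-phrase and seed are constructed for illustration.

```python
import hashlib

def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash, then XOR the two 64-bit halves together."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """OTP for sequence number `count`: the initial step plus `count` more."""
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        value = fold_md5(value)
    return value

class Server:
    """Hypothetical verifier: holds the last accepted OTP and its count only."""
    def __init__(self, last_otp: bytes, count: int):
        self.last_otp, self.count = last_otp, count

    def challenge(self) -> int:
        return self.count - 1  # sequence number the next login must answer

    def login(self, candidate: bytes) -> bool:
        # One more hash step over the candidate must give the stored value.
        if self.count <= 0 or fold_md5(candidate) != self.last_otp:
            return False
        self.last_otp, self.count = candidate, self.count - 1
        return True

# Constructed sample values, not taken from the plugin.
PASSPHRASE, SEED, COUNT = "correct horse battery", "wp1234", 50

if __name__ == "__main__":
    server = Server(otp(PASSPHRASE, SEED, COUNT), COUNT)
    n = server.challenge()
    print("challenge", n, "->", server.login(otp(PASSPHRASE, SEED, n)))
    print("replay    ->", server.login(otp(PASSPHRASE, SEED, n)))
    # Same pass-phrase, seed and algorithm: the "new" list equals the old one.
    print("same list ->", otp(PASSPHRASE, SEED, 10) == otp(PASSPHRASE, SEED, 10))
    print("new seed  ->", otp(PASSPHRASE, "wp1235", 10) == otp(PASSPHRASE, SEED, 10))
```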
You can write a comment on the support page.