This plugin prevents logged in users from doing anything on your wordpress.org blog until they have verified their second factor of authentication. The process goes like this:
- A user logs into your blog.
- Behind the scenes a bunch of cryptographic stuff happens and a key is generated and attached to that user. The key is overwritten with a new one every single time they log in. This key is emailed to that user (via the email address the user is registered under.)
- The user gets the email with the code.
- The user then enters the code at the page which is now presented to them when they are trying to access your blog
- Behind the scenes the token is checked for validity, and a cookie is added to the users session. They are now allowed access to your blog. If the key changes (the user logs out, or is required to log in again) the cookie that they may have been using will no longer be valid and they will be asked to enter the new one that they get via email.