Description

Use the “Two-Factor Options” section under “Users” → “Your Profile” to enable and configure one or multiple two-factor authentication providers for your account:

Email codes
Time Based One-Time Passwords (TOTP)
FIDO Universal 2nd Factor (U2F)
Backup Codes
Dummy Method (only for testing purposes)

For more history, see this post.

Actions & Filters

Here is a list of action and filter hooks provided by the plugin:

two_factor_providers filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers.
two_factor_enabled_providers_for_user filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID.
two_factor_user_authenticated action which receives the logged in WP_User object as the first argument for determining the logged in user right after the authentication workflow.
two_factor_token_ttl filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the WP_User object being authenticated.

Get Involved

Development happens on GitHub. Join the #core-passwords channel on WordPress Slack (sign up here).

Here is how to get started:

$ git clone https://github.com/wordpress/two-factor.git
$ npm install

Then open a pull request with the suggested changes.

Screenshots

Two-factor options under User Profile.
U2F Security Keys section under User Profile.
Email Code Authentication during WordPress Login.

Reviews

Devyn Brugge December 1, 2021

Really lightweight plugin, it seemed safe to implement and worked for day until admins reported issues. However, my case seems to be a conflict with Toolset Access and I am now having an impossible time trying to remove from my site. Even though I have deactivated, the combination of both these plugins seems to have corrupted the user access table. When an admin accesses the login page, we get a message "You don’t have permission to access this page." Sometimes, changing browsers/VPNs fixes it temporarily. There is no way to remove the plugin settings with uninstall.

Fahrenhe1t November 25, 2021

This plugin is great for increasing login security by enabling Yubikey 2-Factor Authentication (FIDO U2F), or Time-based One Time Passwords (TOTP). It's very impressive; as if the WordPress devs themselves integrated it. It even lets you create application-specific passwords (so you can log in with a password on the WordPress app).

natasha bryan November 20, 2021

This plugin has a super easy functioning and easy to use interface. This is the best plugin I have found here.

erikmelkersson November 15, 2021

Simple and does just what it should do without bloating. Thank you.

rezadan November 14, 2021

This plugin is great for providing multiple forms of 2FA.

Hyrules November 2, 2021

Excellent 2FA plugin for WordPress that does not require a third party. It will work with email, TOTP, hardware key and backup codes. Still a WIP but I see a lot of potential.

Read all 147 reviews