Hi, I’m trying to add a step AFTER normal WP user auth: I would like to add a page with a code to be inserted to confirm the login.
    If the code is not inserted or the page skipped the user should not login.

    I know how to add an extra field to login page but I can’t find how to add an extra step…

    thanks

Viewing 6 replies - 1 through 6 (of 6 total)
Moderator bcworkz

    (@bcworkz)

    There is probably a way to do this, but it would just be security theater. Once the user is authenticated, they can access anything they have a right to by simply sending another request, without going through your extra page.

    Any extra security measures you would want to implement would either have to be part of the initial login page or part of the actual authenticate process. You could hook ‘authenticate’ and implement additional security this way. You control the authentication by what your callback returns, so this hook would be true security.

    The problem is, I don’t think you can output any content from this hook. Maybe your extra page could be a popup caused by JavaScript when the login form is submitted. The popup requests further action from the user, then sends an AJAX request that sets a transient flag indicating authentication can proceed. In the meantime, your authenticate callback is simply idling, waiting for the transient to be set. If it is never set, the script will just eventually time out.

    Just an idea, I’ve no experience to confirm this is even a viable procedure or not. All I know is doing something after authentication is meaningless.

    Thread Starter taloweb

    (@taloweb)

    This is an interesting suggestion, thanks.
    What do you think about replacing the WordPress login page? Do you think it’s possible to override the login page output and completely rewrite it?

    Moderator bcworkz

    (@bcworkz)

    It’s never a good idea to alter WP core code. You could certainly write your own login page and direct users to that one to log in. The problem would be that WP will continue to try to use wp-login.php for any number of reasons. I would think a .htaccess directive would take care of that, unless I’m missing something. I know others have rewritten the login page, but I’m not really sure how they managed it.

    From the sounds of it, what you are trying to do could be accomplished through adding another field, yet you’ve chosen not to. Out of mere curiosity, what are you hoping to gain by doing this through a second page instead of an extra field?

    Thread Starter taloweb

    (@taloweb)

    You are right, I don’t want to alter WP core code. Never.

    This is what I would like to do:
    - the user tries to authenticate
    - if user/pass are correct, the user is not immediately logged in but a code is sent to some user device (configured in the user profile)
    - the user is then redirected to the second step page
    - the user enters the code received on this page, and only if it is correct is the user authenticated

    Moderator bcworkz

    (@bcworkz)

    I just don’t see how entering a given code on a separate page is any different than entering it on the initial form.

    I suppose it depends on how that code is generated. If it’s just a random string unrelated to the user, then I don’t see the advantage. If it is something related to a specific user, such as a pre-arranged security question, then I get it, since you can’t know what to send to the user until you know who the user is.

    The problem with your scheme is how WP handles authentication. If you must know if the password is valid before the second step, you basically need to do your own authentication because letting WP do it would render your second step superfluous. The only way to do that is to redirect requests to wp-login.php to your own version of a login page.

    I don’t think verifying the password prior to the second step is really gaining any extra security, you just really need to know the username. You could perhaps add the second step content to the initial login form using javascript. Onchange of the username field, make an AJAX request for second step content, which is placed into an empty container on the form inserted previously via a filter hook.

    Of course, whatever the second step content is cannot be anything sensitive, since anyone knowing or guessing the username would be able to view it. Something to consider?

    To continue with your original scheme, copy wp-login.php into a different file. Change something so you can be sure your version is being called. Add a redirect to your new page in .htaccess. Test to be sure everything is working correctly with the new configuration.

    If that checks out, restructure the login case to do your own password check, after which the second step content is output. The submit from that then goes to a new case that checks the second step submit and if correct, sets the auth cookie and redirects as was previously done in the login case. Be sure to use some sort of nonce scheme so no one can bypass the password step and just submit the second step form directly.

    The WP nonce scheme is not the most secure because the same nonce can be reused indefinitely for 24 hours. Best to have a nonce scheme that can truly be used only once.
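    The following is an added example, not code from this thread or from WordPress core, showing the two points bcworkz makes above in one place: the code check lives inside the ‘authenticate’ filter (so it is enforced on every login request, not on a separate page that can be skipped), and the code is a true single-use secret with a short expiry rather than a reusable WP nonce. It assumes a mu-plugin context, that the hook priority 30 runs after WP’s own username/password callback (which is registered at 20), that the form field name example_login_code and all example_ function names are hypothetical, and that delivery to “the user’s device” is stood in for by wp_mail() to the account e-mail.

```php
<?php
/**
 * Added example (hypothetical mu-plugin): require a one-time login code
 * inside the 'authenticate' filter. Names prefixed example_ are assumptions.
 */

// Add the code field to the normal login form (field name is an assumption).
add_action( 'login_form', function () {
    echo '<p><label>Login code<br>';
    echo '<input type="text" name="example_login_code" autocomplete="one-time-code"></label></p>';
} );

// Priority 30: runs after wp_authenticate_username_password() (priority 20),
// so $user is a WP_User only when the password was already verified.
add_filter( 'authenticate', 'example_require_login_code', 30, 3 );

function example_require_login_code( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // password step failed or not attempted; keep WP's result
    }

    $key       = 'example_login_code_' . $user->ID;
    $submitted = isset( $_POST['example_login_code'] )
        ? trim( wp_unslash( $_POST['example_login_code'] ) ) : '';
    // Transient holds array( 'hash' => keyed hash of code, 'attempts' => n ) or false.
    $stored    = get_transient( $key );

    if ( '' === $submitted ) {
        // No code entered yet: issue one only if none is outstanding, then refuse the login.
        if ( false === $stored ) {
            example_issue_login_code( $user, $key );
        }
        return new WP_Error( 'example_code_required',
            'A login code has been sent to your device. Enter it with your password to finish logging in.' );
    }

    if ( false === $stored ) {
        return new WP_Error( 'example_code_expired',
            'Your login code expired. Log in again to receive a new one.' );
    }

    // Compare keyed hashes in constant time; the plain code is never stored.
    $ok = hash_equals( $stored['hash'], wp_hash( $submitted . '|' . $user->ID ) );

    if ( ! $ok ) {
        $stored['attempts']++;
        if ( $stored['attempts'] >= 5 ) {
            delete_transient( $key ); // too many guesses: invalidate, force a fresh code
        } else {
            set_transient( $key, $stored, 5 * MINUTE_IN_SECONDS );
        }
        return new WP_Error( 'example_code_invalid', 'Incorrect login code.' );
    }

    // Correct: consume the code so it can never be replayed, then let WP set the auth cookie.
    delete_transient( $key );
    return $user;
}

function example_issue_login_code( WP_User $user, $key ) {
    // Six-digit code from the CSPRNG; only its keyed hash is persisted, for 5 minutes.
    $code = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    set_transient( $key, array(
        'hash'     => wp_hash( $code . '|' . $user->ID ),
        'attempts' => 0,
    ), 5 * MINUTE_IN_SECONDS );

    // Stand-in for "send to the device configured in the user profile".
    wp_mail( $user->user_email, 'Your login code', 'Your login code is: ' . $code );
}
```

    Because the callback returns a WP_Error until a valid code is presented, WordPress never sets the auth cookie early, which is exactly the “after authentication is meaningless” problem from the first reply. Expiry, the attempt counter and deletion on success are what make the code single-use, in contrast to the 24-hour reusable WP nonce described above. Transients live in the options table or the object cache, so on a multi-server setup make sure that storage is shared.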

    Thread Starter taloweb

    (@taloweb)

    I thank you for your help, I think I’ll try your suggestions!
    Thanks again

The topic ‘Adding a step to authentication’ is closed to new replies.