Two Factor

설명

The Two-Factor plugin adds an extra layer of security to your WordPress login by requiring users to provide a second form of authentication in addition to their password. This helps protect against unauthorized access even if passwords are compromised.

Setup Instructions

Important: Each user must individually configure their two-factor authentication settings. There are no site-wide settings for this plugin.

For Individual Users

1. Navigate to your profile: Go to “Users” → “Your Profile” in the WordPress admin
2. Find Two-Factor Options: Scroll down to the “Two-Factor Options” section
3. Choose your methods: Enable one or more authentication providers (noting a site admin may have hidden one or more so what is available could vary):
   • Authenticator App (TOTP) – Use apps like Google Authenticator, Authy, or 1Password
   • Email Codes – Receive one-time codes via email
   • FIDO U2F Security Keys – Use physical security keys (requires HTTPS)
   • Backup Codes – Generate one-time backup codes for emergencies
   • Dummy Method – For testing purposes only (requires WP_DEBUG)
4. Configure each method: Follow the setup instructions for each enabled provider
5. Set primary method: Choose which method to use as your default authentication
6. Save changes: Click “Update Profile” to save your settings

For Site Administrators

• No global settings: This plugin operates on a per-user basis only. For more, see GH#249.
• User management: Administrators can configure 2FA for other users by editing their profiles
• Security recommendations: Encourage users to enable backup methods to prevent account lockouts

Available Authentication Methods

Authenticator App (TOTP) – Recommended

• Security: High – Time-based one-time passwords
• Setup: Scan QR code with authenticator app
• Compatibility: Works with Google Authenticator, Authy, 1Password, and other TOTP apps
• Best for: Most users, provides excellent security with good usability

Backup Codes – Recommended

• Security: Medium – One-time use codes
• Setup: Generate 10 backup codes for emergency access
• Compatibility: Works everywhere, no special hardware needed
• Best for: Emergency access when other methods are unavailable

Email Codes

• Security: Medium – One-time codes sent via email
• Setup: Automatic – uses your WordPress email address
• Compatibility: Works with any email-capable device
• Best for: Users who prefer email-based authentication

FIDO U2F Security Keys

• Security: High – Hardware-based authentication
• Setup: Register physical security keys (USB, NFC, or Bluetooth)
• Requirements: HTTPS connection required, compatible browser needed
• Browser Support: Chrome, Firefox, Edge (varies by key type)
• Best for: Users with security keys who want maximum security

Dummy Method

• Security: None – Always succeeds
• Setup: Only available when WP_DEBUG is enabled
• Purpose: Testing and development only
• Best for: Developers testing the plugin

Important Notes

HTTPS Requirement

• FIDO U2F Security Keys require an HTTPS connection to function
• Other methods work on both HTTP and HTTPS sites

Browser Compatibility

• FIDO U2F requires a compatible browser and may not work on all devices
• TOTP and email methods work on all devices and browsers

Account Recovery

• Always enable backup codes to prevent being locked out of your account
• If you lose access to all authentication methods, contact your site administrator

Security Best Practices

• Use multiple authentication methods when possible
• Keep backup codes in a secure location
• Regularly review and update your authentication settings

For more information about two-factor authentication in WordPress, see the WordPress Advanced Administration Security Guide.

더 많은 역사에 대해서는 이 글을 참조하세요.

액션 및 필터

여기 플러그인에서 제공하는 액션 및 필터 훅 목록이 있습니다:

• two_factor_providers 필터는 이메일 및 시간 기반 일회성 비밀번호와 같은 사용 가능한 이중 인증 제공자를 재정의합니다. 배열 값은 이중 인증 제공자의 PHP 클래스 이름입니다.
• two_factor_providers_for_user 필터는 특정 사용자를 위한 사용 가능한 이중 인증 제공자를 재정의합니다. 배열 값은 제공자 클래스의 인스턴스이며, 사용자 객체 WP_User는 두 번째 인수로 사용 가능합니다.
• two_factor_enabled_providers_for_user 필터는 사용자에게 활성화된 2단계 인증 제공자의 목록을 재정의합니다. 첫 번째 인수는 값으로 활성화된 제공자 클래스 이름의 배열이며, 두 번째 인수는 사용자 ID입니다.
• two_factor_user_authenticated 액션은 인증 워크플로우 직후 로그인된 WP_User 객체를 첫 번째 인수로 받아 로그인된 사용자를 결정합니다.
• two_factor_user_api_login_enable filter restricts authentication for REST API and XML-RPC to application passwords only. Provides the user ID as the second argument.
• two_factor_email_token_ttl 필터는 이메일 토큰이 생성된 후 고려되는 시간 간격(초)을 재정의합니다. 첫 번째 인수로 초 단위의 시간을 받고, 인증되는 WP_User 객체의 ID를 받습니다.
• two_factor_email_token_length 필터는 이메일 토큰의 기본 8자 수를 재정의합니다.
• two_factor_backup_code_length filter overrides the default 8 character count for backup codes. Provides the WP_User of the associated user as the second argument.
• two_factor_rest_api_can_edit_user filter overrides whether a user’s Two-Factor settings can be edited via the REST API. First argument is the current $can_edit boolean, the second argument is the user ID.
• two_factor_before_authentication_prompt action which receives the provider object and fires prior to the prompt shown on the authentication input form.
• two_factor_after_authentication_prompt action which receives the provider object and fires after the prompt shown on the authentication input form.
• two_factor_after_authentication_inputaction which receives the provider object and fires after the input shown on the authentication input form (if form contains no input, action fires immediately after two_factor_after_authentication_prompt).