To-faktor

Beskrivelse

The Two-Factor plugin adds an extra layer of security to your WordPress login by requiring users to provide a second form of authentication in addition to their password. This helps protect against unauthorized access even if passwords are compromised.

Oppsettsinstruksjoner

Important: Each user must individually configure their two-factor authentication settings. There are no site-wide settings for this plugin.

For individuelle brukere

1. Navigate to your profile: Go to «Users» → «Your Profile» in the WordPress admin
2. Find Two-Factor Options: Scroll down to the «Two-Factor Options» section
3. Choose your methods: Enable one or more authentication providers (noting a site admin may have hidden one or more so what is available could vary):
   • Authenticator App (TOTP) – Use apps like Google Authenticator, Authy, or 1Password
   • E-postkoder – Receive one-time codes via email
   • FIDO U2F Security Keys – Use physical security keys (requires HTTPS)
   • Backup Codes – Generate one-time backup codes for emergencies
   • Dummy Method – For testing purposes only (requires WP_DEBUG)
4. Configure each method: Follow the setup instructions for each enabled provider
5. Set primary method: Choose which method to use as your default authentication
6. Save changes: Click «Update Profile» to save your settings

For nettstedsadministratorer

• No global settings: This plugin operates on a per-user basis only. For more, see GH#249.
• User management: Administrators can configure 2FA for other users by editing their profiles
• Security recommendations: Encourage users to enable backup methods to prevent account lockouts

Available Authentication Methods

Authenticator App (TOTP) – Recommended

• Security: High – Time-based one-time passwords
• Setup: Scan QR code with authenticator app
• Compatibility: Works with Google Authenticator, Authy, 1Password, and other TOTP apps
• Best for: Most users, provides excellent security with good usability

Backup Codes – Recommended

• Security: Medium – One-time use codes
• Setup: Generate 10 backup codes for emergency access
• Compatibility: Works everywhere, no special hardware needed
• Best for: Emergency access when other methods are unavailable

E-postkoder

• Security: Medium – One-time codes sent via email
• Setup: Automatic – uses your WordPress email address
• Compatibility: Works with any email-capable device
• Best for: Users who prefer email-based authentication

FIDO U2F Security Keys

• Security: High – Hardware-based authentication
• Setup: Register physical security keys (USB, NFC, or Bluetooth)
• Requirements: HTTPS connection required, compatible browser needed
• Browser Support: Chrome, Firefox, Edge (varies by key type)
• Best for: Users with security keys who want maximum security

Dummy Method

• Security: None – Always succeeds
• Setup: Only available when WP_DEBUG is enabled
• Purpose: Testing and development only
• Best for: Developers testing the plugin

Important Notes

HTTPS Requirement

• FIDO U2F Security Keys require an HTTPS connection to function
• Other methods work on both HTTP and HTTPS sites

Browser Compatibility

• FIDO U2F requires a compatible browser and may not work on all devices
• TOTP and email methods work on all devices and browsers

Account Recovery

• Always enable backup codes to prevent being locked out of your account
• If you lose access to all authentication methods, contact your site administrator

Security Best Practices

• Bruk flere autentiseringsmetoder når mulig.
• Keep backup codes in a secure location
• Regularly review and update your authentication settings

For more information about two-factor authentication in WordPress, see the WordPress Advanced Administration Security Guide.

For mer historikk, se dette innlegget.

Handlinger og filtre

Her er en liste over handlings- og filter-knagger som tilbys i utvidelsen:

• Filteret two_factor_providers overstyrer de tilgjengelige tofaktorleverandørene som e-post- og tidsbaserte engangspassord. Rekkeverdiene er PHP-klassnavn for tofaktor-leverandørene.
• Filteret two_factor_providers_for_user overstyrer de tilgjengelige tofaktorleverandørene for en bestemt bruker. Rekkeverdiene er instanser av leverandørklassser, og brukerobjektet WP_User er tilgjengelig som det andre argumentet.
• Filteret two_factor_enabled_providers_for_user overstyrer listen over to-faktor-leverandører slått på for en bruker. Første argument er en rekke påslåtte leverandør-klassenavn som verdier, det andre argumentet er bruker-id-en.
• Handlingen two_factor_user_authenticated, som mottar den innloggede WP_User-objektet som det første argumentet, for å fastsette den innloggede brukeren like etter autentiseringen.
• two_factor_user_api_login_enable-filteret begrenser autentiseringen for REST API og XML-RPC til kun applikasjons passord. Gir bruker-ID som det andre argumentet.
• Filteret two_factor_token_ttl overstyrer det tidsintervallet i sekunder som et e-postadgangstegn tas i betraktning etter generering. Aksepterer tiden i sekunder som det første argumentet og id-en til objektet WP_User som skal autentiseres.
• Filteret two_factor_email_token_length overstyrer den standard 8-tegnsgrensen for adgangstegn via e-post.
• Filteret two_factor_backup_code_length overstyrer den standard 8-tegnsgrensen for reservekoder. Leverer WP_User for den tilknyttede brukeren som det andre argumentet.
• Filteret two_factor_rest_api_can_edit_user overstyrer hvirvidt en brukers tofaktor-innstillinger kan redigeres via RAT API. Det første argumentet er den nåværende boolske $can_edit, det andre er bruker-id.
• two_factor_before_authentication_prompt action which receives the provider object and fires prior to the prompt shown on the authentication input form.
• two_factor_after_authentication_prompt action which receives the provider object and fires after the prompt shown on the authentication input form.
• two_factor_after_authentication_inputaction which receives the provider object and fires after the input shown on the authentication input form (if form contains no input, action fires immediately after two_factor_after_authentication_prompt).