Two Factor Authentication Pro

Scroll down the page to see screenshots of this plugin in action.

“Two Factor Authentication” (TFA) is a tried-and-tested way to secure your WordPress site from unwanted logins.

By default, WordPress is protected only by a password. Once somebody guesses your password, they have all access. “Two Factor” security is about adding a second factor. This plugin uses the most popular implementation of TFA: one-time codes that are shown on your phone/tablet/other device, but which do not require you to be connected to a network (i.e. you don’t need to be online/receiving SMSes, etc.).

Features:

• Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others).
• Displays graphical QR codes for easy scanning into apps on your phone/tablet
• TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers)
• TFA can be turned on or off by each user
• TFA can be made compulsory for chosen user roles (e.g. for all admins and editors), after a configurable time period to allow them to set it up (e.g. after 7 days)
• Supports front-end editing of settings – any layout you wish (using standard WordPress shortcodes)
• Site owners can allow “trusted devices” on which TFA codes are only asked for a chosen number of days (instead of every login); e.g. 30 days
• Includes native support for the built-in WordPress, WooCommerce, Theme My Login, Elementor, Affiliates-WP, CozmosLabs Profile Builder, Gravity Forms User Registration add-on, bbPress and WP Members login forms; also supports any login form at all via appending your TFA code to your password (e.g. works with login forms that don’t follow internal WP conventions)
• Optional anti-bot protection on WooCommerce login forms, hiding the existence of the form unless JavaScript is active.
• Does not mention or request second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled)
• Encrypt the TFA-generating secret keys using an on-disk encryption key, so that an attacker would need to break into both your WordPress database and your files in order to break TFA codes (as well as breaking a user’s password in order to use them).
• WP Multisite compatible (plugin should be network activated)
• Simplified user interface and code base for ease of use and performance
• Emergency codes for when you lose your phone/tablet
• Administrators can access other users’ codes, and turn them on/off when needed
• Translatable – we have a website where you can easily add translations into your own language, if you wish
• Alert users if someone appears to have found out their password, as indicated by successfully entering a password but repeatedly entering an incorrect TFA code.

All WordPress versions from 3.4 onwards, including the current release, are supported.