Title: Two Factor Auth
Author: oskarhane
Published: April 20, 2013
Last modified: July 29, 2014

---


![](https://ps.w.org/two-factor-auth/assets/banner-772x250.png?rev=700840)

This plugin **hasn’t been tested with the latest 3 major releases of WordPress**.
It may no longer be maintained or supported and may have compatibility issues when
used with more recent versions of WordPress.


# Two Factor Auth

By [oskarhane](https://profiles.wordpress.org/oskarhane/)

[Download](https://downloads.wordpress.org/plugin/two-factor-auth.4.4.zip)


## Description

Secure your WordPress login with this two factor auth plugin. Users will have to enter a One
Time Password when they log in.

#### Why You Need This

Users can have common or weak passwords that let hackers/bots brute-force your
WordPress site, gain access to your files and place malware there. Just like what
happened not that long ago: [Article on TechCrunch](http://techcrunch.com/2013/04/12/hackers-point-large-botnet-at-wordpress-sites-to-steal-admin-passwords-and-gain-server-access/)

If all sites had used this plugin, this would never have happened. It doesn’t
matter how weak your users’ passwords are: no one can gain access to your WordPress
site without already having access to the user’s mobile phone or email inbox (depending
on how the user receives the OTP).

#### How Does It Work?

This plugin uses the industry standard algorithms [TOTP](http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm)
or [HOTP](http://en.wikipedia.org/wiki/HMAC-based_One-time_Password_Algorithm) for
creating One Time Passwords. An OTP is valid for a certain time, after which a
new code has to be entered.

You can now choose to use third-party apps like [Google Authenticator](http://code.google.com/p/google-authenticator/),
which is available for most mobile platforms. You can use any third-party
app that supports TOTP/HOTP and generates 6-digit OTPs. Or, as before, you can
choose to get your One Time Passwords by email.

Since a third-party app requires entering a secret key, email is the default
way of delivering One Time Passwords. Your users have to activate delivery
by third-party app themselves.

#### Easy To Use

Just install this plugin and you’re all set. There’s really nothing more to it.

If you want to use a third-party app, go to Two Factor Auth in the admin menu,
activate it and set up your app. General settings can be found under Settings ->
Two Factor Auth in the admin menu. Settings for each individual user can be found at
the root level of the admin menu, in Two Factor Auth. A bit more work to get logged
in, but a whole lot more secure!

If you use WooCommerce or other plugins that provide custom login forms, you will not
be able to log in through those anymore. I will be adding a plugin that puts a One
Time Password field on WooCommerce. If you use some other plugin that needs support
for this, let me know in the support forum.

#### TOTP or HOTP

Which algorithm you and your users choose doesn’t really matter. The time-based
TOTP is a bit more secure since a One Time Password is valid only for a certain
amount of time. But this requires the server time to be in sync with the client’s time
(if the OTP isn’t delivered by email). This is often hard to do with embedded clients,
and the event-based HOTP is then a better choice. If you have a somewhat slow email
server and have chosen email delivery, you might not get the TOTP in time.

Conclusion: Choose whichever you want. TOTP is a little bit safer since OTPs are only
valid for a short period.

Note that email delivery users always use the site default algorithm, which you
can set on the settings page. Third-party app users can choose which one they
want.

#### Is this really Two Factor Auth?

Before version 3.0 this plugin had ‘kind of’ two factor auth where the OTP was delivered
to an email address. Since version 3.0 you can have real two factor auth if you
activate the Third Party Apps delivery type.

Read more about [what two factor auth means >>](http://oskarhane.com/two-factor-auth-explained/).

See http://oskarhane.com/plugin-two-factor-auth-for-wordpress/ for more info.

## Screenshots

 * The admin login page.
 * The admin login page when the username and password are entered and an OTP is
   asked for.
 * User settings page where they choose delivery type.
 * Admin settings page.

## Installation

Easy installation.

This plugin requires PHP version 5.3 or higher and support for [PHP mcrypt](http://www.php.net/manual/en/mcrypt.installation.php).

 1. Upload _two-factor-auth.zip_ through the ‘Plugins’ menu in WordPress
 2. Activate the plugin through the ‘Plugins’ menu in WordPress

or

 1. Search for ‘Two Factor Auth’ in the ‘Plugins’ menu in WordPress.
 2. Click the ‘Install’ button. (Make sure you pick the right one.)
 3. Activate the plugin through the ‘Plugins’ menu in WordPress

## FAQ

#### Can I have real Two Factor Auth?

Yes, since version 3.0 you can activate real Two Factor Auth by activating the third-party
apps option under “Two Factor Auth” in the admin menu. Don’t forget to set up
your app with the secret key.

#### Oops, I lost my phone. What to do?

Hopefully you saved the three Panic Codes when you activated third party apps. Use
one of them.

#### If I can’t reach my email account, can I bypass this plugin and log in anyway?

If you have Panic Codes, you can use them. Otherwise, no.

## Reviews


### [Does not work with the latest version of WordPress](https://wordpress.org/support/topic/does-not-work-with-the-latest-version-of-wordpress-1/)

[DaBoogieCrew](https://profiles.wordpress.org/daboogiecrew/), September 3, 2016, 1 reply

Moved my site to the new hosting, and it just locked me down. Half a day later I
turned on all the PHP warnings and saw that all over the place: `Warning: mcrypt_decrypt():
Key of size 0 not supported by this algorithm. Only keys of sizes 16, 24 or 32 supported
in /usr/share/nginx/html/blog/wp-content/plugins/two-factor-auth/class.TFA.php on
line 394`. Pretty messed up.


### [works just fine](https://wordpress.org/support/topic/works-just-fine-41/)

[Anonymous User 14595896](https://profiles.wordpress.org/anonymized-14595896/), September 3, 2016, 1 reply

This plugin works just fine and does exactly what it shall do. One recommendation
would be to provide a guide to the user on how to set up his YubiKey on the settings
screen. Do not use the forked version “two factor authentication” from the makers
of UpdraftPlus, as that version is crippled and they want to force you into buying
the premium version. Use this one instead, it works great.

 [ Read all 22 reviews ](https://wordpress.org/support/plugin/two-factor-auth/reviews/)

## Contributors & Developers

“Two Factor Auth” is open source software. The following people have contributed
to this plugin.

Contributors

 * [oskarhane](https://profiles.wordpress.org/oskarhane/)

[Translate “Two Factor Auth” into your language.](https://translate.wordpress.org/projects/wp-plugins/two-factor-auth)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/two-factor-auth/), 
check out the [SVN repository](https://plugins.svn.wordpress.org/two-factor-auth/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/two-factor-auth/)
by [RSS](https://plugins.trac.wordpress.org/log/two-factor-auth/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 4.4

 * Added Spanish translation, thanks to Andrew Kurtis at [WebHostingHub](http://www.webhostinghub.com)
   for that.
 * Added settings section to change the OTP email from address and name on admin
   settings page. Thanks to Denny Cherry at [Denny Cherry & Associates Consulting](http://www.dcac.co)
   for that.

#### 4.3.5

 * The TFA form is now inserted as the first element in the form, which enables
   submitting the form with the Return key in all browsers.
 * Updated “Tested up to” version to 3.9.1.

#### 4.3.4

 * Removed autocomplete on OTP field. Thanks to https://github.com/edent

#### 4.3.3

 * The last release introduced an email login bug that is fixed in this version.

#### 4.3.2

 * You can now enter an email address instead of a username to generate an OTP
   email.

#### 4.3.1

 * Successfully tested in WP 3.8

#### 4.3

 * All new layout on the login page. Now the OTP field and button won’t be shown
   until an activated user has entered their login details. Users who belong to
   non-activated groups will not see any difference from a regular login form.
 * Fixed an error where a PHP NOTICE was shown on the user settings page when WP_DEBUG
   was set to true. (Thanks Thomas van der Beek.)

#### 4.2.4

Just added “Tested up to” tag in readme since it works fine in WP 3.7. Next version
with some updates will come soon.

#### 4.2.3

 * Just updated the “Tested up to” tag in readme. It works fine.

#### 4.2.2

 * XMLRPC users are now able to post again. The setting for this is in Settings ->
   TFA.
 * Added a help text when the OTP button on the login page is clicked so people know
   that the OTP is coming to their email.

#### 4.2.1

 * The plugin now checks all login forms, not depending on form field names.

#### 4.2

 * Added support for HOTP!
 * If the HOTP counter is getting close to out of sync, the user is notified.
 * Fixed an unclosed `<strong>` on the admin settings page.
 * Email delivery users always use the site default algorithm.

#### 4.1.2

 * Added German translation (Thanks Michael Schwark)
 * Added Chilean Spanish translation (Thanks Michael Schwark)
 * Fixed css property bug on OTP button so it looks nice in all browsers.

#### 4.1.1

 * Fixed a bug where the button on the lost password page got disabled.

#### 4.1

 * Added language/localization support. Please send me your translation .po files.
 * get_users needs WP 3.1.0. Changing the requirements for the plugin.

#### 4.0.2

 * Added PHP 5.3 check at activation
 * Added mcrypt support check at activation
 * Removed namespace in the Base32 class for better PHP support.

#### 4.0.1

 * Made the button on the login page blue so it’s clearer that it’s a button.
 * Fixed some typos.

#### 4.0

 * All keys and panic codes are now encrypted in the database, as they should be.
 * Panic codes are now based on your key.
 * Users find their settings in root level of the admin menu.
 * Only user roles with TFA activated see the admin menu item.
 * Nicer/cleaner UI for users.
 * Upgrade script for older installations. Must be run manually by an admin right after
   the plugin update.
 * Refactored all code and made it class based.

#### 3.0.4

Fixed a bug where an OTP could be used twice.

#### 3.0.3

 * Added limitation to one login per time window (30 seconds).

#### 3.0.2

 * Fixed a bug where emails for some installations didn’t work. Thanks to Matías
   at [http://www.periodicoellatino.es](http://www.periodicoellatino.es) for the
   help.
 * Change to jQuery for making a POST request because of easier cross browser support.

#### 3.0.1

Fixed so users get alerted if they don’t enter a username before clicking the OTP
button on the login page.

#### 3.0

 * Added TOTP as the OTP generator. Compatible with Google Authenticator and other
   third party auth apps.
 * Added user settings page where they can activate usage of third party apps instead
   of email delivery of code.
 * Added OTP field to standard login form instead of a middle page.
 * Added Panic Codes which users can use if they lose their phone, change email
   etc.
 * Removed second login screen.
 * Updated admin settings page. Admins can now change user delivery of codes back
   to email if users lose their phone etc.

#### 2.1

 * Fixed warning message on admin settings page (thanks Joi)
 * Hooks into a filter now so other plugins like Better WP Security, Limit Login
   Attempts etc. get a chance to log a failed login
 * An error message is now displayed when the entered code was wrong
 * Code length is not fixed any more. It can be 5 or 6 characters. Removed some easily
   confused characters as well (1 and I).

#### 2.0

 * Admin settings menu where you can choose which user roles will have this
   activated. There will still be a second screen where the non-activated user roles
   enter their password, but the One Time Password field is hidden.

#### 1.1

 * Removed password field from regular login page and added it to the second page
   where the user now enters both the emailed code and the password.

#### 1.0

 * Initial release

## Meta

 * Version **4.4**
 * Last updated **12 years ago**
 * Active installations **10+**
 * WordPress version **3.1.0 or higher**
 * Tested up to **3.9.40**
 * Language: [English (US)](https://wordpress.org/plugins/two-factor-auth/)
 * Tags: [auth](https://bal.wordpress.org/plugins/tags/auth/), [authenticate](https://bal.wordpress.org/plugins/tags/authenticate/),
   [login](https://bal.wordpress.org/plugins/tags/login/), [security](https://bal.wordpress.org/plugins/tags/security/),
   [two factor auth](https://bal.wordpress.org/plugins/tags/two-factor-auth/)
 * [Advanced View](https://bal.wordpress.org/plugins/two-factor-auth/advanced/)

## Ratings

4.6 out of 5 stars.

 * [20 5-star reviews](https://wordpress.org/support/plugin/two-factor-auth/reviews/?filter=5)
 * [0 4-star reviews](https://wordpress.org/support/plugin/two-factor-auth/reviews/?filter=4)
 * [0 3-star reviews](https://wordpress.org/support/plugin/two-factor-auth/reviews/?filter=3)
 * [0 2-star reviews](https://wordpress.org/support/plugin/two-factor-auth/reviews/?filter=2)
 * [2 1-star reviews](https://wordpress.org/support/plugin/two-factor-auth/reviews/?filter=1)

[Add my review](https://wordpress.org/support/plugin/two-factor-auth/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/two-factor-auth/reviews/)
