{"id":279007,"date":"2026-02-17T08:47:06","date_gmt":"2026-02-17T08:47:06","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/flavor-2fa\/"},"modified":"2026-02-17T08:46:58","modified_gmt":"2026-02-17T08:46:58","slug":"flavor-2fa","status":"publish","type":"plugin","link":"https:\/\/bal.wordpress.org\/plugins\/flavor-2fa\/","author":6345640,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.0.0","stable_tag":"1.0.0","tested":"6.9.4","requires":"5.0","requires_php":"8.0","requires_plugins":null,"header_name":"Flavor 2FA","header_author":"Aris Kuckovic","header_description":"Lightweight two-factor authentication that just works. Protect your WordPress site with authenticator apps (Google Authenticator, Authy, 1Password) or email verification codes. Simple setup, powerful security.","assets_banners_color":"5956eb","last_updated":"2026-02-17 08:46:58","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/branchout.dk\/","header_author_uri":"","rating":0,"author_block_rating":0,"active_installs":0,"downloads":154,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"Kuckovic","date":"2026-02-17 08:46:58"}},"upgrade_notice":{"1.0.0":"<p>Initial release of Flavor 2FA. Protect your WordPress site with two-factor authentication.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3463223,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3463223,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3463223,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3463223,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Clean verification screen matching WordPress login styling","2":"Easy 3-step setup process with QR code","3":"Recovery codes for emergency access","4":"Admin settings page","5":"User management with 2FA status"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[9211,602,600,9225,1909],"plugin_category":[38,54],"plugin_contributors":[130901],"plugin_business_model":[],"class_list":["post-279007","plugin","type-plugin","status-publish","hentry","plugin_tags-2fa","plugin_tags-login","plugin_tags-security","plugin_tags-totp","plugin_tags-two-factor-authentication","plugin_category-authentication","plugin_category-security-and-spam-protection","plugin_contributors-kuckovic","plugin_committers-kuckovic"],"banners":{"banner":"https:\/\/ps.w.org\/flavor-2fa\/assets\/banner-772x250.png?rev=3463223","banner_2x":"https:\/\/ps.w.org\/flavor-2fa\/assets\/banner-1544x500.png?rev=3463223","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/flavor-2fa\/assets\/icon-128x128.png?rev=3463223","icon_2x":"https:\/\/ps.w.org\/flavor-2fa\/assets\/icon-256x256.png?rev=3463223","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p><strong>Flavor 2FA<\/strong> adds powerful two-factor authentication to your WordPress site without the complexity. No bloat, no confusing settings \u2013 just solid security that protects your site from unauthorized access.<\/p>\n\n<h4>Why Flavor 2FA?<\/h4>\n\n<ul>\n<li><strong>Zero configuration needed<\/strong> \u2013 Works out of the box<\/li>\n<li><strong>Native WordPress styling<\/strong> \u2013 Feels like part of WordPress<\/li>\n<li><strong>Two verification methods<\/strong> \u2013 Authenticator apps (Google Authenticator, Authy, 1Password) or email codes<\/li>\n<li><strong>User-friendly setup<\/strong> \u2013 Guided 3-step process with QR code scanning<\/li>\n<li><strong>Complete admin control<\/strong> \u2013 Force 2FA, reset users, manage lockouts<\/li>\n<\/ul>\n\n<h4>Features<\/h4>\n\n<p><strong>For Users:<\/strong>\n* Choose between authenticator app or email verification\n* 10 recovery codes for emergency access\n* \"Trust this device\" option to skip 2FA on personal devices\n* Simple, clean verification screens<\/p>\n\n<p><strong>For Admins:<\/strong>\n* Require 2FA for specific user roles\n* Grace period for new users\n* Force immediate 2FA setup on next login\n* Lockout protection against brute force attacks\n* Reset 2FA or unlock accounts with one click\n* See 2FA status for all users at a glance<\/p>\n\n<h4>Perfect For<\/h4>\n\n<ul>\n<li>Agencies managing client sites<\/li>\n<li>WooCommerce stores handling sensitive data<\/li>\n<li>Membership sites with user accounts<\/li>\n<li>Any WordPress site that needs extra security<\/li>\n<\/ul>\n\n<h3>External services<\/h3>\n\n<p>This plugin uses a third-party service to generate QR codes during the TOTP authenticator app setup process.<\/p>\n\n<h4>QR Server API<\/h4>\n\n<p>When a user chooses the \"Authenticator App\" method during 2FA setup, the plugin generates a QR code image via the QR Server API. This QR code contains the TOTP secret URI (which includes the site name, user email, and secret key) so the user can scan it with their authenticator app.<\/p>\n\n<ul>\n<li><strong>What data is sent:<\/strong> A TOTP provisioning URI containing the site name, user email address, and a generated secret key.<\/li>\n<li><strong>When it is sent:<\/strong> Only once, when a user sets up TOTP-based two-factor authentication. No data is sent during normal login verification.<\/li>\n<li><strong>Service provider:<\/strong> goQR.me \/ QR Server<\/li>\n<li><strong>Service URL:<\/strong> <a href=\"https:\/\/goqr.me\/api\/\">https:\/\/goqr.me\/api\/<\/a><\/li>\n<li><strong>Terms of service:<\/strong> <a href=\"https:\/\/goqr.me\/api\/doc\/\">https:\/\/goqr.me\/api\/doc\/<\/a><\/li>\n<li><strong>Privacy policy:<\/strong> <a href=\"https:\/\/goqr.me\/privacy-policy\/\">https:\/\/goqr.me\/privacy-policy\/<\/a><\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload <code>flavor-2fa<\/code> to <code>\/wp-content\/plugins\/<\/code><\/li>\n<li>Activate through 'Plugins' menu<\/li>\n<li>Go to <strong>Settings \u2192 Flavor 2FA<\/strong><\/li>\n<li>Select which user roles require 2FA<\/li>\n<li>Done! Users will be prompted to set up 2FA on their next login<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"which%20authenticator%20apps%20are%20supported%3F\"><h3>Which authenticator apps are supported?<\/h3><\/dt>\n<dd><p>Any TOTP-compatible app works: Google Authenticator, Authy, 1Password, Microsoft Authenticator, LastPass Authenticator, and more.<\/p><\/dd>\n<dt id=\"what%20if%20a%20user%20loses%20their%20phone%3F\"><h3>What if a user loses their phone?<\/h3><\/dt>\n<dd><p>Users receive 10 one-time recovery codes during setup. If those are also lost, an admin can reset their 2FA from the Users page or plugin settings.<\/p><\/dd>\n<dt id=\"can%20i%20require%202fa%20only%20for%20administrators%3F\"><h3>Can I require 2FA only for administrators?<\/h3><\/dt>\n<dd><p>Yes! You can choose exactly which user roles must enable 2FA. Common setups include requiring it for Administrators and Editors while leaving it optional for Subscribers.<\/p><\/dd>\n<dt id=\"is%20there%20a%20grace%20period%20for%20new%20users%3F\"><h3>Is there a grace period for new users?<\/h3><\/dt>\n<dd><p>Yes, configurable from 0-365 days. New users won't be forced to set up 2FA until the grace period expires.<\/p><\/dd>\n<dt id=\"what%20happens%20when%202fa%20is%20deactivated%3F\"><h3>What happens when 2FA is deactivated?<\/h3><\/dt>\n<dd><p>All plugin data is automatically cleaned up, including user secrets and recovery codes. Nothing is left behind.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<\/ul>","raw_excerpt":"Lightweight two-factor authentication that just works. Protect your WordPress site with authenticator apps or email codes in under 2 minutes.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/279007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=279007"}],"author":[{"embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/kuckovic"}],"wp:attachment":[{"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=279007"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=279007"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=279007"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=279007"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=279007"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/bal.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=279007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}