WordPress/two-factor

Stars: 652

Forks: 152

Pull Requests: 309

Issues: 276

Watchers: 47

Last Updated: 2023-09-07 21:30:08

#wordpress-plugin #totp #2fa #authentication #wordpress

Two-Factor Authentication for WordPress.

License: GNU General Public License v2.0

Languages: PHP, JavaScript, CSS

https://wordpress.org/plugins/two-factor/

Two-Factor

Two-Factor plugin for WordPress. View on WordPress.org →

Usage

See the readme.txt for installation and usage instructions.

Contribute

Please report (non-security) issues and open pull requests on GitHub. See below for information on reporting potential security/privacy vulnerabilities.

Join the #core-passwords channel on WordPress Slack (sign up here).

To use the provided development environment, you'll first need to install and launch Docker. Once it's running, the next steps are:

$ git clone https://github.com/wordpress/two-factor.git
$ cd two-factor
$ composer install
$ npm install
$ npm run build
$ npm run env start

See package.json for other available scripts you might want to use during development, like linting and testing.

When you're ready, open a pull request with the suggested changes.

Testing

Running tests in Docker

Run npm run env start
Run npm run test or npm run test:watch.

Running tests locally

Create a MySQL database for the tests. Don't reuse an existing database, because all of the data will be deleted every time the tests are run.

Add the following to your ~/.bashrc, with the values for the database you created above:

export WORDPRESS_DB_NAME=wp_tests
export WORDPRESS_DB_USER=wp_tests
export WORDPRESS_DB_PASSWORD=wp_tests

source ~/.bashrc
Run composer run test or composer run test:watch.

To view the code coverage report, you can open a web browser, go to File > Open file..., and then select {path to two-factor}/tests/logs/html/index.html.

Deployments

Deployments to WP.org plugin repository are handled automatically by the GitHub action .github/workflows/deploy.yml. All merges to the master branch are commited to the trunk directory while all Git tags are pushed as versioned releases under the tags directory.

Known Issues

PHP codebase doesn't pass the WordPress coding standard checks, see #437.

Credits

Created by contributors and released under GPLv2 or later.

Security

Please privately report any potential security issues to the WordPress HackerOne program.

OPEN ISSUES

See all

Reduce/eliminate usage of `$_REQUEST` throughout the plugin by @stevegrunwell
TOTP: Switch to an internal QR Code provider. by @georgestephanis
TOTP: Ajaxy Goodness. by @georgestephanis
Email: Also email a 'Login Link' the user can just click. by @georgestephanis
Code Preparation: HTML 5 validation by @kraftbj
Pressing "Enter" instead of clicking the "Update Profile" button fails to enable the TOTP by @kasparsd
U2F Authentication with my own server by @niravzaveri
TOTP setup warning although not enabled by @ThomasLeister
Error Notices: adapt error message to selected 2FA method by @jeherve
Allow methods priorization / selection of fallback method by @adlerweb
Add GPG provider ? by @raed667
Activating multiple methods is confusing and can fail silently by @simonwheatley
UX: Focus the confirmation code field while configuring the TOTP method by @simonwheatley
Breaks bbPress profile editing by @kasparsd
Feature: Setting to Force 2F via email for administrators by @holzhannes
Add the possibility to activate/deactive features in front page dashboard for customers by @pwallner
Better U2F error messages by @My1
Vulnerability From Other Admin Accounts by @richardkentgates
UX - Ability to de-select 2FA Methods by @mdbitz
Allow admin to disable Time Based One-Time Password on user accounts by @mdbitz
Remember device by @PeopleInside
Choose the email address where send code by @PeopleInside
Support W3C Web Authentication by @jcjones
Add wp-cli support by @gurumark
Incompatible with a content-security-policy which does not allow script-src: unsafe-inline by @ragnarkarlsson
Fido U2F table displays even when user has not selected U2F method by @mikeselander
Error Reporting from Saving methods by @mikeselander
BuddyPress User Two Factor Options by @daniel181
Add plugin settings by @kasparsd
Enforce 2FA by @kasparsd
Add release and deployment instructions by @kasparsd
Use site_url() for the FIDO U2F AppId by @onliniak
Document redirect_url input parameter for custom login forms by @kasparsd
TypeError: setting getter-only property "u2f" by @kasparsd
Enhancement: automatically generate (and activate) backup codes by @axelsimon
Conflict with All-in-one security multisite by @AlanJIsaacson
Undefined index: hook_suffix by @kkmuffme
Link to Application Passwords by @kasparsd
Feature request - enable 2FA for all by @corelanc0d3r
Request: Retry button for U2F in case of an error by @My1
TOTP: Verification Should Remove Spaces by @alexclst
Add a workflow for reporting security issues by @kasparsd
Make the Two Factor settings portable to other settings screens by @kasparsd
Onboarding: checking both "enabled" and "primary" is confusing by @paulschreiber
Display the current server date and time when attempting to register OTP by @kasparsd
Fix Coveralls reporting by @kasparsd
Backup Codes (Improve 8 to 12 numbers) by @JohnPlanetary
Support SQRL and Threema (Suggestions) by @JohnPlanetary
Prevent other plugins from accidentally circumventing two factor authentication by @kkmuffme
Using auth_cookie filter instead of wp_login hook to start 2FA flow by @nathanrona
Renaming hardware security key doesn't work by @CompuRoot
Email notification turning & into HTML entity (&) by @nbwpuk
U2F support in the future versions of Chrome by @dziudek
Error 503 when authenticating too fast? by @etgocode
Two Factor no longer accessible in MemberPress by @cafestifflered
Deleting physical security key fails after renaming by @68kHeart
PHP doesn't pass the WordPress coding standards by @kasparsd
Clicking on "Register New Key" in Safari 15 shows endless loading in WordPress 5.9.3 by @S0ulf3re
Maybe add a filter hook for the TOTP QR code URL by @roytanck
Adding and readying security keys no longer works by @ishristov
Passwordless login | Login with emailed link by @jasperf
Add support for encrypting TOTP secrets by @jeffpaul
Add ability to re-encrypt secrets by @jeffpaul
Log or alert on failed 2FA codes by @jeffpaul
Bumping minimum WordPress and PHP versions supported by @jeffpaul
Link to vendor-agnostic page for buying a security key by @iandunn
Document code coverage report by @iandunn
Test coverage seems low by @iandunn
Notify user/admin when sensitive events occur by @iandunn
Throttle second factor attempts by @iandunn
Help folks choose which provider is right for them by @iandunn
Reauth 2nd factor to change 2FA settings by @iandunn
Encourage setting up a recovery factor by @iandunn
Clarify TOTP setup instructions by @iandunn
Assets URIs computed wrong if plugin is loaded from /vendor by @kadamwhite
Add e2e tests for critical paths by @iandunn
'Failed to create a login nonce' notification by @mikolajek
Question: How do I prevent the 2fa for work on staging sites? by @planetahuevo
Backup codes are saved before user intends by @iandunn
Warn if recovery mode available by @iandunn
FIDO U2F Security Keys not being enabled by @surao101
Make text spacing and buttons consistent between TOTP and Backup Code screens by @ironprogrammer
Tests should run against WordPress stable and WordPress trunk, and supported PHP versions by @dd32
Add error message for nonce check failures by @mboynes
Accessibility of layout table and QR image by @steverep
Repo/process updates by @jeffpaul
TOTP: After successful set up, JS should check the "Enabled" checkbox for the TOTP provider by @r-a-y
Revalidation: Prompted immediately after setting up 2FA by @dd32
Language support by @neppers3
503 Service Unavailable after inserting 2FA - works with several tries by @x2on
Last Login by @capstonedesign
OTP with Multisite may not work by @javiercasares

RELEASES

See all

Version 0.2.0 by @kasparsd
Version 0.3.0 by @kasparsd
Version 0.4.0 by @kasparsd
Version 0.4.1 by @kasparsd
Version 0.4.2 by @kasparsd
Version 0.4.3 by @kasparsd
Version 0.4.4 by @kasparsd
Version 0.4.5 by @kasparsd
Version 0.4.6 by @kasparsd
Version 0.4.7 by @kasparsd
Version 0.4.8 by @kasparsd
Version 0.5.0 by @kasparsd
Version 0.5.1 by @kasparsd
Version 0.5.2 by @kasparsd
Version 0.6.0 by @kasparsd
Version 0.7.0-rc.1 by @kasparsd
Version 0.7.0 by @kasparsd
Version 0.7.1 by @kasparsd
Version 0.7.3 by @kasparsd
Version 0.7.2 (Security Improvement) by @kasparsd
Version 0.8.2 by @iandunn
Version 0.8.1 by @iandunn
Version 0.8.0 by @kasparsd

WordPress/two-factor

octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true">Two-Factor

octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true">Usage

octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true">Contribute

octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true">Testing

octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true">Running tests in Docker

octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true">Running tests locally

octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true">Deployments

octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true">Known Issues

octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true">Credits

octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true">Security