Can the two-factor code be sent by email?

Our two-factor authentication plugin does not support sending codes by email, because doing so is not secure. WordPress already sends password reset links by email (via the link on the login form for people who have forgotten their password). An email account that receives both password reset links and two-factor codes can therefore both set the password and read the code, so the code is not truly a second factor: whoever controls the mailbox controls the login. This would be mitigated somewhat if the email account itself were protected by two-factor authentication through some other mechanism, but in that case a) users are already expected to use something other than email, so using something other than email should not be a problem for WordPress either, and b) that protection is outside the control of the WordPress site administrator, which would nullify the plugin's purpose of handing them this control.

Email delivery is also unreliable and often unencrypted, which makes it an unsuitable channel to rely upon for time-dependent functions (two-factor codes are time-limited) and for security-related functions in general.
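The argument above can be checked mechanically as a small threat model: list which assets an attacker can derive from assets already held, then ask whether any single compromised asset yields every factor the WordPress login requires. The code below is an added illustration, not part of the plugin; the asset names (email_password, email_inbox, authenticator_app and so on) are hypothetical labels.

```python
# Added example (not the plugin's code): formalises the FAQ's argument as a
# reachability check. A rule (needs, gains) means an attacker holding every
# asset in `needs` can obtain the asset `gains`. A login is broken by one
# asset when the closure from that asset alone covers every required factor.

def closure(held, rules):
    """Forward-chain over the rules until no new asset can be derived."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for needs, gains in rules:
            if needs <= held and gains not in held:
                held.add(gains)
                changed = True
    return held

def single_points_of_compromise(assets, rules, required):
    """Assets whose loss alone yields every factor in `required`."""
    return sorted(a for a in assets if required <= closure({a}, rules))

# Scenario A (what the FAQ warns about): reset links AND 2FA codes both go
# to a mailbox that is itself protected only by a password.
RULES_EMAIL_OTP = [
    ({"email_password"}, "email_inbox"),
    ({"email_inbox"}, "wp_password"),        # reset link arrives by email
    ({"email_inbox"}, "wp_second_factor"),   # 2FA code also arrives by email
]

# Scenario B: codes come from an authenticator app; email still carries
# reset links but cannot produce the second factor.
RULES_APP_OTP = [
    ({"email_password"}, "email_inbox"),
    ({"email_inbox"}, "wp_password"),
    ({"authenticator_app"}, "wp_second_factor"),
]

# Scenario C (the FAQ's partial mitigation): codes still go by email, but the
# mailbox itself needs a second factor the site administrator does not control.
RULES_EMAIL_2FA = [
    ({"email_password", "email_totp"}, "email_inbox"),
    ({"email_inbox"}, "wp_password"),
    ({"email_inbox"}, "wp_second_factor"),
]

ASSETS = {"email_password", "email_totp", "authenticator_app", "wp_password"}
WP_LOGIN = {"wp_password", "wp_second_factor"}   # factors needed to log in

if __name__ == "__main__":
    for name, rules in [("email OTP", RULES_EMAIL_OTP), ("app OTP", RULES_APP_OTP),
                        ("email OTP + mailbox 2FA", RULES_EMAIL_2FA)]:
        print(f"{name:24s}", single_points_of_compromise(ASSETS, rules, WP_LOGIN))
```

Only scenario A reports a single point of compromise (the email password); scenarios B and C report none, which matches the FAQ's reasoning, including its caveat that C depends on protection outside the administrator's control.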
