Two factor authentication plugin – FAQs

Two Factor Authentication

What are the shortcodes available in the two factor authentication plugin?

The following short-codes are available:

twofactor_user_settings : This short-code displays the whole user configuration. Use it to let your users view and change their TFA settings. Alternatively, to lay out the page yourself, you can use the individual short-codes listed below:

twofactor_user_settings_enabled : Display the option to turn TFA on or off.

twofactor_user_qrcode : Display the user’s QR code for scanning.

twofactor_user_emergencycodes : Display the user’s emergency codes.

twofactor_user_advancedsettings : Display the user’s advanced settings (e.g. selecting TOTP or HOTP).

twofactor_user_privatekeys : Display the user’s private keys. Use the ‘type’ parameter, with values ‘full’ (default), ‘plain’, ‘base32’ or ‘base64’ to control exactly what is displayed.

twofactor_user_privatekeys_reset : Display a link for the user to reset (change) their private key.

twofactor_user_currentcode : Display the current TFA code.

twofactor_user_presstorefresh : Wrap this shortcode around any HTML that you want to cause the current TFA code (displayed by the twofactor_user_currentcode shortcode) to refresh when clicked. That is, use both an opening and a closing shortcode tag; whatever you put between them will trigger an update when the user clicks on it. Example:

Example short-code usage

twofactor_conditional : Wrap this shortcode around any content that you wish to be displayed only if the condition is met. The condition is specified by the “onlyif” parameter, with valid values: active, inactive, available, unavailable. The content is shown or hidden depending on whether the user has TFA available (i.e. the administrator has allowed it for their user level) or has activated it. You can use this, for example, to display notices suggesting that your users activate TFA, or to remind them that it is available.

Here are a couple of screenshots of examples of using these shortcodes. In the first, the site owner is using the WordPress page editor to design his own TFA-setup page for users, using short-codes:

Designing your own page for users, using short-codes

The second is an example of the twofactor_conditional shortcode. Make sure that nothing is caching a page it is used on: the output depends on which user is logged in, so a cached copy would show one user's TFA state to everyone.

Conditional shortcode example

What is two factor authentication?

Basically, it’s about securing your logins, so that there’s more than one link in the chain that needs to be broken before an unwanted intruder can get into your website.

By default, your WordPress accounts are protected by only one thing: your password. If that’s broken, then everything’s wide open.

“Two factor” means adding a second requirement. Usually, this is a code that is generated by, or sent to, a device you own (e.g. phone, tablet) – so, someone can’t get into your website without also getting hold of your device. You can get a longer answer from Wikipedia.

Sometimes it is also called multi-factor authentication instead of two-factor – because someone could secure their systems with as many factors as they like.

How does two factor authentication work?

Since “two factor authentication” just means “a second something is necessary to get in”, this answer depends upon the particular set-up. In the most common case, a numeric code is shown on your phone, tablet or other device. The code can be sent via SMS, but that depends on the mobile phone network working. This plugin does not use that method. Instead, it uses a standard mathematical algorithm to generate codes that are each valid only once, or only for 30 seconds (depending on which algorithm you choose). Once your phone or tablet has been set up (often by just scanning a bar-code off the screen), it shares a secret key with your website and can compute the codes itself, with no network connection needed.

What do I need to set up on my phone/tablet (etc.) in order to generate the codes?

This depends on your particular make of phone, and your preferences. Google have produced a popular app called “Google Authenticator”, which is a preferred option for many people because it is easy to use and can be set up via just scanning a bar code off your screen – follow this link, and ignore the first paragraph that is talking about 2FA on your Google account (rather than being relevant to this plugin).

What if I do not have a phone or tablet?

Many and various devices and programs can generate the codes. One option is an add-on for your web browser; for example, here are some apps and add-ons for Google Chrome. Wikipedia lists various programs for different computers.

I lost my device that has pass-codes – or, they don’t work. What to do?

If your pass-code used to work, but no longer does, then check that the time on the device that generates them is accurate. TOTP codes are derived from the current time, so a device clock that is more than a minute or so out will produce codes that the website rejects.

If you cannot get in and need to disable two-factor authentication, then add this to your wp-config.php file, using FTP or the file manager in your hosting control panel:

define('TWO_FACTOR_DISABLE', true);

Add it next to where any other line beginning with “define” is.

Alternatively, if you have FTP or cPanel access to your web hosting space, you can de-activate the plugin; see this article: https://updraftplus.com/understanding-wordpress-installs-plugins/

What are HOTP and TOTP?

These are the names of the two mathematical algorithms that are used to create the special codes. They are industry-standard algorithms, devised by expert cryptographers, and published as RFC 4226 (HOTP) and RFC 6238 (TOTP). HOTP is less popular, but the device that generates the codes does not need to know the correct time (instead, the codes are generated in a precise sequence from a counter). TOTP is much more popular, and generates codes that are only valid for 30 seconds (so your device needs to know the time). I’d recommend TOTP, as HOTP can be annoying if something causes the sequences to get out of sync.

How can I trigger an action when the user saves their TFA settings on the front-end?

For this, you need version 1.2.35 or later of the plugin.

When settings are successfully saved, the plugin triggers a jQuery event upon the document:

jQuery(document).trigger('tfa_settings_saved', resp);

So, you just need to add some JavaScript to your site (e.g. using one of the popular plugins for doing this, or using your own hand-coding) to hook that event.

For example, to reload the page after the settings are saved:

jQuery(document).on('tfa_settings_saved', function(event, resp) {
// 'resp' is the server's response, passed as the second argument to trigger()
location.reload(true);
});