-
Notifications
You must be signed in to change notification settings - Fork 158
Home
Two-Factor Authentication is a critical security tool that has been heretofore sadly lacking from WordPress Core.
Some plugins have begun providing it, but all with different methods and an inconsistent UI.
This project is an opinionated attempt to provide a framework and some default providers that could foreseeably be merged into WordPress Core. Here are some of the points we're (tentatively) embracing.
By 'Two-Step' Two-Factor, we're claiming several design decisions:
- No changes to the initial login screen. (e.g. a third text input added)
- As we are not displaying the
Username
,Password
, andTwo-Factor Code
prompt on the same initial login form, it is displayed as two sequential steps. This has several benefits -- including letting two-factor use be a user-contextual. - Because of this, it is each user's prerogative whether to use two-factor authentication in wordpress or not.
- It also means that each user can use different two-factor authentication methods, such as being sent a code (email, txt), or generating a cryptographic code (TOTP, U2F), or some other method we've not considered yet, that can simply provide its own method.
As we are letting users require a second form of authentication that can only be performed with an interactive login prompt, we must include an Application Password system that users can utilize for non-interactive prompts, such as XML-RPC.
The Application Password system is already built out structurally and has been merged into master. It could probably use some UI love and ajaxyness for generating the passwords and maybe some documentation. User Testing is probably in order.