by WordPress

WordPress/two-factor

Two-Factor Authentication for WordPress.

444 Stars 95 Forks Last release: 26 days ago (0.7.0) GNU General Public License v2.0 638 Commits 17 Releases



Enable Two-Factor Authentication using time-based one-time passwords (OTP, Google Authenticator), Universal 2nd Factor (FIDO U2F, YubiKey), email and backup verification codes.

Contributors: georgestephanis, valendesigns, stevenkword, extendwings, sgrant, aaroncampbell, johnbillion, stevegrunwell, netweb, kasparsd, alihusnainarshad, passoniate
Tags: two factor, two step, authentication, login, totp, fido u2f, u2f, email, backup codes, 2fa, yubikey
Requires at least: 4.3
Tested up to: 5.5
Stable tag: trunk (master)
Requires PHP: 5.6



Use the "Two-Factor Options" section under "Users" → "Your Profile" to enable and configure one or multiple two-factor authentication providers for your account:

  • Email codes
  • Time Based One-Time Passwords (TOTP)
  • FIDO Universal 2nd Factor (U2F)
  • Backup Codes
  • Dummy Method (only for testing purposes)

For more history, see this post.

Actions & Filters

Here is a list of action and filter hooks provided by the plugin:

  • two_factor_providers
    filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP class names of the two-factor providers.
  • two_factor_enabled_providers_for_user
    filter overrides the list of two-factor providers enabled for a user. The first argument is an array with the enabled provider class names as values; the second argument is the user ID.
  • two_factor_user_authenticated
    action which receives the logged-in object as the first argument, for determining the logged-in user right after the authentication workflow.
  • two_factor_token_ttl
    filter overrides the time interval in seconds that an email token is considered valid after generation. Accepts the time in seconds as the first argument and the ID of the object being authenticated.
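
As an added example (not part of the plugin's own code), a must-use plugin could combine these hooks to keep the testing-only Dummy Method off a production site, cap the email token lifetime, and log completed second-factor logins. The class name `Two_Factor_Dummy`, the 300-second cap, the `example_` names and the log format are assumptions that do not appear on this page.

```php
<?php
/**
 * Plugin Name: Two-Factor hardening (added example, not part of the Two-Factor plugin)
 */

// Assumption: class name of the "Dummy Method" provider; not stated on this page.
const EXAMPLE_BLOCKED_PROVIDER = 'Two_Factor_Dummy';
// Assumption: site policy caps the email token lifetime at five minutes.
const EXAMPLE_MAX_TOKEN_TTL = 300;

/**
 * Drop the blocked provider whether its class name is stored as the
 * array key or as the array value.
 */
function example_strip_blocked_provider( $providers ) {
	foreach ( (array) $providers as $key => $value ) {
		if ( EXAMPLE_BLOCKED_PROVIDER === $key || EXAMPLE_BLOCKED_PROVIDER === $value ) {
			unset( $providers[ $key ] );
		}
	}
	return $providers;
}

// The testing-only provider can neither be offered nor stay enabled for a user.
add_filter( 'two_factor_providers', 'example_strip_blocked_provider' );
add_filter( 'two_factor_enabled_providers_for_user', 'example_strip_blocked_provider' );

// Run last so the cap holds even if another filter raised the TTL.
add_filter(
	'two_factor_token_ttl',
	function ( $ttl, $user_id ) {
		return min( (int) $ttl, EXAMPLE_MAX_TOKEN_TTL );
	},
	PHP_INT_MAX,
	2
);

// Record every completed second-factor login for the audit trail.
add_action(
	'two_factor_user_authenticated',
	function ( $user ) {
		if ( $user instanceof WP_User ) {
			$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
			// Only the numeric ID is logged, so user-controlled text never reaches the log line.
			error_log( sprintf( '[two-factor] 2FA completed: user_id=%d ip=%s', $user->ID, $ip ) );
		}
	}
);
```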


Two-factor options under User Profile.


U2F Security Keys section under User Profile.


Email Code Authentication during WordPress Login.


Get Involved

Development happens on GitHub. Join the channel on WordPress Slack (sign up here).

Here is how to get started:

$ git clone
$ npm install

Then open a pull request with the suggested changes.


See the release history.
