
OTP with Multisite may not work

Open javiercasares opened this issue 2 years ago • 1 comment

Is your enhancement related to a problem? Please describe.

In some cases, the OTP option won't work with WordPress Multisite.

OTP usually uses the hostname to create the value, and WP Multisite allows having multiple hostnames (subdomains or fully different domains), so if you create the access on one site, it doesn't work on the other.

As creating a different QR/config for each site is not a reality, maybe an option to disable the OTP option on Multisite may be the answer.

This also may not work with FIDO.

Email, for example, works fine.

Proposed Solution

On Multisite (or always), have an option for admins to allow/disallow some 2FA options.

In the case of a Multisite, explain that OTP/FIDO may not work.

Designs

No response

Describe alternatives you've considered

No response

Please confirm that you have searched existing issues in this repository.

Yes

javiercasares Jul 21 '23 04:07

OTP usually uses the hostname to create the value

Assuming you're referring to TOTP here, the hostname is included in the description, but is not used within the validation flow for it. The key is per-user, but not per-hostname.

dd32 Jul 24 '23 02:07

It should be only FIDO U2F which locks the secret to a hostname but that is being removed soon due to #423.

The TOTP secret is stored in user meta:

https://github.com/WordPress/two-factor/blob/88b503c0b3a8cede20a4dab24744917e49fbdb76/providers/class-two-factor-totp.php#L431-L433

which is a global table shared across all sites on the network. I'm personally using the same TOTP key on all my sites in a multisite.

kasparsd Apr 25 '24 11:04
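To make the point in the two replies above concrete (the hostname only appears in the otpauth label/issuer the authenticator app displays, while validation uses nothing but the shared secret and the current time step), here is a self-contained RFC 6238 TOTP implementation. This is an added example written for this thread, not code from the two-factor plugin; the hostnames, account name and the helper names (provisioning_uri, codes_for_hosts, verify_totp) are assumptions for illustration, and the secret is the RFC 6238 test-vector key, not a real user's key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Constructed sample: the RFC 6238 reference secret "12345678901234567890",
# base32-encoded. Not a real user's key.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def provisioning_uri(secret_b32, account, issuer):
    """Build the otpauth:// URI an authenticator app scans from the QR code.
    The issuer (here: the site hostname) is only a display label."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({
        "secret": secret_b32, "issuer": issuer,
        "algorithm": "SHA1", "digits": 6, "period": 30,
    })
    return f"otpauth://totp/{label}?{query}"


def secret_from_uri(uri):
    """The only field the validator needs back out of the URI is the secret."""
    return parse_qs(urlparse(uri).query)["secret"][0]


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, timestamp=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step.
    No hostname, URL or site ID enters the computation."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret_b32, int(timestamp // period), digits)


def verify_totp(secret_b32, code, timestamp=None, period=30, window=1):
    """Accept the current step or +/- `window` steps to tolerate clock drift.
    Constant-time comparison avoids leaking how many digits matched."""
    if timestamp is None:
        timestamp = time.time()
    step = int(timestamp // period)
    return any(
        hmac.compare_digest(hotp(secret_b32, step + delta), code)
        for delta in range(-window, window + 1)
    )


def codes_for_hosts(secret_b32, account, hosts, timestamp):
    """Enrol one per-user secret under several site hostnames (as a multisite
    network would) and compute each site's code at the same instant.
    Returns {host: code}; every value is identical because the host never
    reaches hotp()/totp()."""
    return {
        host: totp(secret_from_uri(provisioning_uri(secret_b32, account, host)), timestamp)
        for host in hosts
    }


if __name__ == "__main__":
    # Assumed hostnames for illustration.
    hosts = ["site-a.example", "site-b.example", "blog.site-a.example"]
    now = 59  # RFC 6238 test instant; replace with time.time() for a live code
    print(codes_for_hosts(RFC_SECRET_B32, "admin", hosts, now))
```

Because the secret lives in per-user metadata and the code depends only on that secret and the time step, a code generated for one site's QR label validates on every site of the network that reads the same user meta row; a separate enrolment per hostname would be redundant rather than required.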