Use TOTP token with display
Is your enhancement related to a problem? Please describe.
Hello, I would like to use 2FA with a hardware TOTP token. Is there a way to enter a predefined seed instead of having one generated?
Greetings Chris
Please confirm that you have searched existing issues in this repository.
Yes
> Is there a way to enter a predefined seed instead of having one generated?
No, that is not currently supported by the plugin.
Hardware tokens would normally use WebAuthn instead of TOTP, however, such as via #427 or https://wordpress.org/plugins/two-factor-provider-webauthn/
(Edit: Just noting, hardware keys which provide a TOTP seed do exist, and supporting it would technically be feasible; I'm unsure if the plugin would wish to support that, however.)
It seems that no other service provider currently allows you to specify the secret.
Technically, this would require some JS work to allow a user override for the generated secret that gets sent during the setup:
https://github.com/WordPress/two-factor/blob/6a95e7ffdebb2e0408b4ccb298e9df16d5b6998c/providers/class-two-factor-totp.php#L361
and we should also ensure that it doesn't contain invalid characters per:
https://github.com/WordPress/two-factor/blob/6a95e7ffdebb2e0408b4ccb298e9df16d5b6998c/providers/class-two-factor-totp.php#L456-L471
Practically, you can currently use the browser inspector to replace the value of the hidden two-factor-totp-key field and it will store that secret instead.
I recommend we don't implement this as the built-in functionality for this plugin.
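As an added example (not part of the thread and not the plugin's code), this Node.js sketch shows the check the comment above calls for: reject a user-supplied seed that contains non-Base32 characters, then derive the RFC 6238 code so it can be compared with the token's display before the secret is stored. All function names and the 16-byte minimum are assumptions made for this illustration.

```javascript
// Added example, not the plugin's code: validate a user-supplied Base32 TOTP seed.
const crypto = require('node:crypto');

const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'; // RFC 4648
const MIN_SECRET_BYTES = 16; // assumption: 128-bit floor from RFC 4226 (R6)

// Normalise typed input: drop spaces, dashes and trailing padding, then uppercase.
function normalizeSecret(input) {
  return String(input).replace(/[\s-]/g, '').replace(/=+$/, '').toUpperCase();
}

// Decode Base32 to bytes; throws on any character outside the alphabet.
function base32Decode(secret) {
  let bits = 0, value = 0;
  const out = [];
  for (const ch of secret) {
    const idx = BASE32_ALPHABET.indexOf(ch);
    if (idx === -1) throw new Error('invalid Base32 character');
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// Returns { ok, secret } or { ok: false, error }; rejected input is never echoed back.
function validateSecret(input) {
  const secret = normalizeSecret(input);
  try {
    if (base32Decode(secret).length < MIN_SECRET_BYTES) return { ok: false, error: 'secret too short' };
  } catch (e) {
    return { ok: false, error: e.message };
  }
  return { ok: true, secret };
}

// RFC 6238 TOTP with HMAC-SHA1, 30-second step and 6 digits (assumed token settings).
function totp(secret, unixSeconds, step = 30, digits = 6) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = crypto.createHmac('sha1', base32Decode(secret)).update(counter).digest();
  const offset = mac[19] & 0x0f; // dynamic truncation per RFC 4226
  const code = (mac.readUInt32BE(offset) & 0x7fffffff) % 10 ** digits;
  return String(code).padStart(digits, '0');
}
```

Requiring the user to enter the code currently shown on the token, and comparing it with `totp()` for the accepted secret, catches transcription errors and mismatched step or digit settings before the seed is saved.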