two-factor
Two-Factor Authentication for WordPress.
Some things can't be tested well with PHPUnit (like #490), so it could be helpful to have some e2e tests. I don't think they need to be comprehensive, but it'd...
Some basic a11y improvements are needed: 1. The QR code image has no alt text 2. The section heading "Two-Factor Options" should be an `` 3. Please get rid of...
When a nonce check fails, the user is [quietly redirected to the site's homepage](https://github.com/WordPress/two-factor/blob/5d727214182844da9df646bae5dcdaa9f9a600e3/class-two-factor-core.php#L1069-L1072). I encountered this situation with a shared account used by a development team, which I recognize...
This is a rough sketch of a potential way to provide details on 2FA events, so that they can be logged (#459), emailed (#476), added to Stream (https://github.com/xwp/stream/issues/1386), etc. This...
This is a proof of concept and a follow-up for #427. The transformation is happening in `includes/WebAuthn/class-webauthn-key-migrator.php`. The PHP is mainly gathered together from `sjinks/wp-two-factor-provider-webauthn` and `madwizard-org/webauthn-server`. Apart from reviewing,...
I ran an Xdebug report locally and the overall coverage was `34%` before #427, and `23%` after. I'm not a coverage zealot, and don't think `100%` is reasonable, but...
Many folks aren't familiar w/ 2FA and it's not intuitive to them, so they might struggle to pick a provider that fits their threat model. It could help to add...
Currently, clicking the `Generate verification codes` button will generate codes _and_ save them to usermeta. I think most users will only expect the codes to be saved if they click...
It's a [known issue](https://core.trac.wordpress.org/ticket/46130) that attackers can bypass security plugins by triggering [recovery mode](https://make.wordpress.org/core/2019/04/16/fatal-error-recovery-mode-in-5-2/). Core mitigates that as best it can, but it's still a possibility. There isn't a way...
I think the current instructions will confuse many folks who are new to TOTP or 2FA in general. They assume that folks...