2FA
2FA Implementation
The admin can select between the following as a global setting for the whole application
Username and password or phone and OTP
Username and password
Username and password and 2FA for all users (user can change this after 2FA)
Username and password and 2FA for all users (enforced)
Â
2FA can only be set by admin if a valid API_KEY has been set from before.
Â
Once 2FA is implemented then the API_KEY value can only be altered with another valid API_KEY.
The valid API_KEY which is taken from your http://sms.to account must not be deleted on your http://sms.to account, as long as it is used in your WP – SMS OTP Login plugin and 2FA is implemented.
To be able to remove the API_KEY from your WP – SMS OTP Login plugin, 2FA must be disabled by selecting other login types.
Â
It is a good practice for the Admin to verify admin mobile phone through the profile before he implements 2FA, despite the fact that the admin can bypass 2FA login even with an unverified phone or account being blocked.
The above arrangements are necessary in order to prevent the admin account not being able to login.
If by any accident the admin account is not able to login when 2FA has been implemented, this can be fixed by directly accessing DB.
For 2FA a user must not be blocked and must have a verified phone number
Blocked : Whether the user is blocked or not, Yes/No
Verified Phone : Whether the user phone is verified or not, Yes/No
This list is the default Users WP List that shows all users. Additionally it includes two more columns, Blocked and Verified.
A Blocked user can be set by the admin by clicking 'Block' link below user or by selecting rows and using 'Block' bulk action or from the users profile.
Additionally a user may be automatically blocked and logged out if fails to verify phone a predefined number of times. Only an admin can unblock a user.
A verified phone can be set by the admin by clicking 'Verify' link below user or by selecting rows and using 'Verify' bulk action or from the users profile.
Additionally a phone can be verified by the user or the admin from the profile screen. For new registrations this can be done during registration.
Â
Â
Registration Process
Users can register despite valid or invalid or empty OTP during registration - If invalid or empty OTP then phone is not verified, user is blocked so can not login using 2FA. Admin can set the phone to verified, unblock the user in order to allow 2FA login. Blocked users can still login if login type is just with username and password.
Woo Commerce Integration : Same registration principles apply when the Woo Commerce plugin is installed and activated.
Woo Commerce my-account page.
To enable set the following :
Woo Commerce -> Accounts and Privacy -> Account Creation -> Allow customers to create an account on the "My account" page.
Phone must be verified before registering.
2. Woo Commerce checkout page.
To enable set the following :
Woo Commerce -> Accounts and Privacy -> Account Creation -> Allow customers to create an account during checkout page.
Phone must be verified before placing the order.
Â
Login Process
Users can login in one of the following ways
Username and password ΟR phone and OTP
WP Admin | Woo Commerce My-Account |
---|---|
 |  |
 |  |
Â
Username and password (traditional way)
WP Admin | Woo Commerce My-Account |
---|---|
 |  |
Username and password and 2FA for all users (user can change this after 2FA)
WP Admin | Woo Commerce My-Account |
---|---|
 |  |
 |  |
User Profile
If 2FA is not enforced (3rd option) then user can change his login setting to lower security from the profile screen
WP Admin | Woo Commerce My-Account |
---|---|
 |  |
Username and password and 2FA for all users (enforced) - user has no option to change this
To use 2FA and any OTP login option users must not be blocked, and also must have a verified phone number. Login process is defined by settings like OTP validity value, Maximum number of OTP request, Maximum number of OTP request. The admin can block and unblock the user from a list (flag for unblock/block). Temporary block exists to avoid misuse of sending - Admin unblocks a temporarily blocked user by deleting related records from OTP actions. A permanently blocked user or with an unverified phone will get the message 'Please contact support' when try to login using 2FA.
Â
Verify Process
User can verify phone during registration. Existing user can verify the phone number from the profile. The user can change the unverified phone number to another unverified number subject to that this number does not belong to another user. If it belongs to another user then it will revert back to previous one. If the user changes a verified number to another without doing verification this will revert the old verified user phone number.
WP Admin | Woo Commerce My-Account |
---|---|
 |  |
 |  |
... and in case phone is already verified....
WP Admin | Woo Commerce My-Account |
---|---|
 |  |