Feature #18032
2FA required on every log in/log out sequence
Description
I have to enter an OTP each time I log out and log back in, even on the same browser. Shouldn't I only be required to enter the OTP when the machine ID changes (using a different or upgraded browser)? Shouldn't the second factor only be used when the device is unrecognized?
Updated by Raymond Hoh about 2 years ago
- Tracker changed from Bug to Feature
- Category name set to Authentication
- Status changed from New to Hold
- Assignee set to Raymond Hoh
- Target version set to Future release
Hi Raffi,
The WordPress 2FA plugin that we currently use does not support remembering a trusted device yet. See https://github.com/WordPress/two-factor/issues/230.
Once this feature is available in the plugin, we can circle back to this.
Updated by Raffi Khatchadourian 2 months ago
This looks like a dead end here reading some of the latest discussions of https://github.com/WordPress/two-factor/issues/230. There's another plug-in I found, but the trusted devices feature isn't free: https://wordpress.org/plugins/wp-2fa/. I found another one here: https://wordpress.org/plugins/two-factor-authentication/, and it has trusted devices included. What do you think?
Updated by Raymond Hoh 2 months ago
The current 2FA plugin we use is developed by the WordPress.org community, which is one of the reasons why we chose it. The community will probably implement this feature in the future, but I guess this feature is not in their immediate roadmap.
If we were to go with another 2FA solution, we would have to ensure that all current 2FA user configurations can be migrated properly to the new one and also we would have to ensure that our custom frontend implementation will work as well. I'll relay this request to the team, but I think this isn't something we can immediately do.