Two-Factor Authentication Plugins
OneTap Login detects 6 major two-factor authentication (2FA) plugins and gracefully handles scenarios where additional verification is required after Google sign-in.
Why 2FA Detection Matters
The Challenge
When a user has 2FA enabled on the site:
- User signs in with Google ✅
- Google has verified the account ✅
- The site's own 2FA prompt is still required ❓
- If the social login simply created the WordPress session at this point, the site's second factor would be silently bypassed
OneTap's Approach
Google sign-in successful
↓
Check if user has 2FA enabled
↓
Yes → Redirect to 2FA prompt
↓
No → Login complete
Supported 2FA Plugins
OneTap Login detects these 6 two-factor authentication plugins:
1. Two Factor (WordPress.org Official)
Plugin: Two Factor
Detection: Two_Factor_Core class
Methods Supported:
- TOTP (Time-based OTP apps)
- FIDO U2F Security Keys
- Email codes
- Backup codes
Integration:
// OneTap checks for:
if (class_exists('Two_Factor_Core')) {
$is_enabled = Two_Factor_Core::is_user_using_two_factor($user_id);
}
Behavior: Redirects to 2FA prompt after Google auth.
2. Wordfence Two-Factor Authentication
Plugin: Wordfence Security
Detection: wordfence_ls functions or wfTwoFactorAuth class
Methods Supported:
- TOTP authenticator apps
- Phone sign-in (Wordfence Login Security)
Integration:
// OneTap checks for:
if (class_exists('wfTwoFactorAuth')) {
$is_enabled = wfTwoFactorAuth::hasUser2FA($user_id);
}
Note: Part of Wordfence Security suite.
3. WP 2FA
Plugin: WP 2FA
Detection: WP2FA class
Methods Supported:
- TOTP apps (Google Authenticator, Authy, etc.)
- Email OTP
- Backup codes
- Push notifications (premium)
Integration:
// OneTap checks for:
if (class_exists('WP2FA\\WP2FA')) {
$settings = WP2FA\WP2FA::get_2fa_settings($user_id);
$is_enabled = !empty($settings['enabled_methods']);
}
4. iThemes Security (Solid Security)
Plugin: Solid Security (formerly iThemes Security)
Detection: ITSEC_Two_Factor class
Methods Supported:
- TOTP apps
- Email codes
- Backup codes
Integration:
// OneTap checks for:
if (class_exists('ITSEC_Two_Factor')) {
$is_enabled = ITSEC_Two_Factor::is_user_using_two_factor($user_id);
}
5. Google Authenticator
Plugin: Google Authenticator
Detection: GoogleAuthenticator class
Methods Supported:
- TOTP only (Google Authenticator app)
Integration:
// OneTap checks for:
if (class_exists('GoogleAuthenticator')) {
$secret = get_user_meta($user_id, 'googleauthenticator_secret', true);
$is_enabled = !empty($secret);
}
6. miniOrange 2FA
Plugin: miniOrange Two Factor Authentication
Detection: Miniorange_Authentication class
Methods Supported:
- TOTP apps
- Push notification
- SMS OTP
- Email OTP
- Security questions
- Hardware tokens
Integration:
// OneTap checks for:
if (class_exists('Miniorange_Authentication')) {
$is_enabled = MO2f_Utility::check_if_2fa_enabled_for_user($user_id);
}
How Detection Works
Check Order
1. User authenticated via Google
2. Get WordPress user object
3. Loop through 2FA plugin detectors:
a. Two Factor plugin
b. Wordfence 2FA
c. WP 2FA
d. iThemes Security
e. Google Authenticator
f. miniOrange 2FA
4. If any returns "2FA enabled":
→ Set flag for 2FA redirect
5. If none enabled:
→ Complete login
Detection Code
// Simplified detection logic
function user_has_2fa($user_id) {
// Two Factor plugin
if (class_exists('Two_Factor_Core')) {
if (Two_Factor_Core::is_user_using_two_factor($user_id)) {
return true;
}
}
// Wordfence
if (class_exists('wfTwoFactorAuth')) {
if (wfTwoFactorAuth::hasUser2FA($user_id)) {
return true;
}
}
// ... more checks
return false;
}
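The check order above written out as an added example (this is not OneTap's own code). Besides returning true/false, it reports which plugin matched and, for the "Google Auth Bypasses 2FA" case in Troubleshooting, distinguishes "no 2FA" from "a 2FA plugin is active but its detection API is not callable". The plugin class and method names are the ones listed on this page and are assumed to match the installed plugin versions; the onetap_example_ functions, the WP-CLI command name and the role list are ours. The audit function at the end supports the "Require 2FA for all admins" and "Test login flow after setup" advice on this page.

```php
<?php
/**
 * Added example, not OneTap's own code. Detectors run in the page's
 * priority order; the first that returns true wins. A detector whose
 * plugin class exists but whose check is not callable is reported as
 * "unverifiable" instead of being treated as "no 2FA".
 */

/** Detectors in priority order. 'check' gets a user ID and returns bool, or null if the API is missing. */
function onetap_example_2fa_detectors() {
    return array(
        'Two Factor' => array(
            'class' => 'Two_Factor_Core',
            'check' => array( 'Two_Factor_Core', 'is_user_using_two_factor' ),
        ),
        'Wordfence' => array(
            'class' => 'wfTwoFactorAuth',
            'check' => array( 'wfTwoFactorAuth', 'hasUser2FA' ),
        ),
        'WP 2FA' => array(
            'class' => 'WP2FA\\WP2FA',
            'check' => function ( $user_id ) {
                if ( ! is_callable( array( 'WP2FA\\WP2FA', 'get_2fa_settings' ) ) ) {
                    return null; // plugin active, expected API missing
                }
                $settings = call_user_func( array( 'WP2FA\\WP2FA', 'get_2fa_settings' ), $user_id );
                return ! empty( $settings['enabled_methods'] );
            },
        ),
        'Solid Security' => array(
            'class' => 'ITSEC_Two_Factor',
            'check' => array( 'ITSEC_Two_Factor', 'is_user_using_two_factor' ),
        ),
        'Google Authenticator' => array(
            'class' => 'GoogleAuthenticator',
            'check' => function ( $user_id ) {
                // Meta key as given on this page (assumed); a stored secret means TOTP is set up.
                return '' !== (string) get_user_meta( $user_id, 'googleauthenticator_secret', true );
            },
        ),
        'miniOrange' => array(
            'class' => 'Miniorange_Authentication',
            'check' => array( 'MO2f_Utility', 'check_if_2fa_enabled_for_user' ),
        ),
    );
}

/** Returns ['enabled' => bool, 'plugin' => ?string, 'unverifiable' => string[]]. */
function onetap_example_detect_2fa( $user_id ) {
    $result = array( 'enabled' => false, 'plugin' => null, 'unverifiable' => array() );
    foreach ( onetap_example_2fa_detectors() as $name => $d ) {
        if ( ! class_exists( $d['class'] ) ) {
            continue; // plugin not installed or not active
        }
        $enabled = is_callable( $d['check'] ) ? call_user_func( $d['check'], $user_id ) : null;
        if ( null === $enabled ) {
            $result['unverifiable'][] = $name; // detection API changed; do not assume "no 2FA"
            continue;
        }
        if ( $enabled ) {
            $result['enabled'] = true;
            $result['plugin']  = $name; // the name OneTap passes as $plugin_name to its hooks
            break; // first match in priority order wins
        }
    }
    // Same extension point as the onetap_user_has_2fa filter documented on this page.
    $result['enabled'] = (bool) apply_filters( 'onetap_user_has_2fa', $result['enabled'], $user_id );
    return $result;
}

/** Post-sign-in decision. Fails closed for privileged users when 2FA state cannot be verified. */
function onetap_example_post_google_decision( $user_id ) {
    $r = onetap_example_detect_2fa( $user_id );
    if ( $r['enabled'] ) {
        return array( 'action' => 'redirect_to_2fa', 'plugin' => $r['plugin'] );
    }
    if ( $r['unverifiable'] && user_can( $user_id, 'manage_options' ) ) {
        return array( 'action' => 'deny', 'reason' => 'unverifiable 2FA state: ' . implode( ', ', $r['unverifiable'] ) );
    }
    return array( 'action' => 'complete' );
}

/** Audit: privileged users (role list is ours) for whom no 2FA is detected. */
function onetap_example_audit_privileged( $roles = array( 'administrator', 'editor', 'shop_manager' ) ) {
    $missing = array();
    $users   = get_users( array( 'role__in' => $roles, 'fields' => array( 'ID', 'user_login' ) ) );
    foreach ( $users as $u ) {
        $r = onetap_example_detect_2fa( $u->ID );
        if ( ! $r['enabled'] ) {
            $missing[ $u->user_login ] = $r['unverifiable']
                ? 'unverifiable: ' . implode( ', ', $r['unverifiable'] )
                : 'no 2FA';
        }
    }
    return $missing;
}

// Optional WP-CLI entry point (command name is ours): wp onetap-example audit
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'onetap-example audit', function () {
        $missing = onetap_example_audit_privileged();
        foreach ( $missing as $login => $why ) {
            WP_CLI::warning( "{$login}: {$why}" );
        }
        WP_CLI::success( count( $missing ) . ' privileged user(s) without detected 2FA' );
    } );
}
```

The fail-closed branch is the point of the example: a 2FA plugin that renames an internal method would otherwise turn Google sign-in into a silent bypass of the second factor. Denying Google sign-in for administrators in that state still leaves them the normal password login, which the 2FA plugin intercepts on its own, and the audit command makes the "plugin updated, detection broke" case visible before an attacker finds it.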
User Flow
Without 2FA
User clicks Google sign-in
↓
Google authentication
↓
WordPress user logged in
↓
Redirect to destination
With 2FA
User clicks Google sign-in
↓
Google authentication
↓
2FA plugin detected
↓
Redirect to 2FA prompt
↓
User enters code
↓
WordPress user logged in
↓
Redirect to destination
Visual Flow
┌────────────────────────────────────────┐
│ [G Continue with Google] │
└────────────────────────────────────────┘
↓
┌────────────────────────────────────────┐
│ Google Account Selection │
│ Choose account... │
└────────────────────────────────────────┘
↓
┌────────────────────────────────────────┐
│ Two-Factor Authentication │
│ │
│ Enter your 6-digit code from │
│ your authenticator app: │
│ │
│ [______] │
│ │
│ [ Verify ] │
└────────────────────────────────────────┘
↓
┌────────────────────────────────────────┐
│ ✓ Login successful │
│ Redirecting to dashboard... │
└────────────────────────────────────────┘
Configuration
No Configuration Required
2FA detection is automatic:
- No settings to enable
- No configuration needed
- Works out of the box
Plugin Priority
If multiple 2FA plugins are active:
- The first plugin in the detection order above (Two Factor, Wordfence, WP 2FA, Solid Security, Google Authenticator, miniOrange) whose check returns true handles the prompt
- Running more than one 2FA plugin is not recommended
- Multiple plugins may conflict, each trying to intercept the same login
Security Considerations
Why Support 2FA?
- Defense in depth: even if the user's Google account is compromised, the site's own second factor still protects the WordPress account
- Compliance: some regulations and customer policies require 2FA on the application itself
- User choice: security-conscious users can add a factor that the site, not Google, controls
- Role-based: sites can require 2FA for administrators and other privileged roles
Google Sign-In Security
Google already provides:
- Password authentication
- Google's own 2-Step Verification, if the user or their Workspace admin has enabled it
- Suspicious activity detection
OneTap's 2FA support adds:
- Site-specific verification that is independent of the Google account
- A choice of 2FA method different from the one used at Google
- Compliance with the site's own authentication policy
Role-Based 2FA
Requiring 2FA for Roles
Many 2FA plugins allow role-based requirements:
| Role | 2FA Required |
|---|---|
| Administrator | Yes |
| Editor | Yes |
| Shop Manager | Yes |
| Customer | Optional |
| Subscriber | Optional |
OneTap Behavior
Admin signs in with Google
↓
Google auth successful
↓
2FA required for admin role
↓
Redirect to 2FA prompt
Hooks for Developers
Filter 2FA Detection
add_filter('onetap_user_requires_2fa', function($requires, $user_id) {
// Custom logic
if (user_can($user_id, 'manage_options')) {
return true; // Always require for admins
}
return $requires;
}, 10, 2);
Note: Returning true sends the user to the 2FA prompt whether or not they have enrolled a method with the active 2FA plugin, so pair this with a plugin policy that enforces enrollment for those roles (see Role-Based 2FA above); otherwise an un-enrolled admin is sent to a prompt they cannot complete.
Before 2FA Redirect
add_action('onetap_before_2fa_redirect', function($user_id, $plugin_name) {
// Log 2FA prompt
error_log("User {$user_id} sent to 2FA ({$plugin_name})");
}, 10, 2);
Custom 2FA Plugin Support
add_filter('onetap_user_has_2fa', function($has_2fa, $user_id) {
// Check custom 2FA plugin
if (my_custom_2fa_is_enabled($user_id)) {
return true;
}
return $has_2fa;
}, 10, 2);
Troubleshooting
2FA Prompt Not Appearing
Causes:
- 2FA not actually enabled for user
- Plugin not detected
- User excluded from 2FA
Solutions:
- Verify 2FA setup in plugin settings
- Check plugin is active
- Review 2FA plugin role settings
Redirect Loop After 2FA
Causes:
- 2FA plugin misconfigured
- Redirect URL conflict
- Session issue
Solutions:
- Check 2FA plugin settings
- Clear custom redirect settings
- Clear cookies and retry
Google Auth Bypasses 2FA
Causes:
- 2FA plugin not detected
- Detection function changed
- Plugin update broke compatibility
Solutions:
- Verify the plugin version is supported
- Treat the bypass as a security issue: until it is fixed, force detection for affected users with the onetap_user_has_2fa filter, or block Google sign-in for privileged roles (see Forbidden Roles)
- Contact support for an updated detector
Wrong 2FA Plugin Triggered
Causes:
- Multiple 2FA plugins active
- Detection order issue
- Plugin conflict
Solutions:
- Use only one 2FA plugin
- Deactivate unused plugins
- Check detection priority
Best Practices
Do's
- Use a supported 2FA plugin
- Enable 2FA for admin roles
- Test login flow after setup
- Keep 2FA plugin updated
- Have backup codes available
Don'ts
- Don't run multiple 2FA plugins
- Don't disable 2FA for admins
- Don't skip testing
- Don't lose backup codes
Setting Up 2FA
Recommended: Two Factor Plugin
- Install "Two Factor" from WordPress.org
- Go to Users > Profile
- Enable TOTP method
- Scan QR code with authenticator app
- Verify with test code
- Generate backup codes
For Administrators
Require 2FA for all admins:
- Use WP 2FA or similar
- Set policy to require for admins
- Set grace period
- Enforce 2FA setup
2FA and Google Workspace
Enterprise Users
If using Google Workspace with enforced 2-Step Verification:
- The user has already passed Google's second factor
- Site 2FA is an additional, site-controlled layer
- It may feel redundant, but it still protects the WordPress account if the Google account or session is compromised
Recommendation
For Google Workspace environments:
- Decide explicitly whether site 2FA is necessary
- Skipping it for convenience delegates the site's account security entirely to Google
- A common compromise is to require it for elevated roles only
Next Steps
- Security Overview - All security features
- Role Security - Role restrictions
- Forbidden Roles - Role configuration