Two-Factor Authentication Detection

OneTap Login automatically detects when users have two-factor authentication (2FA) enabled and seamlessly redirects them to complete the additional verification step.

Overview

Why 2FA Detection?

Google sign-in is secure, but some organizations require additional verification:

  • Compliance requirements (SOC 2, HIPAA)
  • Defense in depth strategy
  • Policy enforcement
  • High-value account protection

How It Works

  1. User completes Google sign-in
  2. OneTap checks whether 2FA is enabled on the account
  3. 2FA enabled → redirect to the 2FA prompt → user completes 2FA → login complete
     No 2FA → login completes immediately

Supported 2FA Plugins

OneTap Login detects these 6 major 2FA plugins:

1. Two Factor (WordPress.org)

Plugin: Two Factor

Detection Method:

if (class_exists('Two_Factor_Core')) {
    $is_enabled = Two_Factor_Core::is_user_using_two_factor($user_id);
}

Supported Methods:

  • TOTP (Google Authenticator, Authy)
  • FIDO U2F (YubiKey)
  • Email codes
  • Backup codes

2. Wordfence Two-Factor

Plugin: Wordfence Security

Detection Method:

if (class_exists('wfTwoFactorAuth')) {
    $is_enabled = wfTwoFactorAuth::hasUser2FA($user_id);
}

Supported Methods:

  • TOTP authenticator apps
  • Wordfence Login Security

3. WP 2FA

Plugin: WP 2FA

Detection Method:

if (class_exists('WP2FA\\WP2FA')) {
    $is_enabled = WP2FA\User::is_user_using_two_factor($user_id);
}

Supported Methods:

  • TOTP apps
  • Email OTP
  • Backup codes
  • Push notifications (premium)

4. iThemes Security / Solid Security

Plugin: Solid Security

Detection Method:

if (class_exists('ITSEC_Two_Factor')) {
    $is_enabled = ITSEC_Two_Factor::is_user_using_two_factor($user_id);
}

Supported Methods:

  • TOTP apps
  • Email codes
  • Backup codes

5. Google Authenticator

Plugin: Google Authenticator

Detection Method:

if (class_exists('GoogleAuthenticator')) {
    $secret     = get_user_meta($user_id, 'googleauthenticator_secret', true);
    $is_enabled = !empty($secret);
}

Supported Methods:

  • TOTP only (Google Authenticator app)

6. miniOrange 2FA

Plugin: miniOrange Two Factor Authentication

Detection Method:

if (class_exists('Miniorange_Authentication')) {
    $is_enabled = MO2f_Utility::check_if_2fa_enabled_for_user($user_id);
}

Supported Methods:

  • TOTP apps
  • Push notification
  • SMS OTP
  • Email OTP
  • Security questions
  • Hardware tokens

Detection Flow

Complete Flow Diagram

Google OAuth callback received

JWT token validated

WordPress user identified

Check Two Factor plugin
├── Found and enabled? → Mark for 2FA
└── Not found → Continue

Check Wordfence 2FA
├── Found and enabled? → Mark for 2FA
└── Not found → Continue

Check WP 2FA
├── Found and enabled? → Mark for 2FA
└── Not found → Continue

Check iThemes Security 2FA
├── Found and enabled? → Mark for 2FA
└── Not found → Continue

Check Google Authenticator
├── Found and enabled? → Mark for 2FA
└── Not found → Continue

Check miniOrange 2FA
├── Found and enabled? → Mark for 2FA
└── Not found → Continue

2FA marked?
├── Yes → Redirect to 2FA plugin's prompt
└── No → Complete login, redirect to destination

Detection Code

/**
 * Check if user has 2FA enabled.
 * Returns the first plugin that reports 2FA enabled for the user.
 */
function onetap_user_has_2fa($user_id) {
    // Two Factor plugin
    if (class_exists('Two_Factor_Core')) {
        if (Two_Factor_Core::is_user_using_two_factor($user_id)) {
            return ['plugin' => 'two-factor', 'enabled' => true];
        }
    }

    // Wordfence
    if (class_exists('wfTwoFactorAuth')) {
        if (wfTwoFactorAuth::hasUser2FA($user_id)) {
            return ['plugin' => 'wordfence', 'enabled' => true];
        }
    }

    // WP 2FA
    if (class_exists('WP2FA\\WP2FA')) {
        if (WP2FA\User::is_user_using_two_factor($user_id)) {
            return ['plugin' => 'wp-2fa', 'enabled' => true];
        }
    }

    // Continue for other plugins...

    return ['plugin' => null, 'enabled' => false];
}

User Experience

With 2FA Enabled

Step 1: Click Google sign-in
┌────────────────────────────────────────┐
│ [G Continue with Google]               │
└────────────────────────────────────────┘

Step 2: Google authentication
┌────────────────────────────────────────┐
│ Choose your Google account             │
│ john@gmail.com                         │
└────────────────────────────────────────┘

Step 3: 2FA prompt
┌────────────────────────────────────────┐
│ Two-Factor Authentication              │
│                                        │
│ Enter your authentication code:        │
│ [______]                               │
│                                        │
│ [ Verify ]                             │
└────────────────────────────────────────┘

Step 4: Login complete
┌────────────────────────────────────────┐
│ ✓ Welcome back, John!                  │
│ Redirecting to your account...         │
└────────────────────────────────────────┘

Without 2FA

Step 1: Click Google sign-in
Step 2: Google authentication
Step 3: Login complete (no 2FA prompt)

Configuration

No Configuration Required

2FA detection is automatic:

  • No settings needed
  • No manual integration
  • Works out of the box

OneTap automatically detects supported plugins.

Enabling 2FA for Users

This is done in the 2FA plugin itself:

  1. Install a supported 2FA plugin
  2. Configure 2FA requirements
  3. Users enable 2FA in their profile
  4. OneTap detects automatically

Security Considerations

Defense in Depth

Google sign-in provides:

  • Google's password protection
  • Google's own 2FA (if enabled)
  • Google's suspicious activity detection

Site 2FA adds:

  • Site-specific additional layer
  • Different verification method
  • Compliance with site policies

Scenario               2FA Recommended
E-commerce site        Optional
Admin accounts         Yes
Membership site        Depends on content
Financial data         Yes
Healthcare (HIPAA)     Yes
Compliance-required    Yes

Role-Based 2FA

Many 2FA plugins support role-based enforcement:

Administrator → 2FA Required
Editor → 2FA Required
Shop Manager → 2FA Required
Customer → 2FA Optional
Subscriber → 2FA Optional

OneTap respects these policies.

Hooks for Developers

Filter 2FA Detection

add_filter('onetap_user_requires_2fa', function($requires, $user_id) {
    // Custom 2FA check
    if (my_custom_2fa_check($user_id)) {
        return true;
    }

    // Force 2FA for admins
    if (user_can($user_id, 'manage_options')) {
        return true;
    }

    return $requires;
}, 10, 2);

Before 2FA Redirect

add_action('onetap_before_2fa_redirect', function($user_id, $plugin_name) {
    // Log 2FA requirement
    error_log("User {$user_id} redirected to 2FA ({$plugin_name})");

    // Custom tracking
    do_action('track_2fa_prompt', $user_id);
}, 10, 2);

Custom 2FA Plugin Support

add_filter('onetap_2fa_plugins', function($plugins) {
    // Add custom 2FA plugin
    $plugins['my-2fa-plugin'] = [
        'class' => 'My_2FA_Plugin',
        'check' => function($user_id) {
            return My_2FA_Plugin::is_enabled($user_id);
        },
    ];
    return $plugins;
});

After 2FA Completed

Note: This depends on the 2FA plugin's hooks:

// Example for Two Factor plugin
add_action('two_factor_user_authenticated', function($user) {
    // 2FA completed after Google sign-in
    if (get_user_meta($user->ID, '_onetap_pending_2fa', true)) {
        delete_user_meta($user->ID, '_onetap_pending_2fa');
        // Custom action after Google + 2FA
    }
});

Troubleshooting

2FA Prompt Not Appearing

Causes:

  1. 2FA not enabled for user
  2. Plugin not detected
  3. Plugin updated and broke compatibility

Solutions:

  1. Verify 2FA is set up in user profile
  2. Check if plugin is active
  3. Update OneTap Login
  4. Contact support

Stuck in 2FA Loop

Causes:

  1. 2FA plugin misconfigured
  2. Session issue
  3. Redirect conflict

Solutions:

  1. Check 2FA plugin settings
  2. Clear browser cookies
  3. Disable custom redirects temporarily

Wrong 2FA Plugin Triggered

Causes:

  1. Multiple 2FA plugins active
  2. Detection order issue

Solutions:

  1. Use only one 2FA plugin
  2. Deactivate unused 2FA plugins

2FA Skipped Unexpectedly

Causes:

  1. User 2FA not configured
  2. Detection failed
  3. Plugin conflict

Solutions:

  1. Verify in 2FA plugin that user has 2FA enabled
  2. Test with a different user
  3. Check for JavaScript errors
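
As an added diagnostic for the troubleshooting cases above (example code, not part of OneTap Login): it walks the same six class/method checks listed under "Supported 2FA Plugins", in the same order as the detection flow, and reports for one user which plugins are loaded, which report 2FA enabled, which one detection would pick first, and whether a check threw (a plugin update that changed an API). The function name onetap_diag_2fa_status is made up for this example.

```php
<?php
/**
 * Added diagnostic (not OneTap Login code). Run it as an administrator,
 * e.g. from a mu-plugin or `wp eval-file`, and inspect the returned array.
 */
function onetap_diag_2fa_status(int $user_id): array {
    // Same class/method pairs and order as the detection flow documented above.
    $checks = [
        'two-factor'           => ['Two_Factor_Core',           fn($u) => Two_Factor_Core::is_user_using_two_factor($u)],
        'wordfence'            => ['wfTwoFactorAuth',           fn($u) => wfTwoFactorAuth::hasUser2FA($u)],
        'wp-2fa'               => ['WP2FA\\WP2FA',              fn($u) => WP2FA\User::is_user_using_two_factor($u)],
        'solid-security'       => ['ITSEC_Two_Factor',          fn($u) => ITSEC_Two_Factor::is_user_using_two_factor($u)],
        'google-authenticator' => ['GoogleAuthenticator',       fn($u) => !empty(get_user_meta($u, 'googleauthenticator_secret', true))],
        'miniorange'           => ['Miniorange_Authentication', fn($u) => MO2f_Utility::check_if_2fa_enabled_for_user($u)],
    ];

    $report = ['loaded' => [], 'enabled' => [], 'errors' => [], 'would_use' => null, 'warnings' => []];

    foreach ($checks as $slug => [$class, $check]) {
        if (!class_exists($class)) {
            continue;                                   // "Plugin not detected": class never loaded
        }
        $report['loaded'][] = $slug;
        try {
            if ($check($user_id)) {
                $report['enabled'][] = $slug;
                $report['would_use'] ??= $slug;         // first match wins, as in onetap_user_has_2fa()
            }
        } catch (\Throwable $e) {
            // "Plugin updated and broke compatibility": method missing or signature changed
            $report['errors'][$slug] = $e->getMessage();
        }
    }

    if (count($report['loaded']) > 1) {
        $report['warnings'][] = 'More than one 2FA plugin is loaded; detection order decides which prompt is shown.';
    }
    if ($report['loaded'] && !$report['enabled']) {
        $report['warnings'][] = 'A 2FA plugin is loaded but reports no 2FA for this user; verify the user profile.';
    }
    return $report;
}

// Example usage (hypothetical): print_r(onetap_diag_2fa_status(get_current_user_id()));
```

An empty "loaded" list points at the "Plugin not detected" cause, a non-empty "errors" entry at a broken plugin API, and more than one "loaded" entry at the "Multiple 2FA plugins active" cause.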

Best Practices

Do's

  • Use a single 2FA plugin
  • Require 2FA for admin roles
  • Test the full flow
  • Provide backup codes to users
  • Keep 2FA plugin updated

Don'ts

  • Run multiple 2FA plugins simultaneously
  • Disable 2FA for high-privilege roles
  • Skip testing after updates
  • Ignore users locked out of 2FA

Comparison: Google 2FA vs Site 2FA

Aspect         Google 2FA          Site 2FA
Scope          Google account      Your site only
Control        User controlled     Site controlled
Methods        Google's options    Plugin's options
Enforcement    Optional            Can be required
Recovery       Via Google          Via site admin

Recommendation

For maximum security:

  • Users enable Google 2FA on their Google account
  • Site enables 2FA for admin/editor roles
  • Both layers protect access