Two-Factor Authentication
TOTP-based 2FA with any authenticator app. Per-role enforcement, backup codes, and compliance tracking.
Last updated Feb 21, 2026
Overview
Two-factor authentication (2FA) adds a second verification step after your password. Even if an attacker obtains a user's password through a data breach, phishing, or brute force, they cannot log in without the time-based code from the user's authenticator app.
ArmorPro uses the TOTP (Time-Based One-Time Password) standard defined in RFC 6238. Codes rotate every 30 seconds, and the server accepts the current code plus the code from one time window on either side (roughly 90 seconds of acceptance in total) to tolerate minor clock drift between the server and the user's device. Because every code is derived from the current time, the server's own clock must be accurate: if it drifts by more than one window, every user's codes will be rejected, so keep the server synchronized with NTP.
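To make the mechanism concrete, here is an added example (written for this page, not ArmorPro's own code) of RFC 6238 verification with the one-window tolerance described above. It also records the last accepted counter so that a code captured during its acceptance span cannot be replayed, which is the check a careful implementation adds on top of the window. All function names, and the demo base32 secret, are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def secret_from_base32(text: str) -> bytes:
    """Decode the secret as shown to the user during setup
    (base32, case-insensitive, spaces allowed, padding optional)."""
    s = text.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of whole
    time steps elapsed since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1,
                last_used_counter: Optional[int] = None) -> Optional[int]:
    """Accept `submitted` if it matches the current time step or any step
    within `window` steps on either side.  Returns the matching counter so
    the caller can persist it as `last_used_counter`, or None on failure.
    Any counter at or below `last_used_counter` is refused, which stops a
    code that was phished or shoulder-surfed from being replayed while it
    is still inside the acceptance span."""
    submitted = submitted.replace(" ", "")
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = at // step
    matched = None
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # Constant-time compare, and no early exit, so response time does
        # not reveal which of the three candidate steps matched.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            matched = counter
    return matched


if __name__ == "__main__":
    # Constructed demo secret (the base32 string a setup QR code would carry).
    demo = secret_from_base32("jbsw y3dp ehpk 3pxp")
    now = int(time.time())
    code = totp(demo, now)
    print("current code:", code, "-> accepted at counter", verify_totp(demo, code, now))
```

The assertions a practitioner would run against this are the RFC 6238 Appendix B test vectors (ASCII seed `12345678901234567890`, 8 digits, SHA-1), which is the quickest way to confirm that a TOTP implementation, including the plugin's, is interoperable with the listed authenticator apps.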
Enabling 2FA
To enable two-factor authentication for your site:
- Navigate to ArmorPro → Settings
- Find the Two-Factor Authentication toggle
- Switch it on
Role restriction
Choose which user roles are required to use 2FA. By default, only the Administrator role is selected. You can extend this to any combination of roles: Editor, Author, Contributor, Subscriber, or any custom roles registered on your site.
Users whose role is not selected can still set up 2FA voluntarily from their profile page, but they will not be forced to configure it.
Supported authenticator apps
ArmorPro's 2FA works with any TOTP-compatible authenticator app, including:
- Google Authenticator
- 1Password
- Authy
- Microsoft Authenticator
- Bitwarden
Any app that supports the TOTP standard will work. If your password manager supports TOTP codes, you can use that as well, but be aware of the trade-off: keeping the TOTP secret in the same vault as the password means that a compromise of that one vault yields both factors.
Setting up 2FA
Each user sets up 2FA from their own WordPress profile page:
- Go to Users → Profile (or click your name in the admin bar)
- Scroll to the Two-Factor Authentication section
- Click Generate to create a new secret key
- Scan the QR code with your authenticator app (or enter the base32 secret manually)
- Enter the 6-digit code from your app to verify the setup
- Save the backup codes that are displayed
Important
Backup codes are only displayed once during setup. Copy them to a secure location immediately. If you lose your phone and your backup codes, an administrator will need to disable 2FA on your account manually.
Login flow with 2FA
Once 2FA is configured, the login process adds one additional step:
- Enter your username and password as normal
- After password verification succeeds, a 2FA screen appears
- Open your authenticator app and enter the current 6-digit code
- Click Verify to complete the login
If you do not have access to your authenticator app, click the Use backup code instead link to enter one of your backup codes.
Backup codes
During 2FA setup, ArmorPro generates 8 numeric backup codes. These are emergency codes for situations where you cannot access your authenticator app (lost phone, app reinstall, etc.).
- Each backup code can be used only once; after use it is invalidated and will not be accepted again
- You can regenerate a new set of backup codes from your profile at any time. Regenerating invalidates all previous codes.
- Store backup codes in a secure location (password manager, printed in a safe place)
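The lifecycle in the list above, as an added example (not ArmorPro's implementation): codes are generated and shown once, only salted slow hashes are stored, redemption is single-use, and regeneration invalidates the whole previous set. The 8-digit code length, the PBKDF2 parameters and the function names are assumptions for illustration; the page states only that there are 8 numeric codes.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Assumed parameters: the page gives the code count but not the length or
# the storage format.
CODE_COUNT = 8
CODE_DIGITS = 8
PBKDF2_ITERATIONS = 50_000


def _hash_code(code: str, salt: bytes) -> bytes:
    # A slow, salted hash: an 8-digit code carries only ~26.6 bits of
    # entropy, so a leaked table of fast hashes could be brute-forced in
    # seconds.  PBKDF2 makes each guess cost 50k SHA-256 rounds.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


def _normalize(code: str) -> str:
    # Users paste codes with the spaces or dashes they were printed with.
    return code.replace(" ", "").replace("-", "")


def generate_backup_codes(count: int = CODE_COUNT,
                          digits: int = CODE_DIGITS) -> Tuple[List[str], List[Dict]]:
    """Return (plaintext_codes, stored_records).  The plaintext list is shown
    to the user exactly once; only the salted hashes are persisted, so the
    codes cannot be recovered from a database dump."""
    plaintext: List[str] = []
    stored: List[Dict] = []
    for _ in range(count):
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        salt = secrets.token_bytes(16)
        plaintext.append(code)
        stored.append({"salt": salt.hex(),
                       "hash": _hash_code(code, salt).hex(),
                       "used": False})
    return plaintext, stored


def redeem_backup_code(stored: List[Dict], submitted: str) -> bool:
    """Consume one unused code.  Returns True and marks it used, False
    otherwise.  Every record is checked with no early exit, so response
    time does not reveal which slot matched, and an already-used code is
    rejected exactly like a wrong one."""
    candidate = _normalize(submitted)
    if len(candidate) != CODE_DIGITS or not candidate.isdigit():
        return False
    matched = None
    for record in stored:
        digest = _hash_code(candidate, bytes.fromhex(record["salt"]))
        if hmac.compare_digest(digest, bytes.fromhex(record["hash"])) and not record["used"]:
            matched = record
    if matched is None:
        return False
    matched["used"] = True
    return True


def remaining_backup_codes(stored: List[Dict]) -> int:
    """How many codes the user still has, for the profile page and the
    compliance view."""
    return sum(1 for r in stored if not r["used"])


def regenerate_backup_codes(stored: List[Dict]) -> List[str]:
    """Replace the whole set in place so that every old code, used or not,
    stops working immediately.  Returns the new plaintext codes to display."""
    plaintext, fresh = generate_backup_codes()
    stored[:] = fresh
    return plaintext
```

Because each code is only 8 digits, the login handler that calls `redeem_backup_code` still needs the same per-account attempt limiting that protects the password step; the hashing above raises the cost of an offline attack on a stolen table, not of online guessing.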
2FA compliance dashboard
Administrators can monitor 2FA adoption across the site. The compliance section shows:
- Total number of users with 2FA enabled vs. not enabled
- Breakdown by role (how many administrators, editors, etc. have 2FA configured)
This makes it easy to identify users who have not yet set up 2FA, especially for roles where it is required.
Enforcement
When 2FA is required for a role but a user in that role has not set it up yet, ArmorPro redirects the user to their profile page after login with a notice to configure 2FA. Note that this is a reminder rather than a lockout: the user can still access the rest of the admin until setup is complete, so use the compliance dashboard to follow up on accounts in required roles that remain without 2FA.
Tip
At minimum, require 2FA for all Administrator and Editor accounts. These roles have the highest privileges and are the most valuable targets for attackers.
Recovering from a lost device
If a user loses access to their authenticator app and has no unused backup codes left:
- Another administrator logs in to the WordPress admin
- Navigate to Users → All Users
- Edit the affected user's profile
- Scroll to the Two-Factor Authentication section
- Click Disable 2FA for that user
The user can then log in with just their password and set up 2FA again with their new device.
Important
If the locked-out user is the only administrator on the site, you will need to disable ArmorPro temporarily by adding define('ARMOR_DISABLE', true); to wp-config.php (above the /* That's all, stop editing! */ comment, so that it takes effect), then log in and reset the 2FA configuration. This requires file access to the server, and it switches off ArmorPro's other protections as well, so remove the line as soon as 2FA has been reset and re-enrolled.