Two-Factor Authentication

Set up TOTP-based 2FA with authenticator apps.

Last updated Feb 3, 2025

What is Two-Factor Authentication?

Two-factor authentication (2FA) adds a second layer of security to your login. After entering your password, you must also enter a time-based code from your phone. Even if an attacker knows your password, they can't log in without your phone.

ArmorPro Pro uses TOTP (Time-based One-Time Password), the same standard used by Google, Microsoft, and most major services. Codes are generated every 30 seconds and work offline.

Supported Authenticator Apps

You can use any TOTP-compatible authenticator app:

  • Google Authenticator — Simple and free (iOS, Android)
  • 1Password — Great if you already use it for passwords
  • Authy — Supports cloud backup and multiple devices
  • Microsoft Authenticator — Good for Microsoft-heavy environments
  • Bitwarden — Open source password manager with TOTP

Recommendation

If you don't have a preference, start with Google Authenticator. It's free, simple, and widely supported.

Enabling 2FA for Your Site

Step 1: Enable the Feature

  1. Go to ArmorPro → 2FA
  2. Toggle Enable Two-Factor Authentication to on
  3. Choose which user roles should be required to use 2FA (we recommend at minimum: Administrator, Editor)

Step 2: Set Up Your Account

After enabling 2FA, each user needs to set up their account:

  1. Go to Users → Profile (or each user visits their own profile)
  2. Scroll to the Two-Factor Authentication section
  3. Click Set Up 2FA
  4. Scan the QR code with your authenticator app
  5. Enter the 6-digit code from your app to verify
  6. Save your backup codes in a secure location

Logging In with 2FA

Once 2FA is enabled for your account:

  1. Enter your username and password as usual
  2. You'll see a prompt asking for your 2FA code
  3. Open your authenticator app and enter the 6-digit code
  4. You're now logged in

Codes refresh every 30 seconds. If your code doesn't work, wait for the next one. Make sure your phone's clock is accurate (authenticator apps rely on precise time sync).

Backup Codes

When you set up 2FA, you'll receive a set of backup codes. These are one-time use codes for emergencies — like if you lose your phone.

Important

Store your backup codes somewhere safe and separate from your phone. A password manager, printed paper in a secure location, or a separate device all work.

Each backup code can only be used once. After using a backup code, it's permanently consumed. If you use several backup codes, generate a new set from your profile.

Managing 2FA for Users

As an administrator, you can manage 2FA for other users:

View 2FA Status

Go to ArmorPro → 2FA to see which users have 2FA enabled and which haven't set it up yet.

Reset a User's 2FA

If a user loses access to their authenticator (lost phone, etc.):

  1. Go to Users → All Users
  2. Edit the user's profile
  3. In the 2FA section, click Reset 2FA
  4. The user can now set up 2FA again with a new device

Enforce 2FA

You can require certain roles to use 2FA. Users with those roles will be prompted to set up 2FA on their next login if they haven't already.

Troubleshooting

"Invalid code" errors

  • Check your phone's time: TOTP requires accurate time. Go to your phone's settings and enable automatic time sync.
  • Wait for the next code: If a code is about to expire (only a few seconds left), wait for the next one.
  • Make sure you're using the right account: If you have multiple sites set up, verify you're looking at the right entry in your authenticator app.
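Why the 30-second refresh and the phone's clock matter, shown in code: this is an added example, not part of the ArmorPro documentation or plugin, that derives TOTP codes per RFC 6238 and checks them the way a server would. It assumes the RFC 4226/6238 test secret (constructed for the demo), the 30-second step and 6-digit length the page describes, and a one-step drift window with a last-used-step check as the verifier's behaviour.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # code lifetime the page describes
DIGITS = 6          # code length the page describes

# RFC 4226 / RFC 6238 test secret, constructed for this demo. A real secret is
# random and reaches the phone as the base32 string encoded in the QR code.
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRET_BASE32 = base64.b32encode(DEMO_SECRET).decode()

def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an authenticator app stores from the QR code."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch,
    which is why a phone with a wrong clock produces "invalid" codes."""
    return hotp(secret, unix_time // STEP_SECONDS)

def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_step: Optional[int] = None, window: int = 1) -> Optional[int]:
    """Server-side check (assumed verifier behaviour, not the plugin's own).
    Accepts the current step and `window` steps either side to tolerate small
    clock drift. Returns the matched step so the caller can store it; any step
    not newer than `last_used_step` is refused, so a code cannot be accepted
    twice within its validity window."""
    current = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None
```

`totp(DEMO_SECRET, 59)` gives the RFC 6238 SHA-1 reference value for T=59 truncated to 6 digits, and a code from the previous step is still accepted one step later while one from two steps earlier is not, which is exactly the "wait for the next code" situation above.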

Lost phone / can't access authenticator

  1. Use one of your backup codes to log in
  2. Go to your profile and reset 2FA
  3. Set up 2FA again with your new device

No backup codes and no phone

Contact your site administrator to reset your 2FA. If you're the only administrator, you'll need to access the database directly or use FTP to temporarily disable the plugin.

Best Practices

  • Require 2FA for all administrators — Admin accounts are the highest-value targets
  • Use a dedicated authenticator app — Don't rely on SMS-based 2FA (not supported and less secure)
  • Store backup codes securely — Treat them like a spare key to your house
  • Keep your phone secure — Use a PIN, fingerprint, or face unlock
  • Turn on your authenticator app's cloud backup — Apps like Authy sync across devices