Two-factor authentication should (imho) be in core, but core can’t always provide the best ways to accomplish it; text messaging, for example, requires external APIs.
What I see as the best fit is this:
There is a framework for Two-Factor Authentication in core, that provides two free no-api-required methods for users to select to validate:
- Email (with a warning that it’s not as secure)
- Time-based One-time Password Algorithm (TOTP)
  - This is what Google Authenticator / Authy use.
  - IETF RFC 6238
Beyond this, core would offer a filter to permit plugins to register other authentication methods; for example, Duo Security’s push-based request system, or Jetpack could provide a gateway for text messages, just as they are sent from WordPress.com.
We would also need to allow a define( 'DISABLE_TWO_FACTOR_AUTH', true ); line in wp-config.php that would switch it off, in case a site owner lost their phone and needed to disable it temporarily. I could also see use for a customized define to only disable it for a given user. Ideally this would add a warning to the admin bar for all users that have manage_options() to notify them that it has been disabled.
Other dependencies that would need to be in core:
- Application Passwords
  - For systems where the user cannot be prompted for a two-factor auth code (XML-RPC, etc.), disallow their normal password for authentication, and force them to use a generated application password that is stored in usermeta.
  - For systems where the user can be prompted for a two-factor auth code (wp-login.php), don’t permit the use of application passwords.
- Backup Auth Codes
  - Saved in usermeta; not terribly much interesting here.
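The two dependencies above fit together as one credential policy: which credential a request context may present, and which it must refuse. The following is an added example (not code from the original post or from WordPress core) modelling that policy plus single-use backup codes in Python, with an in-memory stand-in for usermeta. The context names, the UserMeta class and the hashing parameters are assumptions; the DISABLE_TWO_FACTOR_AUTH define from the post is modelled as the two_factor_disabled flag.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

# The two request contexts the proposal distinguishes (names are assumptions).
INTERACTIVE = "wp-login.php"      # user can be prompted for a second factor
NON_INTERACTIVE = "xmlrpc"        # no way to prompt: application passwords only


def _hash(secret_value: str, salt: bytes) -> bytes:
    """Slow salted hash; usermeta never holds a plaintext credential."""
    return hashlib.pbkdf2_hmac("sha256", secret_value.encode("utf-8"), salt, 100_000)


@dataclass
class UserMeta:
    """Constructed in-memory stand-in for the usermeta rows the proposal describes."""
    password: tuple                                        # (salt, hash) of the normal password
    app_passwords: dict = field(default_factory=dict)      # label -> (salt, hash)
    backup_codes: list = field(default_factory=list)       # unused (salt, hash) entries


def new_user(password: str) -> UserMeta:
    salt = os.urandom(16)
    return UserMeta(password=(salt, _hash(password, salt)))


def issue_app_password(meta: UserMeta, label: str) -> str:
    """Generate a random application password; only its hash is persisted."""
    plain = secrets.token_hex(12)
    salt = os.urandom(16)
    meta.app_passwords[label] = (salt, _hash(plain, salt))
    return plain


def issue_backup_codes(meta: UserMeta, count: int = 10) -> list:
    """Generate single-use backup codes, replacing any previous set."""
    codes = [secrets.token_hex(4) for _ in range(count)]
    meta.backup_codes = []
    for code in codes:
        salt = os.urandom(16)
        meta.backup_codes.append((salt, _hash(code, salt)))
    return codes


def _matches(entry: tuple, candidate: str) -> bool:
    salt, digest = entry
    return secrets.compare_digest(_hash(candidate, salt), digest)


def _consume_backup_code(meta: UserMeta, code: str) -> bool:
    """A backup code is valid exactly once: remove it from usermeta when it matches."""
    for i, entry in enumerate(meta.backup_codes):
        if _matches(entry, code):
            del meta.backup_codes[i]
            return True
    return False


def authenticate(meta: UserMeta, context: str, password: Optional[str] = None,
                 app_password: Optional[str] = None, second_factor: Optional[str] = None,
                 two_factor_disabled: bool = False) -> bool:
    """Apply the proposal's rules:
    - non-interactive contexts accept only an application password, never the normal one;
    - interactive contexts refuse application passwords and require password + second factor,
      unless the site owner has switched two-factor off (the DISABLE_TWO_FACTOR_AUTH define)."""
    if context == NON_INTERACTIVE:
        if password is not None or app_password is None:
            return False
        return any(_matches(entry, app_password) for entry in meta.app_passwords.values())

    if app_password is not None or password is None:
        return False
    if not _matches(meta.password, password):
        return False
    if two_factor_disabled:
        return True  # the proposal wants an admin-bar warning shown while this is on
    # Second factor: a backup code here; a TOTP check would slot in at the same point.
    return second_factor is not None and _consume_backup_code(meta, second_factor)
```

Two properties are worth checking in any real implementation: a backup code is deleted the moment it is accepted, and the password is verified before any code is consumed, so a wrong password cannot burn through the user's backup codes.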