Two-Factor Authentication Setup

📌 What You’ll Learn

  • How to enable two-factor authentication
  • How to configure email-based 2FA
  • How to manage user enrollment
  • How to handle 2FA for different roles
  • Best practices for 2FA implementation

✅ Before You Begin

  • Attributes User Access Pro installed
  • Valid Pro license activated
  • Working email configuration (SMTP recommended)
  • Access to Security settings

What is Two-Factor Authentication?

2FA adds an extra security layer by requiring two independent factors at login:

  1. Something you know: your password
  2. Something you have: access to the mailbox that receives the one-time verification code

Because this plugin delivers codes by email, the second factor is only as strong as the user's mailbox. An attacker who controls the email account can read the code, so pair email 2FA with strong mailbox security and prefer other methods where they are available.

📘 Why Use 2FA?

  • Makes account takeover with a stolen or reused password much harder
  • Helps meet compliance requirements that call for multi-factor authentication
  • Blunts password brute force and credential stuffing, since a guessed password alone is not enough
  • Increases user confidence

Enabling Two-Factor Authentication

Step 1: Access Security Settings

  1. Navigate to User Access → Security
  2. Click “Two-Factor Authentication” tab

Step 2: Configure Global Settings

Enable 2FA

  • Toggle “Enable 2FA” to ON

Enforcement Policy

  • Optional: Users choose to enable
  • Required for Admins: Admins must use 2FA
  • Required for All: Every user needs 2FA
  • Role-Based: Specific roles only
💡 Best Practice: Start with “Optional” for regular users and move to enforcement on a published timeline, but require 2FA for administrators from the start.

Code Settings

  • Code Length: 6 digits (recommended)
  • Code Validity: 10 minutes
  • Resend Limit: 3 attempts per session

Step 3: Configure Email Settings

  1. Go to User Access → Email Settings
  2. Configure SMTP (essential for reliability)
  3. Test email delivery
  4. Verify 2FA emails aren’t spam-filtered
⚠️ Critical: Without reliable email, 2FA will lock users out. Always use SMTP.

Step 4: Role-Based Requirements

  Role           Recommendation   Reason
  Administrator  Required         Full site access
  Editor         Required         Can publish content
  Author         Recommended      Can publish own posts
  Subscriber     Optional         Read-only access

User Enrollment Process

For Users (Self-Enrollment)

  1. Go to Profile → Security Settings
  2. Click “Enable Two-Factor Authentication”
  3. Verify email address
  4. Save backup recovery codes
  5. Complete enrollment

For Administrators

  1. Go to Users → All Users
  2. Edit user profile
  3. Find “Security Settings”
  4. Enable/disable 2FA
  5. Reset if user locked out

Testing 2FA

Test Checklist

  • ✅ Successful login with correct code
  • ✅ Error handling for wrong code
  • ✅ Code expiration works
  • ✅ Code resend functions
  • ✅ Email delivery is prompt
  • ✅ Mobile view works properly
  • ✅ Recovery codes function
  • ✅ Account lockout after max attempts

User Login Flow with 2FA

  1. User enters username/password
  2. Credentials validated
  3. 2FA triggered → code sent to email
  4. User enters 6-digit code
  5. Code validated
  6. Access granted → redirect to dashboard
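The server side of steps 3 to 5, together with the Code Settings above (6-digit codes, 10-minute validity, resend limit) and the checklist items for expiry and lockout, looks like the following. This is an added illustration written for this page, not code from Attributes User Access Pro; the class and method names are hypothetical, the in-memory array stands in for the plugin's real storage, and the lockout threshold of 5 wrong attempts is an assumed value because the page does not state one. It runs stand-alone with `php file.php`.

```php
<?php
// Added example (not plugin code): lifecycle of an emailed 2FA code.
// TwoFactorCodeStore and its methods are hypothetical names for this illustration.
declare(strict_types=1);

final class TwoFactorCodeStore
{
    private const CODE_LENGTH   = 6;   // "Code Length: 6 digits"
    private const VALIDITY_SECS = 600; // "Code Validity: 10 minutes"
    private const MAX_ATTEMPTS  = 5;   // wrong-code attempts before lockout (assumed value)
    private const RESEND_LIMIT  = 3;   // "Resend Limit: 3 attempts per session" (every send counted)

    /** @var array<int, array{hash:string, expires:int, attempts:int, resends:int}> keyed by user ID */
    private array $pending = [];

    // Issue a new code. The plaintext is returned exactly once, for the email template's {code};
    // only a hash is kept server-side, so a database read does not leak live codes.
    public function issue(int $userId, int $now): ?string
    {
        $resends = $this->pending[$userId]['resends'] ?? 0;
        if ($resends >= self::RESEND_LIMIT) {
            return null; // resend budget exhausted for this session
        }
        // random_int() is a CSPRNG; str_pad() keeps leading zeros so every code has 6 digits.
        $code = str_pad((string) random_int(0, 10 ** self::CODE_LENGTH - 1), self::CODE_LENGTH, '0', STR_PAD_LEFT);
        $this->pending[$userId] = [
            'hash'     => password_hash($code, PASSWORD_DEFAULT),
            'expires'  => $now + self::VALIDITY_SECS, // absolute server timestamp
            'attempts' => 0,
            'resends'  => $resends + 1,
        ];
        return $code;
    }

    // Verify a submitted code: returns 'ok', 'expired', 'locked', 'invalid' or 'none'.
    // A correct code is consumed (single use); a wrong one counts toward the lockout.
    public function verify(int $userId, string $submitted, int $now): string
    {
        if (!isset($this->pending[$userId])) {
            return 'none';
        }
        $entry = &$this->pending[$userId];
        if ($now > $entry['expires']) {
            unset($this->pending[$userId]);
            return 'expired';
        }
        if ($entry['attempts'] >= self::MAX_ATTEMPTS) {
            return 'locked';
        }
        // Strip anything that is not a digit so a code pasted with spaces still matches;
        // password_verify() compares without leaking timing about which digits differ.
        $submitted = preg_replace('/\D/', '', $submitted) ?? '';
        if (strlen($submitted) === self::CODE_LENGTH && password_verify($submitted, $entry['hash'])) {
            unset($this->pending[$userId]); // single use: the same code cannot log in twice
            return 'ok';
        }
        $entry['attempts']++;
        return $entry['attempts'] >= self::MAX_ATTEMPTS ? 'locked' : 'invalid';
    }
}

// Usage: walk the login flow with a constructed clock so expiry can be exercised offline.
$store = new TwoFactorCodeStore();
$now   = 1_700_000_000;
$code  = $store->issue(42, $now);                         // step 3: code generated, would be emailed
$wrong = $code === '000000' ? '000001' : '000000';
echo 'wrong code: ', $store->verify(42, $wrong, $now + 5), PHP_EOL;    // invalid
echo 'right code: ', $store->verify(42, $code, $now + 30), PHP_EOL;    // ok
echo 'replayed:   ', $store->verify(42, $code, $now + 31), PHP_EOL;    // none (already consumed)
$code = $store->issue(42, $now);
echo 'expired:    ', $store->verify(42, $code, $now + 601), PHP_EOL;   // expired
```

Two design points carry over to any real deployment. The expiry is an absolute server timestamp, so if the host that issued the code and the host that verifies it disagree on the time (or the server clock is wrong), users see “Code expired” immediately, which is why the troubleshooting section below starts with server time. And a code is deleted on success, so an attacker who captures an emailed code after the user has used it gains nothing.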

Email Template Customization

  1. Go to User Access → Email Templates
  2. Find “Two-Factor Authentication Code”
  3. Customize subject and body
  4. Use placeholders: {code}, {user_name}, {expiry_time}
  5. Preview and test
  6. Save changes

Recovery Options

Recovery Codes

  • 10 single-use codes generated
  • Each bypasses 2FA once
  • Stored encrypted
  • Can regenerate anytime
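The recovery-code behaviour described above (ten codes, each usable once, a fresh set replacing the old one) can be implemented as follows. This is an added example for this page, not the plugin's code, and the class name and storage are hypothetical. The page says the plugin stores codes encrypted; this illustration keeps only bcrypt hashes instead, so that a copied user table yields nothing an attacker can type in. It runs stand-alone with `php file.php`.

```php
<?php
// Added example (not plugin code): single-use recovery codes. Names are hypothetical.
declare(strict_types=1);

final class RecoveryCodes
{
    private const COUNT    = 10;
    private const ALPHABET = '23456789abcdefghjkmnpqrstuvwxyz'; // no 0/o, 1/l/i look-alikes

    /** @var array<int, array<int, string>> hashes of unused codes, keyed by user ID */
    private array $unused = [];

    // Generate a fresh set and return the plaintexts for one-time display to the user.
    // Any previously issued set is discarded, which is what "regenerate" must do.
    public function generate(int $userId): array
    {
        $plain  = [];
        $hashes = [];
        for ($i = 0; $i < self::COUNT; $i++) {
            $code     = self::randomCode();
            $plain[]  = $code;
            $hashes[] = password_hash(self::normalize($code), PASSWORD_DEFAULT);
        }
        $this->unused[$userId] = $hashes;
        return $plain;
    }

    // Consume a code: true exactly once per code, false for anything unknown or already spent.
    public function redeem(int $userId, string $submitted): bool
    {
        $candidate = self::normalize($submitted);
        foreach ($this->unused[$userId] ?? [] as $idx => $hash) {
            if (password_verify($candidate, $hash)) {
                unset($this->unused[$userId][$idx]); // single use: remove the spent code
                return true;
            }
        }
        return false;
    }

    public function remaining(int $userId): int
    {
        return count($this->unused[$userId] ?? []);
    }

    // 10 characters from a 29-symbol alphabet (about 48 bits), formatted xxxxx-xxxxx.
    private static function randomCode(): string
    {
        $out = '';
        for ($i = 0; $i < 10; $i++) {
            $out .= self::ALPHABET[random_int(0, strlen(self::ALPHABET) - 1)];
            if ($i === 4) {
                $out .= '-';
            }
        }
        return $out;
    }

    // Accept codes however the user typed them: case, spaces and dashes are ignored.
    private static function normalize(string $code): string
    {
        return strtolower(preg_replace('/[^A-Za-z0-9]/', '', $code) ?? '');
    }
}

$rc    = new RecoveryCodes();
$codes = $rc->generate(42);
echo "Save these codes now; they will not be shown again:\n  ", implode("\n  ", $codes), "\n";
var_dump($rc->redeem(42, strtoupper($codes[3])));  // true: first use, case-insensitive
var_dump($rc->redeem(42, $codes[3]));              // false: already spent
var_dump($rc->redeem(42, 'not-a-code'));           // false
echo $rc->remaining(42), " codes left\n";          // 9
$rc->generate(42);
var_dump($rc->redeem(42, $codes[0]));              // false: old set invalidated by regeneration
```

When a user redeems a recovery code, treat it as a signal: prompt them to re-enroll or regenerate their set, and alert when the remaining count reaches zero, because a user with no codes left is the one who will need the administrator reset described next.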

Administrator Reset

  1. Go to Users → All Users
  2. Edit locked-out user
  3. Find “Two-Factor Authentication”
  4. Click “Reset 2FA”
  5. The user can log in without 2FA on their next attempt
  6. The user must re-enroll before 2FA protects the account again
⚠️ Security: Always verify the user's identity through a channel other than email (a call to a known phone number, or an in-person request) before resetting 2FA, and record who performed the reset and why. A reset request is exactly what an attacker holding a stolen password would ask for.

Troubleshooting

Issue: Codes not arriving

Solution:

  • Check spam/junk folders
  • Verify email address is correct
  • Test SMTP configuration
  • Check email server logs
  • Whitelist sender address

Issue: “Code expired” immediately

Solution:

  • Check server time settings
  • Verify WordPress timezone
  • Check for server time drift
  • Increase code validity period

Issue: User locked out without recovery codes

Solution:

  • Admin resets 2FA from the user's profile (preferred; verify identity first, see Administrator Reset above)
  • Or, with direct database access, remove the user's 2FA settings (last resort; take a backup first)
  • Or temporarily disable 2FA plugin-wide (avoid: this removes the second factor for every account, including administrators, for as long as it is off)

Best Practices

Security Best Practices

  • Start with admins first
  • Educate users on 2FA usage
  • Monitor enrollment rates
  • Regular security audits
  • Test periodically

User Experience Best Practices

  • Gradual rollout timeline
  • Clear communication
  • Provide support resources
  • Allow trusted devices (Pro feature)
  • Offer multiple methods when possible

Advanced Configuration

Developers can customize using hooks:

// Modify 2FA requirement.
// $required is the plugin's decision so far (bool); $user is the WP_User logging in.
// Returning true forces 2FA for any user flagged with the custom 'high_security' user meta
// (set elsewhere, e.g. update_user_meta($user_id, 'high_security', 1)).
add_filter('attrua_require_2fa', function ($required, $user) {
    if ($user instanceof WP_User && get_user_meta($user->ID, 'high_security', true)) {
        return true;
    }
    return $required; // otherwise keep the policy configured in Security settings
}, 10, 2);

// Customize code expiration.
// $expiry is the code lifetime in seconds; the callback returns the lifetime to use.
// Administrators get a 15-minute window here; everyone else keeps the configured validity.
add_filter('attrua_2fa_code_expiry', function ($expiry, $user) {
    if ($user instanceof WP_User && in_array('administrator', (array) $user->roles, true)) {
        return 15 * MINUTE_IN_SECONDS; // WordPress constant (60)
    }
    return $expiry;
}, 10, 2);
