
Two-Factor Authentication (Authenticator App)

Add an extra layer of security to your store with Authenticator App 2FA. Customers and staff can scan a QR code in Google Authenticator, Authy, Microsoft Authenticator, 1Password, or any TOTP-compatible app, and from then on every login asks for a 6-digit time-based code in addition to their password.

What it does?

  • Authenticator-app based 2FA — no SMS, no email OTPs, no third-party service. Setup is one-time and works with any RFC 6238 TOTP app.
  • Fully opt-in — no one is ever forced to enrol or blocked from logging in. The “Set up 2FA” card simply appears on the account page for users the policy applies to; they choose whether to enable it.
  • Role-based visibility — show the 2FA option to All users, Only users with selected roles, or All users EXCEPT selected roles. Useful when you want to offer 2FA to staff but keep the option hidden from regular shoppers.
  • “Remember this device” trust cookie — after a successful 2FA verification, the same browser/device is remembered for 1, 3, 7, 14, or 30 days (admin-configurable). The user isn’t re-prompted for a code until that period elapses or they sign in from a different browser.
  • Frontend prompt for customers — the 2FA verification step renders inside your store theme on /my-account/, not on wp-login.php. Admins get the standard wp-login.php prompt.
  • Backup codes — 10 one-time-use recovery codes generated at enrolment, in case the user loses their phone.

How to enable it?

  • Go to WooCommerce → Email Verification → Settings → Two-Factor Authentication.
  • Toggle Enable Authenticator App 2FA on.
  • Choose Show 2FA option to:
    • All users — the setup card is shown to everyone.
    • Only users with selected roles — pick the roles below (e.g. Administrator, Shop manager) — only those users see the setup card.
    • All users EXCEPT selected roles — useful to hide 2FA from “Customer” while keeping it for staff.
  • Pick Remember this device for — how long a verified browser stays trusted (7 days is the recommended default).
  • Click Save at the top of the section.

How a user enrols (first-time setup)?

When a user the policy applies to opens My Account → Two-Factor Auth (or for admin/editor users: Users → Profile), they’ll see a “Set up 2FA” card.

  • Click Set up two-factor authentication.
  • A QR code appears alongside a setup key.
  • Open the user’s authenticator app (Google Authenticator, Authy, Microsoft Authenticator, 1Password, etc.) and either:
    • Scan the QR code with the app’s camera, or
    • Tap “Enter a setup key” / “Add manually” in the app, then paste the setup key shown on screen.
  • The app immediately starts showing a 6-digit code that changes every 30 seconds.
  • Type the current 6-digit code into the “Enter the 6-digit code” field on the setup card and click Verify & enable.
  • Important step — the page now shows 10 backup codes. The user MUST save these somewhere safe (password manager, printed copy, downloaded text file) before closing the page. These are the only way back into the account if the authenticator app is lost.

From the next login onward, the user will be asked for a 6-digit code from their authenticator app after entering their password.

How to use backup codes?

Backup codes are 10 one-time-use codes (each 10 characters long, formatted like a1b2c-3d4e5) issued at enrolment. They exist so a user isn’t locked out if they lose access to their authenticator app.

When to use a backup code?

  • Lost your phone
  • Reinstalled your authenticator app and lost the entries
  • Got a new device and forgot to migrate
  • Authenticator app’s clock is out of sync (rare, but possible)

How to enter a backup code at login?

  • At the 2FA prompt during login, type one of your unused backup codes into the same “Enter the 6-digit code” field instead of a TOTP code.
  • Click Verify.

The plugin auto-detects whether the input is a 6-digit TOTP code or a 10-character backup code and handles each correctly — there’s no separate “use backup code” link to click.

Important rules for backup codes

  • Each code can be used only once. After it’s used, it’s permanently consumed and can’t be reused.
  • The plugin tracks how many backup codes you have left. When you’re running low (say 2-3 codes remaining), you should regenerate.
  • Backup codes are stored as hashes, not in plaintext — neither the store admin nor a database leak can read them after enrolment. That’s also why you must save them at the moment they’re issued; if you lose them, they can’t be recovered, only regenerated.
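As an added illustration (not the plugin's own code), here is a minimal Python model of the flow the sections above describe: the enrolment material (setup key, otpauth URI for the QR code, 10 backup codes in the a1b2c-3d4e5 format), an RFC 6238 TOTP check on a 30-second step, hashed one-time backup codes with a low-count warning, and the auto-detection that lets the single "Enter the 6-digit code" field accept either. Function names, SHA-256 as the backup-code hash, and the one-step drift window are assumptions.

```python
import base64, hashlib, hmac, re, secrets, struct

TOTP_STEP, TOTP_DIGITS = 30, 6                   # 6-digit code every 30 seconds
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
BACKUP_RE = re.compile(r"^[a-z0-9]{5}-?[a-z0-9]{5}$")   # a1b2c-3d4e5, dash optional
LOW_WATERMARK = 3                                # "running low" threshold (assumed)

def totp_code(secret_b32: str, at: int) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // TOTP_STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    binary = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"

def hash_backup(code: str) -> str:
    # Only the hash is stored; codes are random, so a fast hash is acceptable here.
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()

def enrol(issuer: str, account: str) -> tuple[dict, list[str], str]:
    """Create the setup key, 10 backup codes and the otpauth URI the QR code encodes."""
    secret = base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")
    raw = ["".join(secrets.choice(ALPHABET) for _ in range(10)) for _ in range(10)]
    codes = [f"{c[:5]}-{c[5:]}" for c in raw]           # display form shown once
    uri = f"otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}&digits=6&period=30"
    return {"secret": secret, "backup": {hash_backup(c) for c in codes}}, codes, uri

def verify_login(record: dict, user_input: str, now: int, window: int = 1) -> dict:
    """Auto-detect TOTP vs backup code, as the single code field at login does."""
    entered = user_input.strip().lower()
    if re.fullmatch(r"\d{6}", entered):
        # Accept one 30-second step either side to tolerate small clock drift.
        ok = any(hmac.compare_digest(totp_code(record["secret"], now + d * TOTP_STEP), entered)
                 for d in range(-window, window + 1))
        return {"ok": ok, "kind": "totp", "remaining": len(record["backup"])}
    if BACKUP_RE.fullmatch(entered):
        h = hash_backup(entered)
        if h in record["backup"]:
            record["backup"].discard(h)                # consumed: one-time use only
            left = len(record["backup"])
            return {"ok": True, "kind": "backup", "remaining": left,
                    "warn_low": left <= LOW_WATERMARK}
        return {"ok": False, "kind": "backup", "remaining": len(record["backup"])}
    return {"ok": False, "kind": "unrecognised", "remaining": len(record["backup"])}
```

The TOTP half reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, time 59 gives 287082 when truncated to 6 digits), which is a quick way to check any TOTP implementation against an authenticator app.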

How to regenerate backup codes?

If the user has used most of them, or thinks the printed copy is no longer safe:

  • Go to My Account → Edit Account (or Users → Profile for staff).
  • On the 2FA card, click Regenerate backup codes.
  • The previous codes are invalidated immediately and a new set of 10 is issued.
  • Save the new set somewhere safe.

What if a user loses everything (phone AND backup codes)?

The store admin can reset 2FA for that user:

  • Go to Users → All Users, find the user, click Edit.
  • Scroll to the 2FA section and click Reset 2FA for this user.
  • Confirm in the dialog. The user’s 2FA enrolment is wiped — they can log in normally with just their password, then re-enrol if desired.

This action is admin-only and logged in the Analytics dashboard as a 2fa_disabled event.


Settings reference

Setting                      | What it does
Enable Authenticator App 2FA | Master toggle. When off, the entire 2FA system is dormant — no setup cards, no login prompts, even for users already enrolled.
Show 2FA option to           | Decides which users see the “Set up 2FA” card on their account page. Setup remains optional even for users the policy applies to.
Roles                        | Used by the two role-based policy modes above. Multi-select.
Remember this device for     | Trust-cookie lifetime after a successful 2FA verification. “Don't remember” makes the code prompt appear at every login.