Two-Factor Authentication (2FA) Methods for WordPress Login


AIO Login Pro provides Two-Factor Authentication (2FA) for WordPress login security, adding an extra layer of protection beyond passwords. This system ensures that even if credentials are compromised, unauthorized access is still blocked through a second login verification step. This is a Pro feature and requires the Professional plan or higher.

Why Use Two-Factor Authentication?

Passwords alone are vulnerable to brute force attacks, phishing, and credential stuffing. Enabling WordPress 2FA login security adds an additional verification step using something the user owns (email or authenticator app), significantly reducing unauthorized access risks.

Accessing 2FA Settings

Navigate to WordPress Dashboard → AIO Login → 2FA → Authentication Methods.


METHOD 1: Email One-Time Password (OTP)

Email OTP is a passwordless second-step verification method where users receive a 6-digit code via email during login.

Setting Up Email OTP (Admin Configuration)

  • Go to AIO Login → 2FA → Authentication Methods
  • Enable Email One-Time Code

Email Configuration

  • Sender Name* – Display name in email (e.g. My Website)
  • Sender Email* – From email address (e.g. noreply@domain.com)
  • Admin Notification Email – Optional copy of all OTP emails
  • Email Subject – Subject line for OTP emails
  • Email Template – Customize email body

Supported Placeholders:

  • {code} → 6-digit OTP code
  • {site_name} → Website name
  • {site_url} → Website URL
  • {user_name} → User display name
  • {expiry} → Code validity duration

Security Settings

  • OTP Expiry
    5 / 10 / 15 / 30 minutes
  • Resend Cooldown
    Default: 30 seconds
  • Max OTP Attempts
    Default: 5 attempts
  • Block Duration
    Default: 15 minutes
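
The settings above work together: the expiry limits how long a code is usable, while the attempt limit and block duration limit how many of the 10^6 possible codes can be tried. The following Python model of that policy is an added example, not AIO Login's code; the class and method names are hypothetical, the 10-minute expiry is one of the listed options, and keeping the failure counter across resends is this example's assumption.

```python
import hashlib
import hmac
import secrets

# Values from the settings above; names are this example's own.
OTP_EXPIRY = 10 * 60       # seconds; one of the 5 / 10 / 15 / 30 minute options
RESEND_COOLDOWN = 30       # seconds (page default)
MAX_ATTEMPTS = 5           # page default
BLOCK_DURATION = 15 * 60   # seconds (page default)


class EmailOtpSession:
    """Per-user OTP state. `now` (seconds) is passed in so the policy is testable."""

    def __init__(self):
        self.digest = None       # SHA-256 of the current code, None if no live code
        self.issued_at = None
        self.attempts = 0        # assumption: failures persist across resends
        self.blocked_until = 0

    def issue(self, now):
        """Return a new 6-digit code, or None while blocked or in the resend cooldown."""
        if now < self.blocked_until:
            return None
        if self.issued_at is not None and now - self.issued_at < RESEND_COOLDOWN:
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG; keeps leading zeros
        # Avoid holding the plaintext; with only 10**6 values this is hygiene, not secrecy.
        self.digest = hashlib.sha256(code.encode()).digest()
        self.issued_at = now
        return code

    def verify(self, code, now):
        """Return 'ok', 'invalid', 'expired' or 'blocked'."""
        if now < self.blocked_until:
            return "blocked"
        if self.digest is None or now - self.issued_at > OTP_EXPIRY:
            self.digest = None
            return "expired"
        candidate = hashlib.sha256(code.encode()).digest()
        if hmac.compare_digest(candidate, self.digest):   # constant-time comparison
            self.digest, self.attempts = None, 0          # single use
            return "ok"
        self.attempts += 1
        if self.attempts >= MAX_ATTEMPTS:
            self.digest, self.attempts = None, 0          # burn the code, start the block
            self.blocked_until = now + BLOCK_DURATION
            return "blocked"
        return "invalid"
```

Because a resend does not reset the failure counter in this model, requesting new codes does not buy extra guesses: five wrong entries trigger the 15-minute block regardless of how many codes were issued.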

Verification Setup

Click “I’M READY” to test configuration:

  • OTP is sent to admin email
  • Enter 6-digit code to verify setup
  • Backup codes appear after successful verification (if enabled)

Click Save Changes to activate.


Non-Admin User View (Email OTP)

For regular users:

  • OTP delivery email is shown
  • Optional CC email field may appear

METHOD 2: Authenticator App (TOTP)

Authenticator App login provides secure time-based one-time password (TOTP) authentication using apps like:

  • Google Authenticator
  • Microsoft Authenticator
  • Authy

Setting Up Authenticator App (Admin)

  • Go to AIO Login → 2FA → Authentication Methods
  • Enable Authenticator App (TOTP)

Setup Flow

  • Scan QR code OR manually enter secret key
  • Open authenticator app on mobile
  • Enter generated 6-digit code
  • Click Verify

Security Settings

  • Max OTP Attempts – Default: 5
  • Block Duration – Default: 15 minutes

Click Save Changes to apply.


Non-Admin User View (TOTP)

Users will:

  • Scan QR code during setup
  • Verify using authenticator app
  • Follow same login verification flow

Note: Only one 2FA method can be active site-wide at a time (Email OTP or TOTP). Disabling a method applies instantly and affects all users across the site.

Remember Device (Trusted Login Sessions)

The Remember Device feature enables a passwordless 2FA bypass for logins from trusted devices, allowing users to skip verification on recognized devices.

Setup

  • Go to AIO Login → 2FA → Authentication Methods
  • Enable Remember Device
  • Set trust duration. Example options:
    • 7 days
    • 30 days (default)
    • 90 days
  • Click Save Changes

Trusted Device Management

A Trusted Devices table displays:

  • Browser / Device name
  • IP Address
  • Last used timestamp
  • Revoke action

User View (Trusted Devices)

  • Users can view their own trusted devices
  • Users can revoke individual devices
  • Trust duration cannot be changed by users (admin-controlled)

Note: If the Remember Device flow is enabled, the device is trusted after the first successful login, and future logins from the same device will bypass 2FA until the admin or the user revokes the session.

Need Help?

If you face any issues or have questions, feel free to contact our support team. We’re here to help you get the most out of AIO Login.
