How it works...

Because the process requires two steps, some users will welcome it as a way to secure their account, while others may consider it an unnecessary step. Therefore, we can't enable this feature for all users at once. Instead, the plugin provides per-user settings to enable or disable the feature for the account and to configure which authentication method to use.

We started the recipe by configuring the settings for 2FA. The settings are available in the Account Management section of the backend user profile. The plugin provides four different authentication methods: Email, Time Based One-Time Password (Google Authenticator), FIDO Universal 2nd Factor, and Backup Verification Codes. Sending an SMS is another method, but it is not supported by this plugin. In this case, we selected Email as the second authentication method. Now, 2FA is set up for the user.

Once the user logs in using the correct login credentials, the plugin will load an intermediate screen. This screen prevents the user from completing the login and being redirected to the dashboard. The plugin will also send a random numeric code to the email specified in the user account and store the value in the database. Then, the user has to copy the correct access code, enter it into the form on the login screen, and submit again. Once the code is verified, the user will be allowed to log in to the site as usual. If the user doesn't provide the code, the user will not be allowed to log in again. Therefore, gaining access to another user's account becomes very difficult without also having access to that user's email.
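The email-code flow described above can be sketched in plain PHP. This is an added example, not the Two Factor plugin's own code. The function names, the 8-digit code length, the 15-minute lifetime, the five-attempt limit and the in-memory array standing in for the database are all assumptions.

```php
<?php
// Added illustration, not the plugin's code. All names and limits are hypothetical.
const CODE_TTL = 900;     // assumed code lifetime in seconds
const MAX_ATTEMPTS = 5;   // assumed number of guesses allowed per code

// Stand-in for the database: user id => pending challenge.
$store = [];

function issue_code(array &$store, int $userId, string $secret, int $now): string
{
    // random_int() draws from a CSPRNG; rand()/mt_rand() would be predictable.
    $code = str_pad((string) random_int(0, 99999999), 8, '0', STR_PAD_LEFT);
    $store[$userId] = [
        // Keep only a keyed hash so a database leak does not reveal live codes.
        'hash'     => hash_hmac('sha256', $code, $secret),
        'expires'  => $now + CODE_TTL,
        'attempts' => 0,
    ];
    return $code; // this value is what gets emailed to the account's address
}

function verify_code(array &$store, int $userId, string $secret, string $input, int $now): bool
{
    if (!isset($store[$userId])) {
        return false; // no pending challenge for this user
    }
    $entry = &$store[$userId];
    if ($now > $entry['expires'] || $entry['attempts'] >= MAX_ATTEMPTS) {
        unset($store[$userId]); // expired or exhausted: user must log in again
        return false;
    }
    $entry['attempts']++;
    // hash_equals() compares in constant time.
    $ok = hash_equals($entry['hash'], hash_hmac('sha256', trim($input), $secret));
    if ($ok) {
        unset($store[$userId]); // codes are single use
    }
    return $ok;
}

// Constructed demo values.
$secret = 'demo-site-secret';
$code = issue_code($store, 42, $secret, 1000);
var_dump(verify_code($store, 42, $secret, '00000000x', 1001)); // wrong code
var_dump(verify_code($store, 42, $secret, $code, 1002));        // correct code
var_dump(verify_code($store, 42, $secret, $code, 1003));        // replay of a used code
```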

So, we can use this method to protect user accounts. There are some sites that have enabled multi-factor authentication, where the user has to authenticate using two or more additional methods.

Before moving on to the next recipe, deactivate the Two Factor plugin.