WordPress Two Factor Authentication (CMAUTH) - Use Case - How to Create 2FA Login to Your Site With Email
Use Case - How to create 2FA login to your site with email
Note: This guide requires:
- WordPress Two Factor Authentication – This document uses version 1.6.7.
Introduction
WordPress Two Factor Authentication rebuilds the account security for your WordPress users by offering integration with four widely accredited two-factor authentication (2FA) methods: Google Authenticator, Mobile Phone SMS, Email verification and Email code. By not relying on the password alone, users feel confident that their credentials and data are stored safely.
Use Case Front-End
Example with email verification code:
![Login with email verification code - WP 2FA Plugin](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e35f4505ff892e6bc2dcbe/file-NX7m53h6ct.gif)
Example with email confirmation link:
![Login with email confirmation link - WordPress Login SMS Verification](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e3659b9e87cb3d0124a2df/file-Xhwy823wjJ.gif)
Use Case Assumptions
This use case guide shows how to create 2FA login to your site with an email verification code or an email confirmation link.
Email Code - The login page asks for a unique code, which is sent to the e-mail registered by the user when they try to sign in.
Email Link - Similar to the previous one, this method sends the user a link that allows them to log in. The link is unique and expires after a set amount of time (the duration can be changed in the General tab).
The guide covers:
- Installing the plugin
- General settings
- Email Code
- Email Link
- Individual user settings
- IPs and devices restrictions
- Appearance
- Notifications
- Labels
- End Result
Installing the Plugin
The process is the same for all CM plugins and add-ons.
![CreativeMinds Customer Account Dashboard - Downloads tab](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/5ea2abc604286364bc98ef13/file-FEHseeA7Qu.png)
- Download the plugin from your customer dashboard.
- Log in to WordPress and navigate to the WordPress Admin → Plugins settings.
- Click on Add New.
- Activate it and add the license.
Learn more: Getting Started - Plugin Overview
General Settings
Enabling email protection on your site is quite simple. To configure all base options you need to navigate to Admin Dashboard → CM Secure Login Pro → Settings → General tab.
![Navigation to the general plugin settings - 2 Factor Authentication for WordPress](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60df69869e87cb3d01249ac7/file-JQTnh15cTn.png)
There you can find a few sections with the options. Let's consider the ones that are important for configuring email protection.
Login
Protection method - This option is the core of the plugin. Here you choose which protection method to use. There are four protection methods: Google Authenticator, Email verification code, Email confirmation link, SMS verification code. You can also let users choose between SMS code and e-mail code. In this use case we choose the methods Send verification code to user's email address and Send confirmation link to user's email address. Both are covered in more detail below.
Other Protection Methods
Learn more about other protection methods in these use cases:
Require chosen protection method for all users - Enable this option if you want to apply the previously selected method to all users.
Require chosen protection method for chosen roles - If the previous option is disabled, you can apply the chosen protection method only to specific user roles, which you select from the list.
TIP: Notify Users
You can notify your users about the changes in login process by sending them emails. You can learn more about how to do it in this guide: WordPress Two Factor Authentication (CMAUTH) - How To - Notify Users About Login Process Changes
Disable passwords
You can disable the password for every user or only for those with certain roles. Note that disabling the password does not mean the users will only need their username to sign in. Instead, they will log in with their usernames and the chosen authentication method.
- Disable passwords for all users - Choose Yes to disable passwords for all users.
- Disable passwords for chosen roles - Choose the roles that won't need a password to log in. Works only if the previous option is disabled (set to No).
![Disabling passwords - WordPress 2FA](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e2e8fc00fd0d7c253fc80e/file-VGyeiQSJqH.png)
Common
Here you can configure additional security options.
- Expiration time for the email/SMS code or link [minutes] - Define the time in minutes after which the sent one-time code or link expires.
![Specifying expiration time for email/SMS code or link - WordPress Two Factor Authentication Plugin](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e34e0800fd0d7c253fca47/file-QYWEz44058.png)
- Sleep time when the entered code is incorrect [seconds] - Set how long the response to the browser is delayed when a user enters an invalid code from Google Authenticator or e-mail. This can slow down malicious bots that try to log in by brute force.
![Specifying sleep time when the entered code is incorrect - WP 2FA Plugin](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e2eb8c8556b07a2884c55a/file-lKnXzZAArW.png)
- Logout after activity/inactivity time [minutes] - Users will be logged out after this period of activity/inactivity (in minutes). Set to 0 to disable.
![Specifying logout time - WordPress Login SMS Verification](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e2ebaa8556b07a2884c55b/file-TeDGO7KomS.png)
- Logout mode - Choose when users are logged out: only after a period of inactivity, or in both cases (activity and inactivity). Works only if the previous option is enabled.
![Choosing logout mode - 2 Factor Authentication for WordPress](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e2ebcd61c60c534bd6c2db/file-UPDMdpHHWZ.png)
- Characters set to generate the code from - Set the characters that will be used to create the random code.
![Specifying the list of characters for generating codes - WordPress Two Step Authentication](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e34e5e9e87cb3d0124a271/file-KRepSVIBNS.png)
- Code length - Set the authentication code length.
![Specifying code length - WordPress Enable 2FA](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e34e6505ff892e6bc2dc7c/file-hFF3ccChuk.png)
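The four Common settings above (expiration time, sleep time, character set, code length) together determine how exposed an e-mailed code is to online guessing. The following added example, which is not part of the plugin or its documentation, estimates that exposure for a given combination of settings; the `parallel` and `rtt_ms` parameters, the uniform-code assumption and the sample profiles are this example's own modeling assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class CodeRisk:
    keyspace: int             # distinct codes the settings can produce
    bits: float               # entropy of one code, in bits
    guesses_per_code: int     # guesses that fit into one expiration window
    p_single: float           # chance of guessing one code before it expires
    codes_for_even_odds: int  # issued codes to attack for a 50% overall chance


def assess(charset: str, length: int, expiry_min: int, sleep_s: int,
           parallel: int = 1, rtt_ms: int = 50) -> CodeRisk:
    """Model online guessing against one e-mailed code.

    Assumptions of this example, not plugin facts: codes are drawn uniformly
    from the character set, every wrong guess costs max(sleep, round trip)
    on its connection, and `parallel` connections are not serialized.
    """
    unique = len(set(charset))  # repeated characters add no keyspace
    if unique < 2 or min(length, expiry_min, parallel, rtt_ms) < 1 or sleep_s < 0:
        raise ValueError("invalid settings")
    keyspace = unique ** length
    # With sleep time 0 only network latency (rtt_ms) limits the guess rate.
    per_guess_ms = max(sleep_s * 1000, rtt_ms)
    window_ms = expiry_min * 60 * 1000
    guesses = min(keyspace, max(1, window_ms // per_guess_ms) * parallel)
    p = guesses / keyspace
    # Smallest n with 1 - (1 - p)^n >= 0.5; log1p keeps precision for tiny p.
    n = 1 if p >= 0.5 else math.ceil(math.log(0.5) / math.log1p(-p))
    return CodeRisk(keyspace, math.log2(keyspace), guesses, p, n)


# Constructed settings profiles for comparison (not plugin defaults).
PROFILES = {
    "4 digits, 30 min, no sleep": ("0123456789", 4, 30, 0),
    "6 digits, 10 min, 3 s sleep": ("0123456789", 6, 10, 3),
    "8 alphanumerics, 10 min, 3 s sleep":
        ("abcdefghijklmnopqrstuvwxyz0123456789", 8, 10, 3),
}

if __name__ == "__main__":
    for name, args in PROFILES.items():
        r = assess(*args)
        print(f"{name}: {r.bits:.1f} bits, {r.guesses_per_code} guesses/code, "
              f"p={r.p_single:.2e}, codes for 50%: {r.codes_for_even_odds}")
```

A per-code probability that looks small still adds up when codes can be requested repeatedly, which is what `codes_for_even_odds` expresses.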
Email Code
The next important tab is Email Code.
In this tab, you can edit the email template that contains a verification code:
![Email template - How to Enable 2FA On WordPress](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e3539c61c60c534bd6c4c0/file-YcSWgQL2Ik.png)
You can use the following shortcodes to add dynamic content to the subject and body of these emails:
- Subject shortcodes:
  - [blogname]
  - [siteurl]
  - [userdisplayname]
  - [userlogin]
  - [useremail]
- Body shortcodes:
  - [code] - the code that the user has to enter on the login form. Note: this shortcode must be in the email.
  - [blogname]
  - [siteurl]
  - [userdisplayname]
  - [userlogin]
  - [useremail]
In this tab you can also define a URL where the user will be redirected when logged in after using the code. If it's left empty, the default WordPress admin link will be used.
![After login redirection - WordPress 2FA](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e354329e87cb3d0124a295/file-diiFzvL06o.png)
Result
The base configuration is done, so don't forget to click the Save button at the bottom of the page. Now let's check how it works on the front-end.
When a user tries to log in after 2FA is enabled, they need to enter their username/email and password, and then click Get verification code. They will be notified that the verification code was sent to their email, and they can also see the time when the code expires. The user then copies the code from the email, pastes it into the Verification Code field and clicks Log In.
![Front-end result - WordPress Two Factor Authentication Plugin](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e35f4505ff892e6bc2dcbe/file-NX7m53h6ct.gif)
TIP: Choose between Email Code and SMS Code
You can let the user choose between receiving the verification code by email or via SMS. To do so, select Option to choose between SMS & Email in the Protection method option on the General tab.
![Protection method that lets users choose between SMS and email verifications - WP 2FA Plugin](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e373309e87cb3d0124a2fb/file-EFqFBaJA5B.png)
You might also need to customize the labels so that the user can distinguish the buttons for Email and SMS codes.
Example on the front-end:
![Choosing between SMS and email verifications - WordPress Login SMS Verification](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e3746000fd0d7c253fcace/file-FViN1DLfDu.png)
Email Link
The Email Link tab is where you configure the email confirmation link protection method.
Note: to make this method work, don't forget to go back to the General tab and switch the Protection method option to Send confirmation link to user's email address.
![Choosing protection method - 2 Factor Authentication for WordPress](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e3662161c60c534bd6c514/file-itkwPWgq6M.png)
In this tab, you can edit the email template for the confirmation link.
The options are:
Check for the login confirmation every X second - After the user logs in with the unique link, the server continually checks for confirmation to evaluate whether the user came from a legitimate source. Here you can set the interval of that check in seconds. Be careful, as this setting may affect server performance: a lower value might overload the server, depending on its capacity.
![Specifying time for login confirmation - WordPress Two Step Authentication](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e361db9e87cb3d0124a2d0/file-G6McmcotXN.png)
Email Template - This section is needed for customizing email template: Subject for the email with confirmation link and Body for the email with confirmation link.
![Email template - WordPress Enable 2FA](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e362c18556b07a2884c778/file-vknINFuPIN.png)
You can use the following shortcodes to add dynamic content to the subject and body of these emails:
- Subject shortcodes:
  - [blogname]
  - [siteurl]
  - [userdisplayname]
  - [userlogin]
  - [useremail]
- Body shortcodes:
  - [link] - the link that the user has to open to confirm the login. Note: this shortcode must be in the email.
  - [blogname]
  - [siteurl]
  - [userdisplayname]
  - [userlogin]
  - [useremail]
Confirmation Page
URL for the back link - The user will be redirected to this link after clicking the confirmation email. If the field is left blank, the user will be directed to the wp-admin.
Enable auto redirect to back link - Redirects the user to the back link if the login is successful.
Result
The base configuration is done, so don't forget to click the Save button at the bottom of the page. Now let's check how it works on the front-end.
When a user tries to log in after 2FA is enabled, they need to enter their username/email and password, then click Log In. They will be notified that the confirmation link was sent to their email. The user then clicks the link in the email and is redirected back to the site, logged in.
![Front-end result - WordPress Two Factor Authentication Plugin](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e3659b9e87cb3d0124a2df/file-Xhwy823wjJ.gif)
Individual User Settings
WordPress Two Factor Authentication lets you apply the chosen protection method not only to all users or specific roles, but also change the settings for each individual user.
To do this, navigate to Admin Dashboard → Users → All Users.
![Navigation to the list of all users - WP 2FA Plugin](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e2fc4d9e87cb3d0124a0ea/file-EJWJapiQK1.png)
Hover over the user you want to edit and click Edit.
![Editing the user - WordPress Login SMS Verification](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e2fcb78556b07a2884c5c0/file-u26yormrtG.png)
You will see the following panel in the user's page:
![Enabling or disabling 2FA protection for a specific user - 2 Factor Authentication for WordPress](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/61cc994d2c86b66933f56d28/file-J2jFAnyq8L.gif)
On the screenshot above you can see an example of the panel for the user that belongs to the user role with enabled 2FA protection. It works the same for the user roles with disabled 2FA protection.
The options are:
- Disable/enable protection - Either turns the 2FA on or off for this user.
- Clear admin decision - Resets any individual changes in favor of global settings.
IPs and Devices Restrictions
There are a few more features for additional security of the accounts.
To configure them, go back to Admin Dashboard → CM Secure Login Pro → Settings.
IP
The first tab we need is IP.
You can choose how many IP addresses are allowed for each user role.
The options are:
- Restrict user IPs - Enables the feature.
- User roles affected by IPs restriction - Mark which roles will be affected.
- Maximum of IPs allowed to each user - Choose a number (1 or higher).
- Accept only IPs chosen by the admin - Only allows logins from specific IPs defined by the admin for each user. This means that login attempts from other IPs will be blocked even if more IP slots are available.
![Enabling IP limits - WordPress Two Step Authentication](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e300b561c60c534bd6c35a/file-DGtqKDR1ZN.gif)
As a result, if someone tries to log in to the account from a new IP when the IP limit is reached, or when this IP is not allowed by the admin, the following message is shown:
![IP protection - WordPress Enable 2FA](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e368f78556b07a2884c78b/file-TIjHBKfign.png)
Learn more about IPs restrictions in this guide: WordPress Two Factor Authentication (CMAUTH) - How To - Restrict User Login By Number of IPs
Device
The other tab we need is Device.
You can restrict certain user roles from logging in from too many different devices.
- Restrict user devices - Enables the feature.
- Select user roles with devices restricting - Mark which roles will be affected.
- Maximum number of devices allowed to user - Choose a number (1 or higher).
![Enabling device limits - How to Enable 2FA On WordPress](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e3243d00fd0d7c253fc99a/file-wPNUpI12i8.gif)
As a result, if someone tries to log in to the account from a new device when the device limit is reached, the following message is shown:
![Device protection - WordPress 2FA](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e3690b9e87cb3d0124a2e6/file-alYcxSPKVk.png)
Learn more about devices restrictions in this guide: WordPress Two Factor Authentication (CMAUTH) - How To - Restrict User Login By Number of Devices
Appearance
On the Appearance tab you can add and change instructions and modify the appearance of the login form with CSS.
![Login instructions - WordPress Two Factor Authentication Plugin](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e369a361c60c534bd6c521/file-0I0HU0wb0e.png)
- Enable login instructions - Enables this option.
![Displaying login instructions - WP 2FA Plugin](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e32aca61c60c534bd6c429/file-s6tLApv48O.png)
- Login instructions content - Enter the login instructions that will be displayed on the login form.
![Editing login instructions content - WordPress Login SMS Verification](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e32ad18556b07a2884c6b1/file-dS8lreiY2T.png)
- Custom CSS - To further personalize your form, you can insert custom CSS. It will affect the following hooks: wp_head, admin_head, login_head.
![Field for adding custom CSS - 2 Factor Authentication for WordPress](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e32ad88556b07a2884c6b2/file-MrQEjE39fm.png)
Notifications
When a user attempts to log in, he/she receives a code or link.
WordPress Two Factor Authentication allows you to send an email to another user informing about the login attempt. This can be useful to monitor which users are trying to log in and how.
To configure it, navigate to the Notifications tab.
Send auth code to additional email - Enable it to send the code or link to additional email addresses.
Email address to send the notification - Enter comma-separated email addresses here. This setting only takes effect if the previous option is set to Yes.
Enable for chosen roles - Define which user roles will trigger the additional email.
Email template - Customize the subject and body template of the email. Both fields accept shortcodes:
- Subject shortcodes:
  - [blogname]
  - [siteurl]
  - [userdisplayname]
  - [userlogin]
  - [useremail]
- Body shortcodes:
  - [code] - the Email Code or SMS Code.
  - [link] - the link that the user has to open to confirm the login.
  - Note: the email must contain one of these two shortcodes, [code] or [link], depending on the protection method you chose.
  - [blogname]
  - [siteurl]
  - [userdisplayname]
  - [userlogin]
  - [useremail]
Example of the e-mail:
![Email example - WordPress Two Factor Authentication Plugin](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e3758000fd0d7c253fcad3/file-7gKcT75ViS.png)
Labels
On the Labels tab you can change the text of every label on the front-end. This feature is especially useful for localizing the form to different languages.
Email Code labels:
![Email code labels - WP 2FA Plugin](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e34b298556b07a2884c71a/file-w1TpIp7DwD.png)
Email Link labels:
![Email link labels - WordPress Login SMS Verification](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e34b579e87cb3d0124a263/file-J57QkCPBUR.png)
IPs and Devices Restriction labels:
![IPs and devices restrictions labels - 2 Factor Authentication for WordPress](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e332079e87cb3d0124a219/file-zdnmfuygZN.png)
End Result
Following instructions found in the plugin and guides, you should be able to create 2FA login to your site with email verification code or email confirmation link.
Use Case Front-End
Example with email verification code:
![Login with email verification code - WordPress Two Step Authentication](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e35f4505ff892e6bc2dcbe/file-NX7m53h6ct.gif)
Example with email confirmation link:
![Login with email confirmation link - WordPress Enable 2FA](http://d33v4339jhl8k0.cloudfront.net/docs/assets/558f9e89e4b01a224b42f278/images/60e3659b9e87cb3d0124a2df/file-Xhwy823wjJ.gif)