Opened 10 years ago
Last modified 6 years ago
#32401 new enhancement
Multi step authentication - adding hooks to wp-login.php
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.2.2 |
| Component: | Login and Registration | Keywords: | |
| Focuses: | | Cc: | |
Description
At the moment it's very difficult to add extra steps to wp-login.php.
There are several situations where a second step is necessary:
- There are TOTP plugins hosted on WordPress.org but they all assume every user will use 2FA and so show the field for the TOTP token in the login form. That's not appropriate for the situation where some users will have it enabled and some won't.
- If you send a token to a user via SMS then you need a second step in the form after the user has typed their username/password.
- If you use a captcha that doesn't target every user (i.e. it may be based on how many failed attempts there have been in the past hour for each account) that needs a second step too.
The whole process of adding a second step to the login process is very hacky and involves copying lots of code from wp-login.php (which, as I think we all know, leads to very fragile plugins).
Note that this ticket is not proposing including any kind of 2FA into WordPress core. This ticket is only about adding hooks to wp-login.php to make it much easier for people writing 2FA (and other authentication-related) plugins.