Make WordPress Core

Opened 4 years ago

Last modified 4 months ago

#32401 new enhancement

Multi step authentication - adding hooks to wp-login.php

Reported by: tomdxw
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.2.2
Component: Login and Registration
Keywords:
Focuses:
Cc:

Description

At the moment it's very difficult to add extra steps to wp-login.php.

There are several situations where a second step is necessary:

  • There are TOTP plugins hosted on WordPress.org but they all assume every user will use 2FA and so show the field for the TOTP token in the login form. That's not appropriate for the situation where some users will have it enabled and some won't.
  • If you send a token to a user via SMS then you need a second step in the form after the user has typed their username/password.
  • If you use a captcha that doesn't target every user (i.e. it may be based on how many failed attempts there have been in the past hour for each account) that needs a second step too.

The whole process of adding a second step to the login process is very hacky and involves copying lots of code from wp-login.php (which, as I think we all know, leads to very fragile plugins).

Note that this ticket is not proposing including any kind of 2FA into WordPress core. This ticket is only about adding hooks to wp-login.php to make it much easier for people writing 2FA (and other authentication-related) plugins.

Change History (0)