Super Duper Two-Factor Login

Super Duper Two-Factor Login adds robust two-factor authentication to your WordPress site. Unlike many alternatives, this plugin is completely free – no hidden costs, no premium tiers, no upsells. Every feature is included from the start.

Two Verification Methods

  • TOTP (Authenticator App) – Time-based one-time passwords (RFC 6238). Works with Google Authenticator, FreeOTP+, Authy, Microsoft Authenticator, and any TOTP-compatible app. Setup via QR code or manual key entry.
  • Email – Receive a 6-digit code via email on every login. No smartphone required, but this method is only as strong as access to the user's mailbox.
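
How the TOTP method verifies a code, as an added example in pure PHP (not the plugin's own code): base32-decode the shared secret the QR code carries, compute the RFC 4226 HMAC-SHA1 value for the current 30-second step and one step either side, compare in constant time, and refuse to accept a step that has already been consumed. Function names, the replay record and the window size are assumptions; the demo uses the RFC 6238 reference secret, whose 6-digit code at T = 59 s is 287082.

```php
<?php
// Added example, not the plugin's code: RFC 6238 TOTP verification using only
// hash_hmac(). Function names and the replay record are assumptions.

declare(strict_types=1);

// Decode an RFC 4648 base32 string (the format authenticator apps import).
function sdtfa_base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32  = strtoupper(rtrim($b32, '='));
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop the padding remainder
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// RFC 4226 HOTP for one counter value: HMAC-SHA1, dynamic truncation, mod 10^digits.
function sdtfa_hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg    = pack('J', $counter);            // 64-bit big-endian counter
    $hmac   = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code   = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Verify a submitted code against the current 30-second step plus $window
// steps either side (clock skew). Returns the accepted step, or null. The
// caller persists the returned step and passes it back as $lastUsedStep so a
// sniffed code cannot be replayed within the same window.
function sdtfa_totp_verify(string $b32secret, string $submitted, int $now, ?int $lastUsedStep, int $window = 1): ?int
{
    if (!preg_match('/^\d{6}\z/', $submitted)) {
        return null;
    }
    $secret   = sdtfa_base32_decode($b32secret);
    $step     = intdiv($now, 30);
    $accepted = null;
    for ($i = -$window; $i <= $window; $i++) {
        $candidate = $step + $i;
        // Check every candidate even after a match so timing does not reveal
        // which step matched.
        if (hash_equals(sdtfa_hotp($secret, $candidate), $submitted) && $accepted === null) {
            $accepted = $candidate;
        }
    }
    if ($accepted === null || ($lastUsedStep !== null && $accepted <= $lastUsedStep)) {
        return null;                          // wrong code, or a step already consumed
    }
    return $accepted;
}

// Demo with the RFC 6238 reference secret "12345678901234567890" in base32.
// At T = 59 s the step is 1 and the reference 6-digit code is 287082.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$first  = sdtfa_totp_verify($secret, '287082', 59, null);   // accepted step
$replay = sdtfa_totp_verify($secret, '287082', 59, $first); // same step again: rejected
$wrong  = sdtfa_totp_verify($secret, '000000', 59, null);   // rejected
```

The replay check is the piece most home-grown TOTP verifiers omit: without it a code captured by a phishing page or shoulder-surfer remains valid for the rest of the window.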

Comprehensive Fallback System

  • 10 Backup Codes – One-time emergency codes in case you lose your phone. Copy, download, print, or email them to yourself.
  • Administrator Recovery Key – Each admin receives a personal 32-character key during setup. Works even when all backup codes are used up.
  • FTP Emergency Recovery – As a last resort, create an empty file named .sdtfa-recovery in wp-content/ via FTP. This temporarily disables 2FA for all administrators, so anyone with write access to wp-content/ can use it as a bypass: delete the file as soon as access is restored. Admins are notified hourly by email while the file exists.
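
What "one-time" backup codes look like server-side, as an added example that is not the plugin's code: the plaintext codes are shown to the user once, only slow hashes are stored, and redeeming a code removes its hash so it cannot be used twice. The code length, display format and the user-meta key names in the usage sketch are assumptions.

```php
<?php
// Added example, not the plugin's code: issuing and redeeming one-time backup
// codes. Code format and storage key are assumptions; the hashing and
// one-time semantics are the point.

declare(strict_types=1);

const SDTFA_BACKUP_COUNT = 10;
const SDTFA_BACKUP_BYTES = 5;   // 40 bits -> 10 hex characters per code (assumed format)

// Generate fresh codes. Returns the plaintext list, to be shown to the user
// exactly once, and the hash list, which is all the server keeps.
function sdtfa_issue_backup_codes(): array
{
    $plain  = [];
    $hashes = [];
    for ($i = 0; $i < SDTFA_BACKUP_COUNT; $i++) {
        $code     = bin2hex(random_bytes(SDTFA_BACKUP_BYTES));
        $plain[]  = substr($code, 0, 5) . '-' . substr($code, 5);   // display form
        // password_hash (bcrypt by default): a dumped wp_usermeta row must not
        // hand an attacker usable codes, and 40-bit codes need a slow hash.
        $hashes[] = password_hash($code, PASSWORD_DEFAULT);
    }
    return ['plain' => $plain, 'hashes' => $hashes];
}

// Redeem a code. Returns the remaining hash list on success (the matching
// hash removed, so the code is spent) or null on failure.
function sdtfa_redeem_backup_code(array $hashes, string $submitted): ?array
{
    $code = strtolower(preg_replace('/[^0-9a-f]/i', '', $submitted));
    if (strlen($code) !== SDTFA_BACKUP_BYTES * 2) {
        return null;
    }
    $matched = null;
    // Verify against every stored hash (no early exit) so response time does
    // not reveal the position of the matching code. Ten bcrypt checks per
    // attempt is acceptable for a path that is also rate-limited by login.
    foreach ($hashes as $idx => $hash) {
        if (password_verify($code, $hash) && $matched === null) {
            $matched = $idx;
        }
    }
    if ($matched === null) {
        return null;
    }
    unset($hashes[$matched]);
    return array_values($hashes);
}

// Usage sketch inside WordPress (meta key name assumed):
//   $issued = sdtfa_issue_backup_codes();
//   update_user_meta($user_id, 'sdtfa_backup_hashes', $issued['hashes']);
//   display $issued['plain'] once, then discard it.
//   On login: $left = sdtfa_redeem_backup_code(get_user_meta($user_id, 'sdtfa_backup_hashes', true), $_POST['code']);
//   if ($left === null) reject; else update_user_meta($user_id, 'sdtfa_backup_hashes', $left);

$issued = sdtfa_issue_backup_codes();
$first  = $issued['plain'][0];
$left   = sdtfa_redeem_backup_code($issued['hashes'], $first);   // nine hashes remain
$again  = sdtfa_redeem_backup_code($left, $first);               // spent code: rejected
```

The same pattern covers the administrator recovery key: a longer random value, stored only as a hash, checked with password_verify.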

Enforcement & Trust

  • Role-Based Enforcement – Require 2FA for administrators, editors, subscribers, or any role.
  • Grace Period – Set a deadline so users have time to set up 2FA before enforcement kicks in.
  • Hard Enforcement – Without a grace period, users must complete 2FA setup on the login page before gaining any access.
  • Enforcement Areas – Choose where to enforce: admin area, WooCommerce account, checkout, or entire site.
  • Trust This Device – Users can mark a browser as trusted so the 2FA code is not required on every login from it. Configurable duration (1–365 days). The trust lives in a browser cookie, so clearing cookies or using another browser asks for a code again.
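
One way to implement "Trust This Device" with the cookie and hashed-token properties listed under Security below, as an added example that is not the plugin's code: the browser receives a random 256-bit token in a Secure, HttpOnly, SameSite cookie; the server keeps only the SHA-256 hash of that token plus an expiry; verification is a constant-time hash comparison. The cookie name, record layout and user-ID binding are assumptions.

```php
<?php
// Added example, not the plugin's code: a trusted-device token. Cookie name,
// record layout and the user-ID binding are assumptions.

declare(strict_types=1);

const SDTFA_TRUST_COOKIE = 'sdtfa_trusted';

// Create a trust record for $userId lasting $days (clamped to 1..365).
// Returns the cookie value to send and the record to persist server-side.
function sdtfa_trust_issue(int $userId, int $days, int $now): array
{
    $days  = max(1, min(365, $days));
    $token = random_bytes(32);
    $record = [
        // Only the hash is stored: reading the database does not yield a
        // usable cookie. A fast hash is fine because the token is 256 random bits.
        'hash'    => hash('sha256', $token),
        'expires' => $now + $days * 86400,
    ];
    // Prefix the user ID so the record lookup is bound to the account that
    // created it; the hash comparison still decides validity.
    $cookie = $userId . ':' . bin2hex($token);
    return ['cookie' => $cookie, 'record' => $record];
}

// Check a presented cookie against the user's stored records. True only for
// an unexpired record whose hash matches in constant time.
function sdtfa_trust_check(string $cookie, int $userId, array $records, int $now): bool
{
    if (!preg_match('/^(\d+):([0-9a-f]{64})\z/', $cookie, $m) || (int) $m[1] !== $userId) {
        return false;
    }
    $hash = hash('sha256', hex2bin($m[2]));
    foreach ($records as $rec) {
        if ($rec['expires'] > $now && hash_equals($rec['hash'], $hash)) {
            return true;
        }
    }
    return false;
}

// Send the cookie with the attributes the page lists (Secure, HttpOnly) plus
// SameSite=Lax so it is not attached to cross-site POST requests.
function sdtfa_trust_send_cookie(string $value, int $expires): void
{
    setcookie(SDTFA_TRUST_COOKIE, $value, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Stand-alone demo (setcookie is not called here, as it needs an HTTP response).
$now    = time();
$issued = sdtfa_trust_issue(7, 30, $now);
$valid  = sdtfa_trust_check($issued['cookie'], 7, [$issued['record']], $now);
$other  = sdtfa_trust_check($issued['cookie'], 8, [$issued['record']], $now);            // wrong user
$late   = sdtfa_trust_check($issued['cookie'], 7, [$issued['record']], $now + 31 * 86400); // expired
```

Because the stored value is a hash of the token, an attacker who reads wp_usermeta still has to present the original random token, which exists only in the user's browser.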

Integration

  • WooCommerce – Adds a “Two-Factor Authentication” tab to the My Account page. Enforce 2FA for the account area and checkout.
  • Shortcode – Display the user’s 2FA status anywhere with [sdtfa_status].
  • Setup Reminder – A dismissable admin notice with a “Set up now” button. No auto-popups; users open the setup flow only by clicking.

Security

  • AES-256-GCM encryption for TOTP secrets at rest
  • Secure HttpOnly cookies for trusted devices
  • Hashed token storage (never stored in plain text)
  • No external dependencies – everything runs locally in pure PHP
  • No external API calls, no tracking, no data collection
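
What "AES-256-GCM encryption for TOTP secrets at rest" involves in pure PHP, as an added example that is not the plugin's code: PHP's bundled OpenSSL extension provides the cipher, a fresh 96-bit nonce is generated per encryption, the authentication tag is stored with the ciphertext, and the user ID goes in as additional authenticated data so a ciphertext copied between user rows fails to decrypt. The key source (a hex constant assumed to be defined in wp-config.php) and the ciphertext layout are assumptions.

```php
<?php
// Added example, not the plugin's code: sealing a TOTP secret with
// AES-256-GCM via openssl_encrypt(). Key constant name and record layout are
// assumptions.

declare(strict_types=1);

// The key must live outside the database: if it sat in wp_options next to the
// ciphertext, one SQL dump would contain both. Here it is a 32-byte value
// stored as 64 hex characters in a wp-config.php constant (assumed name).
function sdtfa_key(): string
{
    if (!defined('SDTFA_KEY_HEX') || strlen(SDTFA_KEY_HEX) !== 64) {
        throw new RuntimeException('SDTFA_KEY_HEX must be 64 hex characters (32 bytes)');
    }
    return hex2bin(SDTFA_KEY_HEX);
}

// Encrypt; returns base64(nonce || tag || ciphertext). The user ID is the AAD,
// so the record is bound to the row it was written for.
function sdtfa_seal_secret(string $plainSecret, int $userId): string
{
    $nonce = random_bytes(12);   // fresh 96-bit nonce for every encryption; never reuse with the same key
    $tag   = '';
    $ct    = openssl_encrypt($plainSecret, 'aes-256-gcm', sdtfa_key(), OPENSSL_RAW_DATA, $nonce, $tag, (string) $userId, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

// Decrypt; returns null when the tag does not verify (tampering, wrong key,
// or a record moved to another user's row).
function sdtfa_open_secret(string $stored, int $userId): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = substr($raw, 28);
    $pt    = openssl_decrypt($ct, 'aes-256-gcm', sdtfa_key(), OPENSSL_RAW_DATA, $nonce, $tag, (string) $userId);
    return $pt === false ? null : $pt;
}

// Stand-alone demo with a throwaway key. In a real install the constant is set
// once in wp-config.php and never generated in code.
if (!defined('SDTFA_KEY_HEX')) {
    define('SDTFA_KEY_HEX', bin2hex(random_bytes(32)));
}
$sealed = sdtfa_seal_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', 7);
$opened = sdtfa_open_secret($sealed, 7);   // original secret
$moved  = sdtfa_open_secret($sealed, 8);   // tag fails under the other user's AAD
```

The caveat a reviewer would raise: encryption at rest protects against a database-only leak (SQL injection, backup exposure). Whoever can read wp-config.php, or run PHP on the host, can read the key and therefore the secrets, so the measure does not replace file-system and host hardening.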

Privacy & Hardening (optional)

  • Hide user data in REST API – Replace sensitive user fields (name, slug, link, avatar) with neutral values for unauthenticated requests. The REST endpoint stays reachable for SEO and import tools, but anonymous visitors no longer see real display names.
  • Block author archives – Redirect unauthenticated visitors away from ?author=N and /author/<slug>/ to prevent user enumeration.
  • Disable password reset – Disable the “Lost your password?” function for administrators and/or selected roles, so that access to a mailbox alone cannot be used to reset an administrator's password. Useful when 2FA must be the only authentication path.
  • Users list column – A clean “SDTFA” column on Users → All Users that shows the real 2FA status (TOTP, Email, or off) and replaces duplicate columns added by host mu-plugins or other 2FA plugins.
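
The first three hardening options above expressed as ordinary WordPress hooks, as an added example that is not the plugin's code (the hook names rest_prepare_user, template_redirect and allow_password_reset are WordPress core filters and actions; the replacement values and the role list are assumptions). The priority on the author-archive hook matters: WordPress's own canonical redirect runs on template_redirect at priority 10 and would otherwise 301 ?author=N to /author/<slug>/, leaking the login name in the Location header before any later hook could block it.

```php
<?php
// Added example, not the plugin's code: REST user anonymisation, author
// archive blocking and password-reset refusal as plain WordPress hooks.
// Replacement values and the role list are assumptions. Load as a plugin or
// mu-plugin; it depends on WordPress being bootstrapped.

// 1. Neutralise identifying fields in /wp-json/wp/v2/users for anonymous
//    requests while leaving the endpoint itself reachable.
add_filter('rest_prepare_user', function (WP_REST_Response $response, WP_User $user, WP_REST_Request $request) {
    if (is_user_logged_in()) {
        return $response;
    }
    $data = $response->get_data();
    $data['name']        = 'Author';                 // assumed neutral values
    $data['slug']        = 'author-' . $user->ID;
    $data['link']        = home_url('/');
    $data['avatar_urls'] = [];
    $response->set_data($data);
    return $response;
}, 10, 3);

// 2. Send anonymous visitors away from author archives. Priority 0 runs before
//    redirect_canonical() (priority 10), which would otherwise resolve
//    ?author=N to /author/<slug>/ and reveal the username in the redirect.
add_action('template_redirect', function () {
    if (is_user_logged_in()) {
        return;
    }
    if (is_author() || isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
}, 0);

// 3. Refuse password reset for administrators (role list assumed; the plugin
//    lets you pick roles). get_password_reset_key() honours a WP_Error here.
add_filter('allow_password_reset', function ($allow, $user_id) {
    $user = get_userdata($user_id);
    if ($user && in_array('administrator', (array) $user->roles, true)) {
        return new WP_Error('sdtfa_no_reset', __('Password reset is disabled for this account.'));
    }
    return $allow;
}, 10, 2);
```

Quick check after enabling: curl -s https://example.test/wp-json/wp/v2/users should show the neutral names, and curl -sI "https://example.test/?author=1" should return a 302 to the home page rather than a 301 to /author/<slug>/ (example.test is a placeholder hostname).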

Translations

Fully translatable with included translations for German (DE/AT/CH), English, French, Spanish, Italian, and Dutch.

Details

Plugin code: super-duper-two-factor-login
Plugin version: 2.5.5
Outdated: No
WP version: 6.8 or higher
PHP version: 8.3 or higher
Tested up to WP version: 6.9.4
Total installations: 0
Last updated: 2026-05-01
Rating: (no ratings yet)
Times rated: 0
Tags: 2fa, login, security, totp, two-factor