Two-Factor Developer APIs

The Two-Factor module provides a number of developer APIs to customize behavior beyond the options exposed in the module's configuration page.

Hooks and Filters

Limit Allowed Two-Factor Methods

By default, a user can choose to use any of the enabled Two-Factor methods. By using the itsec_two_factor_allowed_providers_for_user filter the methods can be limited on a per-user basis. For example, the following code snippet restricts non-administrator users to using the Email Two-Factor method.

add_filter( 'itsec_two_factor_allowed_providers_for_user', function ( $providers, WP_User $user ) {
if ( ! $user->has_cap( 'manage_options' ) ) {
return [ \Two_Factor_Email::class ];
}

return $providers;
}, 10, 2 );

If a user has no allowed providers, the Two-Factor settings interface will be hidden from their WordPress profile.

Limit Available Two-Factor Methods

The Require Two FactorVulnerable User Protection, and Vulnerable Site Protection features can be used to enable Two-Factor for a user even if they haven't configured Two-Factor for themselves. When this is the case, the Email Two-Factor method will automatically be added to the list of available providers for a user, regardless of if it is excluded with the itsec_two_factor_allowed_providers_for_user filter.

If this behavior isn't desired, for example you wish to completely disable Two-Factor for certain users, but still want to keep the Vulnerable User Protection and Vulnerable Site Protection features enabled, return an empty array of providers.

add_filter( 'itsec_two_factor_available_providers_for_user', function ( $providers, WP_User $user ) {
if ( ! $user->has_cap( 'manage_options' ) ) {
return [];
}

return $providers;
}, 10, 2 );

When using this filter to disable all Two-Factor methods for a user, make sure to also return an empty list from the itsec_two_factor_allowed_providers_for_user filter. Otherwise, the settings interface will not be hidden from the user. In other words, whenever limiting the available Two-Factor methods for a user make sure those methods are also not allowed.

Powered by Zendesk