Super Duper Two-Factor Login Wordpress Plugin - Rating, Reviews, Demo & Download
Plugin Description
Super Duper Two-Factor Login adds robust two-factor authentication to your WordPress site. Unlike many alternatives, this plugin is completely free – no hidden costs, no premium tiers, no upsells. Every feature is included from the start.
Two Verification Methods
- TOTP (Authenticator App) – Works with Google Authenticator, FreeOTP+, Authy, Microsoft Authenticator, and any TOTP-compatible app. Setup via QR code or manual key entry.
- Email – Receive a 6-digit code via email on every login. No smartphone required.
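The TOTP method above is the standard RFC 6238 scheme, and the settings screenshot later on the page mentions a validation strictness setting (strict / normal / tolerant). The following is an added example, not the plugin's own code, showing how a server verifies such a code in pure PHP: decode the base32 secret the authenticator app was given, compute the HMAC-SHA1 one-time value for the current 30-second step, compare it in constant time, and accept a small amount of clock drift. The mapping of strict/normal/tolerant to 0, 1 and 2 steps of drift, and the "last used step" replay check, are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): RFC 6238 TOTP verification in pure PHP,
// with a drift window that mirrors a "strict / normal / tolerant" setting.
// The window sizes and the stored "last used step" are assumptions for illustration.

declare(strict_types=1);

/** Decode a base32 secret (the format authenticator apps accept via QR code or manual entry). */
function sdtfa_base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    foreach (str_split($b32) as $c) {
        $pos = strpos($alphabet, $c);
        if ($pos === false) {
            throw new InvalidArgumentException('Invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** HOTP value for one counter step (RFC 4226: HMAC-SHA1 plus dynamic truncation). */
function sdtfa_hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg  = pack('J', $counter); // 64-bit big-endian counter
    $hmac = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          | ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Verify a submitted code. $strictness selects how many 30-second steps of clock
 * drift are accepted on either side (assumed mapping). Returns the matching time
 * step so the caller can persist it and refuse a replay of the same code, or null.
 */
function sdtfa_verify_totp(string $secret, string $code, string $strictness, ?int $lastUsedStep, ?int $now = null): ?int
{
    $windows = ['strict' => 0, 'normal' => 1, 'tolerant' => 2];
    $window  = $windows[$strictness] ?? 1;
    $step    = intdiv($now ?? time(), 30);
    $code    = preg_replace('/\s+/', '', $code);
    if (!preg_match('/^\d{6}$/', $code)) {
        return null;
    }
    for ($i = -$window; $i <= $window; $i++) {
        $candidate = $step + $i;
        // A step that was already accepted must not be accepted again (replay).
        if ($lastUsedStep !== null && $candidate <= $lastUsedStep) {
            continue;
        }
        if (hash_equals(sdtfa_hotp($secret, $candidate), $code)) {
            return $candidate;
        }
    }
    return null;
}

// Usage with the RFC 6238 test-vector secret (a published test key, not a real user key):
$secret = sdtfa_base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'); // "12345678901234567890"
$now = 59; // RFC 6238 test time; the expected 6-digit code is 287082
$accepted = sdtfa_verify_totp($secret, '287082', 'strict', null, $now);
var_dump($accepted); // int(1)
// Replaying the same code once the step has been recorded is rejected:
var_dump(sdtfa_verify_totp($secret, '287082', 'strict', $accepted, $now)); // NULL
```

The replay check matters more than the window size: with a "tolerant" window a code stays valid for up to 150 seconds, so recording the accepted step is what stops a captured code from being reused within that period.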
Comprehensive Fallback System
- 10 Backup Codes – One-time emergency codes in case you lose your phone. Copy, download, print, or email them to yourself.
- Administrator Recovery Key – Each admin receives a personal 32-character key during setup. Works even when all backup codes are used up.
- FTP Emergency Recovery – As a last resort, create an empty file named .sdtfa-recovery in wp-content/ via FTP. Temporarily disables 2FA for all administrators. Admins are notified hourly by email.
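Backup codes are only as safe as their storage: if the list is kept in plain text, a database read gives an attacker a way past 2FA. The following is an added example, not the plugin's own code, showing the pattern the Security section describes (hashed token storage): generate ten random codes, show them once, keep only password hashes, and delete a hash the moment its code is used. It also shows the wp-content/.sdtfa-recovery file check from the FTP recovery bullet; the code format (two groups of five digits) and the meta key name are assumptions.

```php
<?php
// Added example (not the plugin's code): ten one-time backup codes stored only as
// hashes, consumed on use, plus the emergency recovery-file check.
// The code format and the meta key name are assumptions for illustration.

declare(strict_types=1);

const SDTFA_BACKUP_META = 'sdtfa_backup_code_hashes'; // assumed user-meta key

/** Generate $count random codes; returns [plaintext list, hash list]. */
function sdtfa_generate_backup_codes(int $count = 10): array
{
    $plain  = [];
    $hashes = [];
    for ($i = 0; $i < $count; $i++) {
        // 10 digits from the CSPRNG, displayed as 12345-67890 for the user.
        $digits  = str_pad((string) random_int(0, 9999999999), 10, '0', STR_PAD_LEFT);
        $plain[] = substr($digits, 0, 5) . '-' . substr($digits, 5);
        // Stored form: a password hash only; the plaintext is shown once and discarded.
        $hashes[] = password_hash($digits, PASSWORD_DEFAULT);
    }
    return [$plain, $hashes];
}

/**
 * Check a submitted code against the stored hashes. On success the matching hash
 * is removed so the code can never be used again; returns the updated hash list,
 * or null when nothing matched.
 */
function sdtfa_consume_backup_code(string $submitted, array $hashes): ?array
{
    $digits = preg_replace('/\D/', '', $submitted);
    foreach ($hashes as $idx => $hash) {
        if (password_verify($digits, $hash)) {
            unset($hashes[$idx]);
            return array_values($hashes);
        }
    }
    return null;
}

/**
 * FTP emergency recovery as described on the page: an empty file named
 * .sdtfa-recovery inside wp-content/ disables 2FA for administrators.
 * $contentDir is a parameter so this runs outside WordPress; inside WordPress
 * the WP_CONTENT_DIR constant would supply it.
 */
function sdtfa_recovery_file_present(string $contentDir): bool
{
    return is_file(rtrim($contentDir, '/') . '/.sdtfa-recovery');
}

// Demonstration on constructed data:
[$plain, $hashes] = sdtfa_generate_backup_codes();
echo "Codes shown once to the user:\n" . implode("\n", $plain) . "\n";

$remaining = sdtfa_consume_backup_code($plain[3], $hashes);
echo 'Remaining after one use: ' . count($remaining) . "\n";   // 9
var_dump(sdtfa_consume_backup_code($plain[3], $remaining));    // NULL: already used
var_dump(sdtfa_recovery_file_present(sys_get_temp_dir()));     // bool(false) unless the file exists
```

Because the recovery file disables 2FA for every administrator while it exists, the hourly e-mail the page mentions is the control that keeps a forgotten file from becoming a permanent bypass; a defender would also watch file-integrity alerts on wp-content/ for that name.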
Enforcement & Trust
- Role-Based Enforcement – Require 2FA for administrators, editors, subscribers, or any role.
- Grace Period – Set a deadline so users have time to set up 2FA before enforcement kicks in.
- Hard Enforcement – Without a grace period, users must complete 2FA setup on the login page before gaining any access.
- Enforcement Areas – Choose where to enforce: admin area, WooCommerce account, checkout, or entire site.
- Trust This Device – Users can save their computer so the 2FA code isn’t required on every login. Configurable duration (1–365 days).
Integration
- WooCommerce – Adds a “Two-Factor Authentication” tab to the My Account page. Enforce 2FA for the account area and checkout.
- Shortcode – Display the user’s 2FA status anywhere with [sdtfa_status].
- Setup Reminder – A dismissible admin notice with a “Set up now” button. No auto-popups; users open the setup flow only by clicking.
Security
- AES-256-GCM encryption for TOTP secrets at rest
- Secure HttpOnly cookies for trusted devices
- Hashed token storage (never stored in plain text)
- No external dependencies – everything runs locally in pure PHP
- No external API calls, no tracking, no data collection
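The Security list above names three mechanisms: AES-256-GCM for TOTP secrets at rest, HttpOnly cookies for the trusted-device feature described under Enforcement & Trust, and hashed token storage. The following is an added example, not the plugin's own code, showing how those fit together in PHP using only the OpenSSL extension: a fresh 12-byte IV per encryption, the GCM tag stored alongside the ciphertext so tampering is detected on decrypt, and a trusted-device token that the browser holds in full while the server keeps only its SHA-256 hash and an expiry clamped to the 1–365 day range. Deriving the key from the wp-config.php AUTH_KEY constant, the cookie name, and the record layout are assumptions.

```php
<?php
// Added example (not the plugin's code): AES-256-GCM for a TOTP secret at rest and a
// trusted-device cookie whose token is stored only as a hash. Key derivation from
// AUTH_KEY, the cookie name and the record layout are assumptions for illustration.

declare(strict_types=1);

/** Derive a 32-byte key. In WordPress the AUTH_KEY constant would be the input. */
function sdtfa_key(string $keyMaterial): string
{
    return hash('sha256', $keyMaterial, true);
}

/** Encrypt: returns base64(iv || tag || ciphertext). GCM needs a fresh IV for every call. */
function sdtfa_encrypt_secret(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

/** Decrypt and authenticate; returns null when the tag does not verify (tampered data or wrong key). */
function sdtfa_decrypt_secret(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

/**
 * Issue a trusted-device token: the browser receives the random value; the server
 * keeps only its SHA-256 hash with an expiry (clamped to the page's 1–365 days).
 * Returns [cookie value, record to persist in user meta].
 */
function sdtfa_issue_trusted_device(int $days): array
{
    $days   = max(1, min(365, $days));
    $token  = bin2hex(random_bytes(32));
    $record = ['hash' => hash('sha256', $token), 'expires' => time() + $days * 86400];
    return [$token, $record];
}

/** Send the cookie with HttpOnly (as the page lists) plus Secure and SameSite. */
function sdtfa_send_trusted_cookie(string $token, int $expires): void
{
    setcookie('sdtfa_trusted', $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Validate a presented cookie against stored records; expired or unknown tokens fail. */
function sdtfa_is_trusted(string $cookieToken, array $records): bool
{
    $hash = hash('sha256', $cookieToken);
    foreach ($records as $r) {
        if ($r['expires'] > time() && hash_equals($r['hash'], $hash)) {
            return true;
        }
    }
    return false;
}

// Demonstration on constructed data:
$key    = sdtfa_key('constructed-AUTH_KEY-placeholder');
$stored = sdtfa_encrypt_secret('JBSWY3DPEHPK3PXP', $key); // constructed base32 secret
var_dump(sdtfa_decrypt_secret($stored, $key) === 'JBSWY3DPEHPK3PXP'); // bool(true)
var_dump(sdtfa_decrypt_secret($stored, sdtfa_key('other-key')));       // NULL

[$token, $record] = sdtfa_issue_trusted_device(30);
var_dump(sdtfa_is_trusted($token, [$record]));  // bool(true)
var_dump(sdtfa_is_trusted('wrong', [$record])); // bool(false)
```

Storing only the hash means a copy of the database does not yield a usable trusted-device cookie, and the GCM tag means a modified ciphertext fails closed instead of decrypting to garbage that a later TOTP check would silently reject.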
Privacy & Hardening (optional)
- Hide user data in REST API – Replace sensitive user fields (name, slug, link, avatar) with neutral values for unauthenticated requests. The REST endpoint stays reachable for SEO and import tools, but anonymous visitors no longer see real display names.
- Block author archives – Redirect unauthenticated visitors away from ?author=N and /author/<slug>/ to prevent user enumeration.
- Disable password reset – Disable the “Lost your password?” function for administrators and/or selected roles. Useful when 2FA must be the only authentication path.
- Users list column – A clean “SDTFA” column on Users → All Users that shows the real 2FA status (TOTP, Email, or off) and replaces duplicate columns added by host mu-plugins or other 2FA plugins.
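The three hardening options above all close user-enumeration or account-recovery paths that sit outside the login form. The following is an added example, not the plugin's own code, showing how each can be implemented with WordPress core hooks: the rest_prepare_user filter to neutralize name, slug, link and avatar fields for anonymous REST requests while keeping the endpoint reachable; a template_redirect handler that sends anonymous visitors away from author archives before WordPress's own canonical redirect can turn ?author=N into /author/<slug>/; and the allow_password_reset filter to refuse resets for listed roles. The neutral values chosen and the role list are assumptions.

```php
<?php
// Added example (not the plugin's code): the three Privacy & Hardening options
// implemented with WordPress core hooks. The neutral replacement values and the
// blocked-role list are assumptions; the hooks and functions are core WordPress APIs.

// 1) Hide user data in the REST API for unauthenticated requests. The endpoint
//    still answers (SEO and import tools keep working) but the real name, slug,
//    link and avatar are replaced with neutral values.
add_filter('rest_prepare_user', function (WP_REST_Response $response, WP_User $user, WP_REST_Request $request) {
    if (is_user_logged_in()) {
        return $response;
    }
    $data = $response->get_data();
    $data['name'] = 'Author';
    $data['slug'] = 'author-' . $user->ID;
    $data['link'] = home_url('/');
    if (isset($data['avatar_urls']) && is_array($data['avatar_urls'])) {
        foreach ($data['avatar_urls'] as $size => $url) {
            $data['avatar_urls'][$size] = ''; // neutral value; a generic placeholder image URL would also do
        }
    }
    $response->set_data($data);
    return $response;
}, 10, 3);

// 2) Block author archives for anonymous visitors. Both ?author=N and
//    /author/<slug>/ resolve to an author query, so is_author() covers both.
//    Priority 1 runs before redirect_canonical (priority 10), which would
//    otherwise rewrite ?author=N to /author/<slug>/ and reveal the login name.
add_action('template_redirect', function () {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
}, 1);

// 3) Disable password reset for administrators (and any other listed roles),
//    so 2FA stays the only way back into such an account.
add_filter('allow_password_reset', function ($allow, $user_id) {
    $blocked_roles = ['administrator']; // assumed setting value
    $user = get_userdata($user_id);
    if ($user && array_intersect($blocked_roles, (array) $user->roles)) {
        return false;
    }
    return $allow;
}, 10, 2);
```

A quick check after enabling such hooks is to request /wp-json/wp/v2/users and ?author=1 as an anonymous client and confirm that the first returns neutral fields and the second lands on the home page rather than an author slug.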
Translations
Fully translatable with included translations for German (DE/AT/CH), English, French, Spanish, Italian, and Dutch.
Screenshots
Admin notice prompting users to set up 2FA
Setup prompt asking the user to start now or later
Choosing the authentication method: email or authenticator app
App-based authentication – FreeOTP recommended, with download links
Email-based authentication
Email confirmation step
Backup codes – send by email, download, or print
Shortcode displaying the 2FA status on any page
2FA status on the user’s My Account page – inactive
2FA status on the user’s My Account page – active, with the chosen method
Backend admin view: per-account 2FA status and the method in use
Settings: enforcement reminder, which roles must use 2FA, grace period, enforcement areas, validation strictness (strict / normal / tolerant), and trusted-device duration
Shortcode for embedding the 2FA status indicator on any page
Privacy & Hardening: hide user data in the REST API and disable password reset per role