DocsOEngage11. Two-Factor Authentication

Reference

11. Two-Factor Authentication

OEngageorravo.com/docs/oengage/11-two-factor-authentication

TOTP (Google Authenticator)

Standard RFC 6238 TOTP — compatible with any TOTP app (Google Authenticator, Authy, 1Password)
Pure PHP implementation — no external library dependency
32-character base32 secret stored per user
±1 code window (30-second tolerance)

Email Code

6-digit numeric code sent to user's email
10-minute expiry via transient

Setup (user-side)

User navigates to profile page, requests 2FA setup
AJAX action or_setup_2fa generates a secret and returns an otpauth:// QR URI
User scans QR code in their authenticator app, enters the current code to confirm

Admin

Admin can see 2FA status in user view
To disable: admin can remove user meta or_2fa_enabled and or_2fa_secret

Previous10. Magic Link Login

Next12. Brute Force Protection

11. Two-Factor Authentication — OEngage Docs — Orravo