TOTP (Authenticator App)
Users configure TOTP under Profile → Security → Enable Authenticator App:
- The plugin generates a random TOTP secret; one-time codes are derived from it per RFC 6238 (time-based HOTP)
- It displays a QR code (an otpauth:// URI) for scanning with Google Authenticator, Authy, etc.
- The user enters the first 6-digit code to confirm the app is set up correctly
- On subsequent logins they enter the current 6-digit code
Recovery codes: 8 single-use backup codes are generated at TOTP setup and shown once. Only their bcrypt hashes are stored.
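The setup and verification steps above, as an added example that is not OEngage's own code: a minimal RFC 6238 implementation in plain PHP (the plugin's language) covering secret generation, the otpauth:// URI, code derivation, verification with a one-step tolerance window and replay rejection, and recovery codes kept only as bcrypt hashes. All function names are hypothetical; the 30-second step, SHA-1 and the ±1 window are the common authenticator-app defaults, not settings the page documents for the plugin.

```php
<?php
// Added example, not the plugin's code. Helper names are hypothetical.
declare(strict_types=1);

const TOTP_DIGITS = 6;
const TOTP_PERIOD = 30; // seconds per step (assumed default)
const TOTP_WINDOW = 1;  // accept one step of clock skew either side (assumed)

// RFC 4648 base32, unpadded: the encoding authenticator apps expect in the URI.
function base32_encode(string $bytes): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split($bytes) as $c) {
        $bits .= str_pad(decbin(ord($c)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= $alphabet[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

// Fresh 160-bit secret from the CSPRNG, the size RFC 4226 recommends for HMAC-SHA1.
function totp_new_secret(): string {
    return random_bytes(20);
}

// otpauth:// URI to encode into the QR code shown at setup.
function totp_provisioning_uri(string $secret, string $issuer, string $account): string {
    return sprintf('otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=%d&period=%d',
        rawurlencode($issuer), rawurlencode($account), base32_encode($secret),
        rawurlencode($issuer), TOTP_DIGITS, TOTP_PERIOD);
}

// RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation.
function hotp(string $secret, int $counter, int $digits = TOTP_DIGITS): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $code   = ((ord($hash[$offset]) & 0x7f) << 24) | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8) | ord($hash[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// RFC 6238: the counter is the number of whole periods since the Unix epoch.
function totp_code(string $secret, int $unix_time, int $digits = TOTP_DIGITS): string {
    return hotp($secret, intdiv($unix_time, TOTP_PERIOD), $digits);
}

// Verify a submitted code in constant time against the current step ± TOTP_WINDOW.
// Returns the matched counter so the caller can store it and refuse a replay of it.
function totp_verify(string $secret, string $code, int $unix_time, int $last_counter = -1): ?int {
    if (!preg_match('/^\d{' . TOTP_DIGITS . '}$/', $code)) {
        return null;
    }
    $step = intdiv($unix_time, TOTP_PERIOD);
    for ($i = -TOTP_WINDOW; $i <= TOTP_WINDOW; $i++) {
        $counter = $step + $i;
        if ($counter <= $last_counter) {
            continue; // a step that already authenticated once cannot be reused
        }
        if (hash_equals(hotp($secret, $counter), $code)) {
            return $counter;
        }
    }
    return null;
}

// Recovery codes: random, shown to the user once, persisted only as bcrypt hashes.
function recovery_codes_new(int $count = 8): array {
    $plain = [];
    for ($i = 0; $i < $count; $i++) {
        $plain[] = bin2hex(random_bytes(5)); // 40 bits of entropy per code
    }
    $hashes = array_map(fn($c) => password_hash($c, PASSWORD_BCRYPT), $plain);
    return [$plain, $hashes];
}

// Consume a recovery code: drop the matching hash so the code is single-use.
function recovery_code_consume(string $code, array &$hashes): bool {
    foreach ($hashes as $i => $hash) {
        if (password_verify($code, $hash)) {
            unset($hashes[$i]);
            $hashes = array_values($hashes);
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 6238 Appendix B vector (secret "12345678901234567890", T=59).
$secret = '12345678901234567890';
if (totp_code($secret, 59, 8) !== '94287082' || totp_code($secret, 59) !== '287082') {
    throw new RuntimeException('RFC 6238 test vector failed');
}
if (totp_verify($secret, '287082', 59) !== 1 || totp_verify($secret, '287082', 59, 1) !== null) {
    throw new RuntimeException('verify or replay check failed');
}
[$plain, $hashes] = recovery_codes_new();
if (!recovery_code_consume($plain[3], $hashes) || recovery_code_consume($plain[3], $hashes)) {
    throw new RuntimeException('recovery code must work exactly once');
}
```

Two points the page's bullet list leaves implicit: the comparison uses hash_equals so a timing side channel cannot leak digit by digit, and the verifier remembers the last accepted step, because a 6-digit code captured over the shoulder is otherwise valid for the whole 30-second step (plus the skew window) even after the legitimate login.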
Email Code 2FA
When TOTP is not configured, OEngage can send a 6-digit code by email on each login:
- The code is valid for 10 minutes
- Only a hash of the code is stored, in a WordPress transient
- Configurable: require it for all users, or let users opt in
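The email-code flow above, as an added example rather than the plugin's code. The WordPress transient is replaced by an in-memory array keyed by user ID so the block runs stand-alone; in the plugin the same record would sit behind set_transient()/get_transient()/delete_transient() with the 600-second expiry. The guess counter is an addition the page does not describe: a 6-digit code has only a million possibilities, so hashing it only buys something if online guessing is capped and the code is single-use. All names are hypothetical.

```php
<?php
// Added example, not OEngage's code. The array stands in for a WordPress transient.
declare(strict_types=1);

const EMAIL_CODE_TTL   = 600; // 10 minutes, as documented
const EMAIL_CODE_TRIES = 5;   // assumed cap on wrong guesses per issued code

// Issue a code for $user_id at time $now; returns the plaintext for the email body only.
function email_code_issue(array &$store, int $user_id, int $now): string {
    // Zero-padded so "000123" is as likely as "999999" and always six characters.
    $code = str_pad((string)random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $store[$user_id] = [
        'hash'    => password_hash($code, PASSWORD_BCRYPT), // plaintext is never persisted
        'expires' => $now + EMAIL_CODE_TTL,
        'tries'   => 0,
    ];
    return $code;
}

// Verify a submitted code: expired, exhausted or already-used records are deleted.
function email_code_verify(array &$store, int $user_id, string $code, int $now): bool {
    if (!isset($store[$user_id]) || !preg_match('/^\d{6}$/', $code)) {
        return false;
    }
    $entry = &$store[$user_id];
    if ($now >= $entry['expires'] || $entry['tries'] >= EMAIL_CODE_TRIES) {
        unset($store[$user_id]);
        return false;
    }
    $entry['tries']++;
    if (!password_verify($code, $entry['hash'])) {
        return false;
    }
    unset($store[$user_id]); // single use: a correct code is consumed
    return true;
}

// Self-check with a constructed timestamp and user ID.
$store = [];
$t0 = 1700000000;
$code  = email_code_issue($store, 42, $t0);
$wrong = ($code === '000000') ? '000001' : '000000';
if (email_code_verify($store, 42, $wrong, $t0 + 5))  { throw new RuntimeException('wrong code accepted'); }
if (!email_code_verify($store, 42, $code, $t0 + 5))  { throw new RuntimeException('right code rejected'); }
if (email_code_verify($store, 42, $code, $t0 + 6))   { throw new RuntimeException('code reused'); }
$code = email_code_issue($store, 42, $t0);
if (email_code_verify($store, 42, $code, $t0 + EMAIL_CODE_TTL)) { throw new RuntimeException('expired code accepted'); }
$code = email_code_issue($store, 42, $t0);
for ($i = 0; $i < EMAIL_CODE_TRIES; $i++) { email_code_verify($store, 42, $wrong, $t0 + 1); }
if (email_code_verify($store, 42, $code, $t0 + 2))   { throw new RuntimeException('guess cap not enforced'); }
```

bcrypt is used here because the page stores recovery codes that way; for a code that expires in ten minutes a cheaper keyed hash would also be defensible, but the cost of one password_verify per login attempt is negligible and it keeps the two code types on one storage convention.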
PHP API
```php
// Check whether a user has 2FA enabled
OEngage_TwoFactor::is_enabled( int $user_id ): bool
// Get the 2FA method for a user
OEngage_TwoFactor::get_method( int $user_id ): string // 'totp' | 'email' | ''
// Verify a TOTP code
OEngage_TwoFactor::verify_totp( int $user_id, string $code ): bool
// Verify an email code
OEngage_TwoFactor::verify_email_code( int $user_id, string $code ): bool
// Generate and send an email code
OEngage_TwoFactor::send_email_code( int $user_id ): bool
// Disable 2FA for a user (admin only)
OEngage_TwoFactor::disable( int $user_id ): void
```
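Gating the WordPress login with the API above, as an added example and not code shipped with the plugin. It assumes the login form posts the second factor in a field named oengage_2fa_code (a hypothetical name) and that the plugin is not already hooking the same step; priority 30 places the check after WordPress's own username/password check, which runs on the authenticate filter at priority 20.

```php
<?php
// Added example, not plugin code: second-factor check on the WordPress `authenticate` filter.
// Assumes a login-form field `oengage_2fa_code` (hypothetical) and the OEngage_TwoFactor API above.
add_filter('authenticate', function ($user, $username, $password) {
    if (!$user instanceof WP_User) {
        // Password step failed or was skipped: return as-is so the 2FA state of the
        // account is not revealed to someone who does not know the password.
        return $user;
    }
    if (!OEngage_TwoFactor::is_enabled($user->ID)) {
        return $user;
    }

    $code = isset($_POST['oengage_2fa_code'])
        ? trim((string) wp_unslash($_POST['oengage_2fa_code']))
        : '';

    switch (OEngage_TwoFactor::get_method($user->ID)) {
        case 'totp':
            $ok = OEngage_TwoFactor::verify_totp($user->ID, $code);
            break;
        case 'email':
            if ($code === '') {
                // First submission: mail a code and ask the user to resubmit with it.
                OEngage_TwoFactor::send_email_code($user->ID);
                return new WP_Error('oengage_2fa_sent', __('A verification code has been sent to your email address.'));
            }
            $ok = OEngage_TwoFactor::verify_email_code($user->ID, $code);
            break;
        default:
            $ok = false; // enabled but no known method: fail closed
    }

    return $ok ? $user : new WP_Error('oengage_2fa_invalid', __('Invalid two-factor code.'));
}, 30, 3);
```

Two consequences of doing this on the authenticate filter: the email path asks the user to submit the password twice (once to trigger the mail, once with the code), and every correct-password request without a code triggers another email, so an attacker who already has the password can make the account noisy; if that matters, throttle send_email_code per user, or keep the plugin's own post-login interstitial instead of this hook.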