Two-Factor Authentication
Add a second authentication step for admin login and/or bid placement. Useful for high-value auctions and platform admins.
Two scopes
| Scope | Setting | Effect |
|---|---|---|
| Admin login | wkafw_2fa_required_for_admin | Admins must complete 2FA at WP login |
| Bid placement | wkafw_2fa_required_for_bid | Bidders must complete 2FA before each bid (or once per session) |
Both default to no.
How it works
When 2FA is required:
- User submits their primary credentials (username and password) or clicks Place Bid
- Plugin sends a 6-digit code via SMS, email or authenticator app
- User enters the code
- If the code is valid, the action proceeds
Codes:
- 6 digits, randomly generated
- Valid for 5 minutes
- One-use only
- Generated server-side, never stored client-side
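The code properties listed above (6 random digits, 5-minute lifetime, one use, server-side only) map onto a small server-side store. The following is an added illustration in Python, not the plugin's own code; the class name `OneTimeCodeStore`, the salted-hash storage and the attempt cap of 5 are assumptions chosen for the example, and the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6              # page: 6-digit codes
CODE_TTL_SECONDS = 5 * 60    # page: valid for 5 minutes
MAX_ATTEMPTS = 5             # assumed cap on wrong guesses; the page states none


class OneTimeCodeStore:
    """Hypothetical server-side store for pending 2FA codes (not the plugin's own class).

    Only a salted SHA-256 digest of each code is kept, so the database never holds a
    usable code; the plaintext exists only long enough to hand to the delivery channel.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # user_id -> [salt, digest, expires_at, attempts_left]

    def issue(self, user_id: str) -> str:
        """Generate a fresh code for the user, replacing any earlier pending code."""
        # secrets.randbelow is CSPRNG-backed; zfill preserves leading zeros ("004217").
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        self._pending[user_id] = [salt, digest, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # caller sends this via email/SMS/push and then discards it

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        salt, digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user_id]          # expired codes are discarded, not retried
            return False
        candidate = hashlib.sha256(salt + submitted.strip().encode()).digest()
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            del self._pending[user_id]          # one-use: a correct code is consumed
            return True
        entry[3] -= 1
        if entry[3] <= 0:
            del self._pending[user_id]          # too many wrong guesses: require a new code
        return False

    def has_pending(self, user_id: str) -> bool:
        return user_id in self._pending
```

The attempt cap matters because a 6-digit space is only one million values: without it, the 5-minute window is enough for an automated guesser to enumerate a meaningful fraction of it, so a wrong-guess limit (or equivalent rate limiting) belongs next to the expiry check.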
Channels
| Channel | Setup needed |
|---|---|
| None (always available) | |
| SMS | Twilio configured + user phone verified |
| Authenticator app (TOTP) | User opts in via their account settings |
| Push | Firebase configured |
User picks their preferred channel in My Account → Security → Two-factor.
Enabling site-wide
Auctions → Settings → Fraud → Two-Factor:
| Setting | Default | Effect |
|---|---|---|
| Required for admin | no | Forces 2FA on every admin login |
| Required for bid | no | Adds 2FA step to bid form |
| Bid 2FA frequency | per_session | Once per session vs every bid |
| 2FA threshold (bid amount) | 0 | Only require above this bid amount |
| Default channel | email | Fallback if user hasn't chosen |
Per-user configuration
Each user manages their own setup at My Account → Security:
- Choose preferred channel (email / SMS / authenticator app)
- For authenticator app: scan QR with Google Authenticator, Authy, etc.; verify with current code
- Backup codes generated — 10 single-use recovery codes
- Test — sends a test code to verify channel works
Recovery
If a user loses access (phone lost, email account compromised):
- Use a backup code at the 2FA prompt
- Backup codes are single-use; regenerate after use
- If no backup codes left, admin can reset the user's 2FA from WP Users → Edit User → Reset 2FA
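The per-user setup and recovery steps above (scan a QR code, verify with the current code, ten single-use backup codes, admin reset) are shown here as an added Python model; it is not the plugin's code. The TOTP arithmetic follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is what Google Authenticator and Authy compute; the class `UserTwoFactor`, the backup-code format and the issuer name "Example Auctions" are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

TOTP_STEP = 30
TOTP_DIGITS = 6


def totp_code(secret: bytes, at_time: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), as authenticator apps compute it."""
    counter = int(at_time) // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def totp_verify(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift, compared in constant time."""
    given = submitted.strip().encode()
    return any(
        hmac.compare_digest(totp_code(secret, at_time + skew * TOTP_STEP).encode(), given)
        for skew in range(-window, window + 1)
    )


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that the QR code on the account page would encode."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={TOTP_DIGITS}&period={TOTP_STEP}")


def _hash_backup(code: str) -> bytes:
    return hashlib.sha256(code.replace("-", "").strip().lower().encode()).digest()


class UserTwoFactor:
    """Hypothetical per-user 2FA record: TOTP enrollment, backup codes and admin reset."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self.totp_secret = None
        self.enrolled = False
        self._backup_hashes = set()      # only digests of backup codes are stored

    def start_totp_enrollment(self, account: str, issuer: str = "Example Auctions") -> str:
        self.totp_secret = secrets.token_bytes(20)             # 160-bit secret (RFC 4226)
        self.enrolled = False
        return provisioning_uri(self.totp_secret, account, issuer)

    def confirm_totp_enrollment(self, submitted: str) -> bool:
        """Enrollment completes only after the user proves their app yields a valid code."""
        if self.totp_secret is None or not totp_verify(self.totp_secret, submitted, self._clock()):
            return False
        self.enrolled = True
        return True

    def generate_backup_codes(self, count: int = 10) -> list:
        """Return `count` fresh single-use recovery codes; any older ones are invalidated."""
        codes = []
        for _ in range(count):
            h = secrets.token_hex(5)                           # 40 bits, shown as xxxxx-xxxxx
            codes.append(f"{h[:5]}-{h[5:]}")
        self._backup_hashes = {_hash_backup(c) for c in codes}
        return codes                   # shown to the user once; not retrievable afterwards

    def authenticate(self, submitted: str) -> bool:
        """Accept a live TOTP code, or consume one backup code when the device is unavailable."""
        if not self.enrolled:
            return False
        if totp_verify(self.totp_secret, submitted, self._clock()):
            return True
        digest = _hash_backup(submitted)
        if digest in self._backup_hashes:
            self._backup_hashes.discard(digest)                # single-use
            return True
        return False

    def backup_codes_remaining(self) -> int:
        return len(self._backup_hashes)

    def admin_reset(self) -> None:
        """What 'Reset 2FA' on the user's edit screen must do: drop secret and all backup codes."""
        self.totp_secret = None
        self.enrolled = False
        self._backup_hashes.clear()
```

Two details carry the security weight: enrollment is not marked complete until a code from the freshly scanned secret verifies (otherwise a user can end up locked out by a half-finished setup), and backup codes are stored only as hashes and removed on use, so a database read cannot recover them and a used code cannot be replayed.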
Bid 2FA modes
wkafw_2fa_bid_frequency:
| Mode | Behavior |
|---|---|
| per_session | One 2FA challenge per browser session; subsequent bids skip |
| every_bid | Challenge before every bid placement (high-friction; high-security) |
| threshold | Only when bid > wkafw_2fa_bid_threshold |
| first_bid_per_auction | Once per auction (good middle ground) |
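The four modes plus the bid-amount threshold reduce to one decision per bid. The following is an added Python model of that decision, not the plugin's code: the `Settings` and `SessionState` classes and the function names are assumptions, and it assumes the bid-amount threshold from the settings table gates every mode (a bid at or below it is never challenged), with mode `threshold` then challenging every bid above it as the table above describes.

```python
from dataclasses import dataclass, field

MODES = ("per_session", "every_bid", "threshold", "first_bid_per_auction")


@dataclass
class Settings:
    """Mirror of the relevant options; field names are assumptions, option names are the page's."""
    required_for_bid: bool = False          # wkafw_2fa_required_for_bid (default no)
    bid_frequency: str = "per_session"      # wkafw_2fa_bid_frequency (default per_session)
    bid_threshold: float = 0.0              # wkafw_2fa_bid_threshold (default 0)


@dataclass
class SessionState:
    """Per-browser-session memory of completed 2FA challenges (hypothetical)."""
    verified_this_session: bool = False
    verified_auctions: set = field(default_factory=set)


def bid_requires_2fa(settings: Settings, session: SessionState,
                     auction_id: str, amount: float) -> bool:
    """Decide whether this bid must pass a 2FA challenge before it is accepted."""
    if not settings.required_for_bid:
        return False
    if amount <= settings.bid_threshold:        # assumed: threshold gates every mode
        return False
    mode = settings.bid_frequency
    if mode == "every_bid":
        return True
    if mode == "threshold":
        return True                             # already above the threshold at this point
    if mode == "per_session":
        return not session.verified_this_session
    if mode == "first_bid_per_auction":
        return auction_id not in session.verified_auctions
    # Fail closed: an unrecognised mode must not silently disable the check.
    raise ValueError(f"unknown wkafw_2fa_bid_frequency: {mode!r}")


def record_2fa_success(session: SessionState, auction_id: str) -> None:
    """Call after a challenge succeeds so later bids in this session are evaluated correctly."""
    session.verified_this_session = True
    session.verified_auctions.add(auction_id)
```

Keeping the "already verified" state in the server-side session rather than in a cookie value the client controls is what makes `per_session` and `first_bid_per_auction` meaningful; the decision function itself should fail closed on an unexpected mode string, as shown, rather than treating it as "no challenge".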
Admin 2FA
Forced via wkafw_2fa_required_for_admin = yes. Affects:
- WP login for admins, shop managers, and editors
- Auction-specific admin actions (manual bid, auction cancel, dispute resolution)
- Wallet operations (top-up, refund)
Other roles unaffected unless wkafw_2fa_required_for_subscriber = yes is set.
Compatibility
| With | Notes |
|---|---|
| WP standard 2FA plugin | Compatible — both can be active; user's primary 2FA setup is used |
| Wordfence 2FA | Compatible |
| Google Authenticator (free WP plugin) | Compatible — TOTP secrets are shared if wkafw_2fa_share_totp_secret = yes |
| YubiKey / hardware tokens | Via WebAuthn (if enabled) |
Common questions
"Will admins lock themselves out?"
Backup codes are generated on first 2FA setup. Encourage admins to save them. Worst case, another admin can disable a user's 2FA via WP Users → Edit.
"What about WP login by email?"
Plugin's 2FA hooks into WP's auth flow regardless of login method (username or email).
"Performance impact?"
Negligible — 2FA checks add ~5 ms per protected action. For sites with high bid volume, set wkafw_2fa_bid_frequency = per_session to avoid challenging every bid.
