Overview
Two-Factor Authentication (2FA) adds an extra layer of security by requiring users to verify their identity with a second factor after entering their password. This Pro feature protects against stolen passwords and unauthorized access.
What is Two-Factor Authentication?
The Two Factors
Factor 1: Something You Know
Your password or passphrase
Factor 2: Something You Have
Access to your email (verification code)
Even if someone steals your password, they cannot access your account without also having access to your email to receive the verification code.
Benefits of 2FA
Enhanced Security
Compromised passwords alone cannot grant access—the attacker also needs your verification code.
Even if someone knows your password, they cannot log in without the second factor.
Bots and automated brute force attacks are rendered useless against 2FA-protected accounts.
Meets security requirements for HIPAA, SOC 2, PCI-DSS, and other compliance standards.
Users feel more secure knowing their accounts have an extra layer of protection.
Available 2FA Methods
Email-Based Verification (Available Now)
How it works:
- User enters username and password
- System sends 6-digit code to user’s email
- User retrieves code from email
- User enters code on verification screen
- Access granted upon successful verification
Code Length: 6 digits
Code Expiration: 10 minutes
Delivery Method: Email
Best for:
- General websites
- Business applications
- Membership sites
- E-commerce platforms
Future Methods (Coming Soon)
TOTP Authenticator Apps (Planned v1.1)
- Google Authenticator
- Microsoft Authenticator
- Authy
SMS Verification (Planned v1.2)
- Requires Twilio or similar service
- Text message delivery
- International support
Who Should Use 2FA?
Recommended User Roles
| User Role | Require 2FA? | Rationale |
|---|---|---|
| Administrator | ✅ Yes | Highest security risk—full site control |
| Editor | ✅ Yes | Access to all content and publishing |
| Author | ⚠️ Optional | Moderate risk—can publish content |
| Contributor | ⚠️ Optional | Limited access—cannot publish |
| Subscriber | ❌ No | Read-only access—minimal risk |
| Customer | ⚠️ Optional | Consider for financial data access |
Use Cases by Industry
Healthcare & Medical
HIPAA Compliance:
✓ Protect patient data
✓ Secure medical records
✓ Meet compliance requirements
✓ Required for: All staff with PHI access
Financial Services
PCI-DSS Compliance:
✓ Secure payment information
✓ Protect financial data
✓ Prevent fraud
✓ Required for: All staff with payment access
E-Commerce
Customer Protection:
✓ Secure customer accounts
✓ Protect order history
✓ Prevent fraudulent purchases
✓ Recommended for: High-value customer accounts
Corporate Intranet
Business Security:
✓ Protect company data
✓ Secure employee information
✓ Prevent unauthorized access
✓ Required for: All employees
Educational Platforms
Student Data Protection:
✓ Protect student records
✓ Secure grades and assignments
✓ Meet FERPA requirements
✓ Required for: Faculty and staff
User Experience Flow
Login Process Without 2FA
Traditional Login (3 steps):
- Enter username
- Enter password
- Click “Log In” → Access granted
Login Process With 2FA
Enhanced Login (5 steps):
- Enter username
- Enter password
- Receive email with verification code
- Enter 6-digit code
- Click “Verify” → Access granted
Adds approximately 30-60 seconds to login time (time to check email and enter code).
What Users See
Step 1: Normal Login Screen
Email or Username: john@example.com
Password: ••••••••••
☐ Remember Me
[Log In Button]
Step 2: Verification Code Screen
✉️ Email Verification Required
We’ve sent a 6-digit verification code to:
john@example.com
This code will expire in 10 minutes.
Enter Verification Code:
[___] [___] [___] [___] [___] [___]
[Verify Button]
Didn’t receive it? [Resend Code]
Step 3: Success Message
✓ Verification Successful
Redirecting to your dashboard…
Configuration Options
Global Settings
Enable/Disable 2FA:
Settings → Attributes User Access → Security
Toggle: “Enable Two-Factor Authentication”
Role-Based Requirements
Select which roles require 2FA:
☑ Require for Administrators
☑ Require for Editors
☐ Require for Authors
☐ Require for Contributors
☐ Require for Subscribers
☐ Require for Customers
Excluded Roles
Exempt specific roles from 2FA:
☐ Support Staff
☐ Service Accounts
☐ Emergency Access
Only exclude roles when absolutely necessary. Each exclusion reduces overall security.
Code Settings
Verification Code Configuration:
Code Length: 6 digits (fixed)
Expiration Time: 10 minutes (fixed)
Delivery Method: Email
Resend Cooldown: 1 minute
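The email-code flow described under "How it works" and the fixed values above (6-digit code, 10-minute expiry, 1-minute resend cooldown), worked through as an added Python example; this is not the plugin's own code. The `send_email` hook, the injected clock, and the 5-attempt limit are assumptions, not settings the page documents.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_LENGTH = 6               # fixed, per Code Settings
CODE_TTL_SECONDS = 10 * 60    # codes expire after 10 minutes
RESEND_COOLDOWN_SECONDS = 60  # one resend per minute
MAX_ATTEMPTS = 5              # assumption: the page states no attempt limit

@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0

class EmailCodeVerifier:
    def __init__(self, send_email, clock):
        self._send = send_email   # assumed hook: delivers (address, code) by email
        self._now = clock         # injected clock so expiry can be tested offline
        self._pending = {}        # user_id -> PendingCode (one live code per user)

    def issue(self, user_id, email):
        # Generate and send a fresh code; refused while the resend cooldown runs.
        now = self._now()
        prev = self._pending.get(user_id)
        if prev is not None and now - prev.issued_at < RESEND_COOLDOWN_SECONDS:
            return False
        # CSPRNG, zero-padded so leading zeros keep the code at 6 digits
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._pending[user_id] = PendingCode(code, now)
        self._send(email, code)
        return True

    def verify(self, user_id, submitted):
        # True once per issued code; False if none pending, expired, over limit or wrong.
        now = self._now()
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if now - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[user_id]      # expired: user must request a new code
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]      # too many guesses: invalidate the code
            return False
        ok = hmac.compare_digest(pending.code.encode(), str(submitted).encode())
        if ok:
            del self._pending[user_id]      # single use: a replayed code is rejected
        return ok
```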
Security Considerations
Strengths
- Password breach protection: Stolen passwords are useless without code
- Phishing resistance: Codes expire quickly, limiting phishing effectiveness
- Brute force immunity: Cannot guess codes—too many combinations
- Audit trail: All 2FA attempts logged for review
Limitations
Users must have access to their email to log in. Losing email access locks the user out of the account (see recovery procedures).
Email delivery can take 1-5 minutes depending on mail server. Users must be patient.
Verification emails may be caught by spam filters. Users should check junk folders.
Email Requirements
Email Server Configuration
Requirements for 2FA emails:
- Working SMTP: Reliable email delivery configured
- SPF/DKIM records: Proper authentication to avoid spam
- Fast delivery: Emails arrive within 1-2 minutes
- Whitelist domain: Ensure emails not blocked by spam filters
Testing Email Delivery
Before enabling 2FA:
- Go to Settings → Attributes User Access → Email
- Click “Send Test Email”
- Check inbox for test email
- Verify email arrives within 2 minutes
- Check spam/junk folder if not in inbox
Rollout Strategy
Phased Deployment (Recommended)
Phase 1: Administrators Only
Week 1: Enable 2FA for admin accounts
Test thoroughly, resolve any email issues
Phase 2: Editors and Staff
Week 2-3: Add editors and key staff
Monitor for issues, provide support
Phase 3: All Users
Week 4+: Enable for all applicable roles
Communicate changes to users in advance
Communication Plan
Before Enabling 2FA:
1. Email Announcement (1 week before):
Subject: Important: Two-Factor Authentication Coming Soon
Dear [User],
Starting [Date], we’re implementing Two-Factor Authentication
for enhanced security. This will require you to enter a code
from your email when logging in.
What to expect:
- Extra verification step at login
- Code sent to your registered email
- Adds 30-60 seconds to login time
Benefits:
- Enhanced account security
- Protection against password theft
- Compliance with security standards
Questions? Contact support@example.com
2. Login Page Notice:
“Two-Factor Authentication will be required starting [Date].
Ensure your email address is up to date in your profile.”
3. Support Resources:
Create FAQ page
Prepare support staff
Document common issues
Best Practices
Enable 2FA on test accounts before deploying to all users. Verify email delivery works reliably.
Begin with administrators only, then gradually expand to other roles as you build confidence.
Notify users at least one week in advance. Explain what’s changing and why it benefits them.
Have support staff ready to help users during initial rollout. Most issues are email-related.
Check audit logs for failed 2FA attempts. High failure rates indicate user confusion or email issues.
Performance Impact
Server Resources
Minimal Impact:
Email generation: Negligible CPU
Database queries: +1 per login
Email sending: Handled by mail server
Storage: +1 record per verification code
No significant performance degradation expected.
User Experience
Time Addition:
Email check time: 10-60 seconds
Code entry time: 5-10 seconds
Total added time: 15-70 seconds per login
Trade-off: Slight inconvenience for significant security improvement.