Comment on Changes To Email Two Factor Authentication For WordPress by S. Leefers.
Hi! I understand why this made more sense: the previous options may have been a little confusing.
However, I wonder whether it is still possible for users to have to verify by e-mail 2FA if – and only if – they’re trying to log in from a *new* IP address? It seems that, in the new version, they have to verify by e-mail 2FA every single time they log in. It seems there is now no longer a way to save users this trouble, or did I miss something?
The same applies to 2FA by session (another very cool option), I think?
In case I wasn’t clear, here is a quote from the old description of 2FA by IP, which is the way I’d like it to work:
“So, when 2-factor authentication is enabled by IP address, and user attempts to log into their account, the system will ask:
– What is the IP address of the connecting user. (you can find your IP address, for example, by going here)
– It will then look up the database and ask – has this username validated their identity while connected to the site using that IP address?
If the answer is ‘Yes’, then the login will be permitted.
If the answer is ‘No’, login will be temporarily rejected, and an email sent to that user’s registered email address asking them to click a verification link.”
