Hi @redelefant,
The purpose of TOTP (the method Wordfence uses for 2FA) is to provide you with a password that changes based on what time it is.
How does this work?
1. Wordfence creates a QR code (which is a random secret string)
2. Your 2FA app scans and remembers this secret string
Then, when you want to login:
1. Your 2FA app creates a 6-digit token, using the secret string + the current time
2. Wordfence also creates a 6-digit token (because it knows your secret string and the current time)
3. The two codes are compared, and if they match, you’re logged in!
So what have we done?
We’ve managed to prove that we have the secret key – without actually handing it over. It’s not possible to reverse the secret key using the 6-digit token, and the token itself expires very quickly (usually 30-60 seconds).
Now that you have a better understanding, these questions should be easier to answer:
4. Is the Authentication code new each time? Is there a way to access this online?
No. These codes expire every 30-60 seconds, and they can only be generated if the 2FA app knows what the secret key is. So you can only access these codes on devices which you've set up 2FA on.
3. If I set up 2FA from someone else's phone, will I need to access that phone in order to sign in every time?
Because the secret key is only saved on that person's phone, you will need access to that phone in order to generate the valid tokens to log in.
2. I don't have a smart phone or tablet. I have email and a laptop though. Can I still set up 2FA?
There are programs on the PC that allow you to enter the secret key, and they will generate 2FA codes for you. You need to convert the QR images into plaintext, however.
https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai?hl=en
1. I have several users for the site. Should I set up 2FA for all of them?
Ideally, yes. However, you cannot set up 2FA for them. They need to use their own devices (so it saves the secret key onto something they own).
Dave
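The exchange Dave describes above (QR code carrying a shared secret, app and server each computing a 6-digit code from secret + time, server comparing the two) is the standard HOTP/TOTP construction from RFC 4226 and RFC 6238. The following is an added worked example written for this page; it is not Wordfence's code or Dave's, and Wordfence's actual enrolment URI format is not shown on this page. The `otpauth://` URI, its label, and the issuer name are constructed for the example; the secret is the RFC 6238 test-vector key, and the 6-digit / 30-second parameters are the common defaults. It also shows the "convert the QR image into plaintext" step from question 2: the QR code encodes a URI of this shape, and a desktop program only needs the base32 `secret` from it.

```python
"""Minimal RFC 4226 / RFC 6238 TOTP: what the 2FA app and the server each compute,
and how the server should compare and accept the result.
Added example code for this page; not Wordfence's implementation."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the text a TOTP enrolment QR code typically encodes.
# The secret is the RFC 6238 test-vector key ("12345678901234567890" in base32);
# the label and issuer are made up for this example.
EXAMPLE_URI = ("otpauth://totp/Wordfence:admin%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Wordfence&digits=6&period=30")


def parse_otpauth_uri(uri):
    """Turn an otpauth:// URI (the plaintext behind the QR code) into parameters.
    Returns a dict with the raw secret bytes, digits, period, algorithm and label."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("URI has no secret parameter")
    b32 = params["secret"].strip().replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # base32 needs padding to a multiple of 8
    return {
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "label": unquote(parts.path.lstrip("/")),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, for_time, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period). This is what the app runs."""
    return hotp(secret, int(for_time) // period, digits, algorithm)


def verify_totp(secret, submitted, now, period=30, digits=6, algorithm="sha1",
                skew=1, last_counter=None):
    """Server side. Recomputes the code for the current step and `skew` steps either side
    (clock drift), compares in constant time, and refuses any step at or before
    `last_counter` so a code captured once cannot be replayed inside its window.
    Returns the matched time-step counter, or None."""
    current = int(now) // period
    matched = None
    for counter in range(current - skew, current + skew + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        candidate = hotp(secret, counter, digits, algorithm)
        if hmac.compare_digest(candidate, submitted):
            matched = counter          # no early exit: every candidate is compared
    return matched


if __name__ == "__main__":
    enrol = parse_otpauth_uri(EXAMPLE_URI)          # what the app stores after scanning
    now = time.time()
    code = totp(enrol["secret"], now, enrol["period"], enrol["digits"], enrol["algorithm"])
    print("app shows:", code)
    accepted = verify_totp(enrol["secret"], code, now, enrol["period"],
                           enrol["digits"], enrol["algorithm"])
    print("server accepts:", accepted is not None)
```

Two points the code makes concrete beyond the explanation above: the server stores the same secret as the phone (so the server database, not just the phone, is where the secret must be protected), and the 6-digit code is a truncated HMAC, which is why it cannot be reversed to the secret but also why a server must limit guesses and refuse reuse of a step it has already accepted.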