2FA Application Password

Hi @nuttyhiker,

Reading the Application Passwords: Integration Guide on Make WordPress Core will answer your question (and more ;-)).

+++ To prevent any confusion, I’m not SolidWP +++

That actually didn’t answer my question at all. I don’t have that option under the Edit User page like it suggests. The 2FA is an option from this specific plugin and there is no option to generate a application password.

Hi @nuttyhiker,

Application Passwords is a WordPress Core feature.

There should be an Application Passwords section right after the Account Management section in the user profile page. For the features’ UI to fully function it does (by default) require HTTPS (except on a local env).

However there are also plugins out there that by default disable the WordPress Core Application Passwords feature…

To enable the Application Passwords feature add the line below to the active theme?functions.php?file:

add_filter( 'wp_is_application_passwords_available', '__return_true' );

• This reply was modified 9 months ago by nlpro.
• This reply was modified 9 months ago by nlpro.

It is definitely not there nor have I ever seen that. I do have a SSL cert installed so my site renders https. I do not have any plugins installed that would disable that unless this plugin does that. I added that code to my functions file but again it doesn’t do anything. Looking at the comments at the link you sent it appears WP never added this function to the core like was expected?

Hi @nuttyhiker,

The Application Passwords feature was initially made available as a plugin, but ever since the release of WordPress 5.6 it is part of WordPress Core.

The UI rendering of the Application Passwords feature in the user profile page starts at line #767 ( WordPress 6.4.3) of the wp-admin/user-edit.php file with:

<?php if ( wp_is_application_passwords_available_for_user( $user_id ) || ! wp_is_application_passwords_supported() ) : ?>

Well, I don’t know what to tell you. It’s not there nor has it ever been. I have never seen that option in the user profile. When I place your code in my child’s theme functions file, it still does not show in the user profile. I have Set New Password, Logout Everywhere, and Configure 2FA within the user profile.

Hi @nuttyhiker,

Ok, so let’s break this down. There are 2 conditions which when met will cause the beginning of the Application Password section to get rendered. Since there is nothing related to Application Passwords rendered both conditions are not met. Let’s start with the easy one, the second condition:

! wp_is_application_passwords_supported();
// Equals:
// false === wp_is_application_passwords_supported();

Since your site has a SSL cert installed this function returns true. So indeed this condition is not met.

So that means to get the beginning of the Application Password section rendered, the first condition must be met:

wp_is_application_passwords_available_for_user( $user_id );
// Equals:
// true === wp_is_application_passwords_available_for_user( $user_id );

This function starts with 3 conditions and ends with a filter:

if ( ! wp_is_application_passwords_available() ) {
	return false;
}

if ( ! is_object( $user ) ) {
	$user = get_userdata( $user );
}

if ( ! $user || ! $user->exists() ) {
	return false;
}

return apply_filters( 'wp_is_application_passwords_available_for_user', true, $user );

When the first or third condition is met, a boolean false value is returned. So one of these conditions may evaluate to true, return a false value and thus cause the Application Passwords section not to render. The first condition is:

! wp_is_application_passwords_available();
// Equals:
// false === wp_is_application_passwords_available();

Since the site has a SSL cert installed this function returns true. So this condition is not met.

The third condition checks the user data. Basically if the user data is invalid the third condition evaluates to true and a false value is returned.

Since my iPad battery is running out of juice I’ll save this post now and continue in another post …

• This reply was modified 9 months ago by nlpro.
• This reply was modified 9 months ago by nlpro.
• This reply was modified 9 months ago by nlpro.

Ok, switched from the iPad to my laptop ??

So the only way to get a true value returned is the last option, the wp_is_application_passwords_available_for_user filter. Note the filter defaults to a true value. This is because by default all users can make use of application passwords.

Conclusion is that you have to get passed 2 conditions to reach the filter that is the only chance for returning a true value. On a site with a SSL cert installed, odds are against the Application Passwords section getting rendered ??

• This reply was modified 9 months ago by nlpro.
• This reply was modified 9 months ago by nlpro.

Hi @nuttyhiker,

I do not have any plugins installed that would disable that unless this plugin does that.

Turns out the Solid Security plugin hooks into the wp_is_application_passwords_available_for_user filter when the 2FA feature is enabled … (I was not aware of that).

You have to navigate to Security > Settings > User Groups and, under section Two Factor, enable the Application Passwords toggle for the right group (user(s)).

Hope this finally deals with the issue ??

• This reply was modified 8 months, 4 weeks ago by nlpro.
• This reply was modified 8 months, 4 weeks ago by nlpro.

That works! Thank you!