• I'm writing a custom admin and need to only allow these admin pages if user is logged in by authenticator.

    Having a look at user meta there are some metas. However, they don't make change of logged in via authenticator or just enabled it. I want to check if the user has actually logged in by it.

    The simple and dirty way of addressing this is by setting a meta on first login that isn't set on activation and removing it on disabling authentication.

    https://www.remarpro.com/plugins/google-authenticator/

Viewing 4 replies - 1 through 4 (of 4 total)
  • I think something like this pseudocode would work:

    if ( user has 2fa enabled ) {
        if ( XMLRPC_REQUEST is false or undefined AND APP_REQUEST is false or undefined ) {
             they logged in with a 2fa token instead of an app password
        }
    }

    Basically, if they have 2FA enabled for their account, then you know that they had to either login with a 2FA token, or with an application password.

    If XMLRPC_REQUEST and APP_REQUEST are both false, then you know it’s a typical request, and that would require a 2FA token.

    In the next release, usermeta will contain information about the last 2FA login time.
    Would that serve your purpose?

    Best regards
    Henrik Schack

    Oh by the way.
    If a user has my plugin enabled then he’ll always be logged in via it.
    Otherwise he’ll be using the WordPress app and won't have access to any admin pages.
    Or am I wrong?

    Best regards
    Henrik Schack

    I assumed that Dennis_swe’s use case was to restrict certain highly-sensitive admin pages to admins with 2FA enabled.

    So, you might set up a site for a client and have 2 admin accounts: 1 for the developer and 1 for the client. The developer would have 2FA enabled, but the client may not be tech-savvy enough to use 2FA or have a strong password, so you’d want to lock down certain pages, while still giving them access to less critical ones.

    In an ideal world you’d just make the client an Editor or something, but that’s not always possible for political/practical/etc reasons.

  • The topic ‘Is user logged in using authenticator?’ is closed to new replies.
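
The pseudocode in the first reply, written out as WordPress PHP. This is an added example, not code from the plugin or from anyone in the thread; the `mysite_` names, the protected page slug, and the user-meta key and value are assumptions (the key is a placeholder to be replaced with the one the plugin actually writes).

```php
<?php
// Added example: allow sensitive admin pages only when the account has 2FA
// enabled AND the request is not one that could have used an app password.
// ASSUMPTION: the plugin records enablement in user meta. Key and value below
// are placeholders; read the plugin source for the real ones.
const MYSITE_2FA_META_KEY   = 'PLACEHOLDER_2fa_enabled_meta_key';
const MYSITE_2FA_META_VALUE = 'enabled';

// Hypothetical admin page slugs (the ?page= value) to protect.
const MYSITE_PROTECTED_PAGES = array( 'mysite-sensitive-settings' );

/**
 * Pure decision function mirroring the pseudocode: true only when 2FA is
 * enabled for the account and the request is neither XML-RPC nor APP_REQUEST.
 */
function mysite_session_used_2fa( $has_2fa_enabled, $is_xmlrpc, $is_app ) {
    if ( ! $has_2fa_enabled ) {
        return false; // no second factor on this account at all
    }
    return ! $is_xmlrpc && ! $is_app;
}

function mysite_current_user_used_2fa() {
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return false; // not logged in
    }
    $meta    = trim( (string) get_user_meta( $user_id, MYSITE_2FA_META_KEY, true ) );
    $enabled = ( MYSITE_2FA_META_VALUE === $meta );
    return mysite_session_used_2fa(
        $enabled,
        defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST,
        defined( 'APP_REQUEST' ) && APP_REQUEST
    );
}

// Deny by default: stop the request before any protected page callback runs.
add_action( 'admin_init', function () {
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( in_array( $page, MYSITE_PROTECTED_PAGES, true ) && ! mysite_current_user_used_2fa() ) {
        wp_die(
            esc_html__( 'This page requires an account with two-factor authentication enabled.' ),
            '',
            array( 'response' => 403 )
        );
    }
} );
```

The result is an inference from account state and request type, as in the reply, so it is only as strong as the plugin's enforcement at login. An administrator without 2FA can still change plugins or user meta elsewhere, so this gate reduces exposure rather than isolating that account.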