Remember Users

Open julien731 opened this issue 11 years ago • 3 comments

Following a feature request on Facebook, it could be a good idea to check for the cookie before asking for TOTP.

The TOTP check is hooked on wp_authenticate_user (through wp_authenticate_username_password) which has priority 20, while wp_authenticate_cookie, on the same hook, has priority 30. This means that an error is returned because of the TOTP before the cookie is checked.

An easy solution would be to manually check for wp_authenticate_cookie within our auth function.

julien731 Mar 14 '15 04:03

I don't know the details of how Google does it for their logins beyond that they do set a long-lived cookie in the browser when 2FA is successful. That then eliminates the need to enter the 2FA code for a long time. I'm assuming that's built into their API, but I can't really find any developer documentation on it.
https://support.google.com/accounts/answer/2544838?hl=en

jb510 Mar 14 '15 05:03

As well, if you move the TOTP check to a subsequent page per #11, then you can make a really great user experience here:

  • don't prompt for TOTP at all if the user doesn't have it enabled
  • don't prompt for TOTP if they have an existing, valid cookie (and we choose to trust it)
  • do prompt for TOTP if they have a valid password, have TOTP enabled and don't have a cookie

mrjones-plip Jul 11 '15 01:07
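
The three cases listed in the comment above, as an added example that is not AuthPress code and not part of the thread. It assumes a separate signed "remembered device" cookie issued after a successful TOTP check (the behaviour jb510 describes for Google), not WordPress's own auth cookie; every function name, the 30-day lifetime, the token layout and the sample values are hypothetical.

```php
<?php
// Added example with hypothetical names; plain PHP, no WordPress calls.
const DEVICE_COOKIE_TTL = 30 * 24 * 3600; // assumed lifetime: 30 days

/** MAC over the payload, bound to the user's current TOTP secret (assumed
 *  design choice: re-enrolling TOTP invalidates older device tokens). */
function sign_payload(string $payload, string $totpSecret, string $siteKey): string
{
    return hash_hmac('sha256', $payload . '|' . hash('sha256', $totpSecret), $siteKey);
}

/** Token issued once the user has passed TOTP: "uid|expiry|mac". */
function issue_device_token(int $userId, string $totpSecret, string $siteKey, int $now): string
{
    $payload = $userId . '|' . ($now + DEVICE_COOKIE_TTL);
    return $payload . '|' . sign_payload($payload, $totpSecret, $siteKey);
}

function device_token_valid(?string $token, int $userId, string $totpSecret, string $siteKey, int $now): bool
{
    $parts = $token === null ? [] : explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return false; // missing or malformed cookie
    }
    [$uid, $expiry, $mac] = $parts;
    $expected = sign_payload($uid . '|' . $expiry, $totpSecret, $siteKey);
    // Constant-time MAC check, then the checks on the authenticated fields.
    return hash_equals($expected, $mac) && (int) $uid === $userId && (int) $expiry > $now;
}

/** True when the TOTP prompt must be shown on the second login page. */
function needs_totp_prompt(bool $passwordOk, ?string $totpSecret, ?string $cookie,
                           int $userId, string $siteKey, int $now): bool
{
    if (!$passwordOk || $totpSecret === null) {
        return false; // login already failed, or the user has not enabled TOTP
    }
    return !device_token_valid($cookie, $userId, $totpSecret, $siteKey, $now);
}

// Constructed sample values.
$key = 'constructed-site-key'; $secret = 'JBSWY3DPEHPK3PXP'; $now = 1700000000;
$tok = issue_device_token(42, $secret, $key, $now);
var_dump(needs_totp_prompt(true, null, null, 42, $key, $now));    // TOTP not enabled
var_dump(needs_totp_prompt(true, $secret, $tok, 42, $key, $now)); // trusted cookie present
var_dump(needs_totp_prompt(true, $secret, null, 42, $key, $now)); // no cookie
var_dump(needs_totp_prompt(true, $secret, $tok, 43, $key, $now)); // cookie issued to another user
var_dump(needs_totp_prompt(true, $secret, $tok, 42, $key, $now + DEVICE_COOKIE_TTL)); // expired
```

A cookie carrying such a token would be set with the Secure and HttpOnly flags, and only after the TOTP code itself has been verified.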

In the process of releasing version 1.2 I'm checking this issue but can't really figure out what the problem is. The cookie verification does work even with the plugin enabled. All of the sites I use it on have me logged in for a month.

I re-read my own comment though and it looks like I dug something up but can't figure out what I was thinking! Is there really a problem here?

julien731 Mar 26 '16 16:03