(Beta1). Based on the Two Factor plugin, a feature project for WordPress Core, a first trial version of 2FA is now available on WordPress.org. While it is not yet in a state suitable for rollout across the network, it is ready to be tested by a subset of users. For ease of segmentation, that subset is Core Committers and users who are Super Admins. During the testing period it is only in place on login.wordpress.org and does not yet protect other parts of the network such as SVN or Trac.
Since 2FA is part of account security, the UI to enable it will live in the support forum’s profile page. From there, users can enable and disable it, as well as generate backup codes (alongside updating their password to a more secure one, generated by their favorite password manager).
Two Factor Authentication on WordPress.org will use the Time-based One-Time Password (TOTP) algorithm as the primary authentication method. Popular apps for that method include Authy and Google Authenticator, which make it easy to manage multiple accounts that are 2FA enabled. Secondary methods (in case users don’t have access to their phone) will be via email, Slack (if 2FA is enabled there too), or printable backup codes.
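How a server can check a TOTP code (RFC 6238), as an added example that is not code from WordPress.org or the Two Factor plugin. The 30-second step, 6 digits, HMAC-SHA1, the one-step drift window and the `last_used_step` replay check are assumptions of this example, and the key is the RFC's published test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default; assumed here)
DIGITS = 6   # code length most authenticator apps display (assumed here)

# Published RFC 6238 test key ("12345678901234567890"), base32-encoded.
# Sample value for illustration only, never a real account secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32, code, now, last_used_step=-1, window=1):
    """Return the time step the code matched, or None if it is rejected.

    window: steps of clock drift tolerated on either side of the current step.
    last_used_step: highest step already accepted for this account
    (hypothetical per-user field); codes at or below it are replays.
    """
    key = base64.b32decode(secret_b32, casefold=True)
    current = int(now) // STEP
    matched = None
    for step in range(max(0, current - window), current + window + 1):
        # Constant-time comparison, and no early exit from the loop.
        if hmac.compare_digest(hotp(key, step).encode(), code.encode()):
            matched = step
    if matched is None or matched <= last_used_step:
        return None
    return matched  # caller persists this as the new last_used_step
```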
All code is open-sourced and the work on this feature is tracked in #77-meta, where you can follow along with the latest updates to this feature. Provided not too many bugs are uncovered during this first trial period, the current plan is to improve this enhancement over the next few weeks and eventually make it available to all users.
+make.wordpress.org/core +make.wordpress.org/community +make.wordpress.org/test