Overview
The Two-Factor Authentication add-on adds an extra security layer to download access. Users must verify their identity through a second factor—OTP codes, authenticator apps, or email verification—before downloading protected files.
Prerequisites
- WordPress Download Manager installed
- 2FA add-on installed and activated
- SMTP configured for email verification (optional)
- Users have access to authenticator app or email
Benefits
| Feature | Benefit |
|---|---|
| Enhanced Security | Beyond password protection |
| Multiple Methods | TOTP, Email, SMS options |
| Per-Package Control | Choose which packages need 2FA |
| User-Friendly | Simple verification process |
| Audit Trail | Track verification attempts |
Authentication Methods
TOTP (Authenticator Apps)
Time-based One-Time Password using apps:
- Google Authenticator
- Authy
- Microsoft Authenticator
- 1Password
- Any TOTP-compatible app
Email Verification
Code sent to user’s registered email.
SMS Verification
Code sent via SMS (requires SMS gateway).
Configuration
Global Settings
Go to Downloads > Settings > Two-Factor Auth:
┌─────────────────────────────────────────────────────────────┐
│ Two-Factor Authentication Settings                          │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│ Enable 2FA:                                                 │
│   ☑ Enable two-factor authentication                        │
│                                                             │
│ Available Methods:                                          │
│   ☑ TOTP (Authenticator App)                                │
│   ☑ Email Verification                                      │
│   ☐ SMS Verification (requires SMS gateway)                 │
│                                                             │
│ Default Method:                                             │
│   [TOTP ▼]                                                  │
│                                                             │
│ Apply To:                                                   │
│   ○ All packages                                            │
│   ● Selected packages only                                  │
│   ○ Packages with specific roles                            │
│                                                             │
└─────────────────────────────────────────────────────────────┘
TOTP Settings
┌─────────────────────────────────────────────────────────────┐
│ TOTP Configuration                                          │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│ Issuer Name: (appears in authenticator app)                 │
│   [Your Site Name      ]                                    │
│                                                             │
│ Code Length:                                                │
│   [6 digits ▼]                                              │
│                                                             │
│ Time Window:                                                │
│   [30] seconds (standard is 30)                             │
│                                                             │
│ Grace Period:                                               │
│   ☑ Allow previous code                                     │
│     Extends validity by one time window                     │
│                                                             │
│ Recovery Options:                                           │
│   ☑ Generate backup codes                                   │
│     Number of codes: [10]                                   │
│                                                             │
└─────────────────────────────────────────────────────────────┘
Email Verification Settings
┌─────────────────────────────────────────────────────────────┐
│ Email Verification                                          │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│ Code Type:                                                  │
│   ○ 6-digit numeric code                                    │
│   ● Magic link (click to verify)                            │
│                                                             │
│ Code Expiration:                                            │
│   [10] minutes                                              │
│                                                             │
│ Email Template:                                             │
│   Subject: [Your verification code     ]                    │
│                                                             │
│ Body:                                                       │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Your verification code is: {code}                       │ │
│ │                                                         │ │
│ │ This code expires in {expiry} minutes.                  │ │
│ │                                                         │ │
│ │ If you didn't request this, please ignore.              │ │
│ └─────────────────────────────────────────────────────────┘ │
│                                                             │
│ Resend Limit:                                               │
│   [3] times per session                                     │
│   Cooldown: [60] seconds between resends                    │
│                                                             │
└─────────────────────────────────────────────────────────────┘
User Setup
First-Time TOTP Setup
When a user first accesses a 2FA-protected download, the setup screen is shown:
┌─────────────────────────────────────────────────────────────┐
│ Set Up Two-Factor Authentication                            │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│ Step 1: Install an authenticator app                        │
│   Google Authenticator, Authy, or similar                   │
│                                                             │
│ Step 2: Scan this QR code                                   │
│                                                             │
│   ┌────────────────┐                                        │
│   │ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓ │                                        │
│   │ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓ │                                        │
│   │ ▓▓▓▓ QR ▓▓▓▓▓▓ │                                        │
│   │ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓ │                                        │
│   │ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓ │                                        │
│   └────────────────┘                                        │
│                                                             │
│ Can't scan? Manual entry:                                   │
│   Secret: JBSW Y3DP EHPK 3PXP                               │
│                                                             │
│ Step 3: Enter the 6-digit code from your app                │
│                                                             │
│   [ ] [ ] [ ] [ ] [ ] [ ]                                   │
│                                                             │
│   [Verify and Continue]                                     │
│                                                             │
└─────────────────────────────────────────────────────────────┘
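The TOTP settings above (6 digits, 30-second time window, "allow previous code" grace period) and the manual-entry secret on the setup screen are enough to show how a code is generated and checked. The following is an added example, not the add-on's own code: it implements RFC 6238 verification with that grace period and builds the otpauth URI that the QR code would encode; the issuer and account names are assumptions.

```python
# Added example, not the add-on's own code: RFC 6238 TOTP with the settings
# shown above (6 digits, 30-second step, "allow previous code" grace period),
# using the manual-entry secret from the setup screen; issuer/account are assumed.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

SECRET_B32 = "JBSW Y3DP EHPK 3PXP"   # manual-entry secret from the setup screen
DIGITS = 6                           # "Code Length: 6 digits"
STEP = 30                            # "Time Window: 30 seconds"


def totp_code(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226) over a time-step counter, i.e. TOTP with HMAC-SHA1."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, now: int,
           allow_previous: bool = True) -> bool:
    """Accept the current step's code and, with the grace period on, the previous
    step's too ("Extends validity by one time window"). Constant-time comparison
    keeps a wrong guess from leaking how many digits matched."""
    counter = now // STEP
    counters = [counter, counter - 1] if allow_previous else [counter]
    submitted = submitted.strip().encode()
    return any(hmac.compare_digest(totp_code(secret_b32, c).encode(), submitted)
               for c in counters)


def provisioning_uri(secret_b32: str, issuer: str, account: str) -> str:
    """otpauth:// URI the setup QR code encodes; 'issuer' is the Issuer Name
    setting that the authenticator app shows next to the account."""
    secret = secret_b32.replace(" ", "").upper()
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    now = int(time.time())
    print(provisioning_uri(SECRET_B32, "Your Site Name", "john@example.com"))
    code = totp_code(SECRET_B32, now // STEP)
    print("current code:", code, "verified:", verify(SECRET_B32, code, now))
```

A code from two or more steps ago is rejected even with the grace period on, which is why a device clock that drifts by more than a minute produces the "Invalid Code" error covered under Troubleshooting.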
Subsequent Verifications
┌─────────────────────────────────────────────────────────────┐
│ Verification Required                                       │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│ Enter the 6-digit code from your authenticator app:         │
│                                                             │
│   [ ] [ ] [ ] [ ] [ ] [ ]                                   │
│                                                             │
│   [Verify]                                                  │
│                                                             │
│ ─────────────────────────────────────────────────────────── │
│   ○ Use a different method                                  │
│   ○ Use backup code                                         │
│                                                             │
└─────────────────────────────────────────────────────────────┘
Email Verification Flow
┌─────────────────────────────────────────────────────────────┐
│ Email Verification                                          │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│ We've sent a verification code to:                          │
│   j***n@example.com                                         │
│                                                             │
│ Enter the code:                                             │
│   [ ] [ ] [ ] [ ] [ ] [ ]                                   │
│                                                             │
│   [Verify]                                                  │
│                                                             │
│ Didn't receive it?                                          │
│   [Resend Code] (available in 45 seconds)                   │
│                                                             │
│   ○ Try a different method                                  │
│                                                             │
└─────────────────────────────────────────────────────────────┘
Per-Package 2FA
Enable for Specific Packages
In the package editor, open the Security tab:
┌─────────────────────────────────────────────────────────────┐
│ Two-Factor Authentication                                   │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│   ☑ Require 2FA for this package                            │
│                                                             │
│ Allowed Methods:                                            │
│   ☑ TOTP (Authenticator)                                    │
│   ☑ Email                                                   │
│   ☐ SMS                                                     │
│                                                             │
│ Bypass for:                                                 │
│   ☐ Administrators                                          │
│   ☐ Users who already verified this session                 │
│   ☐ Specific user roles: [          ▼]                      │
│                                                             │
│ Verification Validity:                                      │
│   ○ Per download                                            │
│   ● Per session                                             │
│   ○ Per day                                                 │
│   ○ Until logout                                            │
│                                                             │
└─────────────────────────────────────────────────────────────┘
Backup Codes
Generating Backup Codes
Users can generate backup codes for recovery:
┌─────────────────────────────────────────────────────────────┐
│ Backup Codes                                                │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│ Save these codes in a safe place. Each can only be used once.│
│                                                             │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ 1. XXXX-XXXX-XXXX             6. XXXX-XXXX-XXXX         │ │
│ │ 2. XXXX-XXXX-XXXX             7. XXXX-XXXX-XXXX         │ │
│ │ 3. XXXX-XXXX-XXXX             8. XXXX-XXXX-XXXX         │ │
│ │ 4. XXXX-XXXX-XXXX             9. XXXX-XXXX-XXXX         │ │
│ │ 5. XXXX-XXXX-XXXX            10. XXXX-XXXX-XXXX         │ │
│ └─────────────────────────────────────────────────────────┘ │
│                                                             │
│ [📋 Copy] [⬇ Download] [🖨 Print]                           │
│                                                             │
│ ⚠ You have 10 unused backup codes                           │
│                                                             │
└─────────────────────────────────────────────────────────────┘
Using Backup Codes
┌─────────────────────────────────────────────────────────────┐
│ Use Backup Code                                             │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│ Enter one of your backup codes:                             │
│                                                             │
│   [              ]                                          │
│                                                             │
│   [Verify]                                                  │
│                                                             │
│ ⚠ Each backup code can only be used once.                   │
│   You have 8 remaining backup codes.                        │
│                                                             │
└─────────────────────────────────────────────────────────────┘
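The two screens above describe the backup-code contract: ten XXXX-XXXX-XXXX codes, each redeemable once, with the unused count reported back. The following is an added example, not the add-on's own code, showing one way to implement that contract; storing the codes only as salted hashes is an assumption about storage, not something the page states.

```python
# Added example, not the add-on's own code: backup codes as the screens above
# describe them, ten XXXX-XXXX-XXXX codes, each usable once, with the unused
# count reported back. Codes are stored only as salted hashes (an assumption
# about storage, so a database read does not reveal them).
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
CODE_COUNT = 10                                   # "Number of codes: 10"


def normalize(code: str) -> str:
    """Accept 'abcd-efgh-ijkl', 'ABCD EFGH IJKL' or the bare 12 characters."""
    return code.replace("-", "").replace(" ", "").upper()


def code_hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 50_000)


class BackupCodes:
    def __init__(self, count: int = CODE_COUNT):
        self.salt = secrets.token_bytes(16)
        self.unused = []       # hashes of codes not yet redeemed
        self._plaintext = []   # shown to the user once, then discarded
        for _ in range(count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(12))
            self._plaintext.append("-".join(raw[i:i + 4] for i in range(0, 12, 4)))
            self.unused.append(code_hash(raw, self.salt))

    def issue(self) -> list:
        """Return the plaintext codes for display exactly once."""
        codes, self._plaintext = self._plaintext, []
        return codes

    def remaining(self) -> int:
        return len(self.unused)           # "You have N remaining backup codes"

    def redeem(self, code: str) -> bool:
        """Consume the code if it is a valid unused one; reuse is rejected."""
        digest = code_hash(code, self.salt)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, digest):
                del self.unused[i]
                return True
        return False
```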
User Management
User 2FA Status
View in the Users list:
| User | Email | 2FA Status | Methods |
|---|---|---|---|
| John | john@… | ✓ Enabled | TOTP |
| Jane | jane@… | ✓ Enabled | Email, TOTP |
| Bob | bob@… | ✗ Not set | – |
Admin Actions
User Profile > Two-Factor Authentication:
├─ View 2FA status
├─ Reset 2FA (user must set up again)
├─ Generate new backup codes
├─ View verification history
└─ Disable 2FA for user
Session Management
Remember Device
┌─────────────────────────────────────────────────────────────┐
│ Trust This Device?                                          │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│   ☑ Don't ask for verification on this device for 30 days   │
│                                                             │
│   [Complete Verification]                                   │
│                                                             │
└─────────────────────────────────────────────────────────────┘
Trusted Devices Management
┌─────────────────────────────────────────────────────────────┐
│ Your Trusted Devices                                        │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│ 🖥 Windows 10 - Chrome 120                                  │
│   Last used: Today, 2:34 PM                                 │
│   Location: New York, US                           [Revoke] │
│                                                             │
│ 📱 iPhone 15 - Safari                                       │
│   Last used: Yesterday, 10:15 AM                            │
│   Location: New York, US                           [Revoke] │
│                                                             │
│ 💻 MacBook - Firefox 121                                    │
│   Last used: 5 days ago                                     │
│   Location: Boston, US                             [Revoke] │
│                                                             │
│   [Revoke All Devices]                                      │
│                                                             │
└─────────────────────────────────────────────────────────────┘
Security Features
Rate Limiting
Verification Attempts:
├─ Max attempts: 5 per 10 minutes
├─ Lockout duration: 30 minutes
├─ Admin notification on lockout: ☑
└─ IP-based tracking: ☑
Audit Logging
┌─────────────────────────────────────────────────────────────┐
│ 2FA Verification Log                                        │
├─────────────────────────────────────────────────────────────┤
│ Time      User    Package     Method  Status                │
├─────────────────────────────────────────────────────────────┤
│ 14:32:05  john    Software    TOTP    ✓ Success             │
│ 14:28:12  jane    Manual      Email   ✓ Success             │
│ 14:25:44  bob     Software    TOTP    ✗ Failed              │
│ 14:25:40  bob     Software    TOTP    ✗ Failed              │
│ 14:22:18  alice   Templates   TOTP    ✓ Success             │
└─────────────────────────────────────────────────────────────┘
Failed Attempt Notifications
Email to Admin:

Subject: Failed 2FA Attempt Alert

Multiple failed 2FA attempts detected:

User: john@example.com
Package: Sensitive Documents
Time: 2026-01-15 14:25:44
IP: 192.168.1.100
Method: TOTP
Attempts: 3 failures

Action: Account temporarily locked for 30 minutes.
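The rate-limiting policy and the lockout alert above can be checked against a stream of verification attempts. The following is an added example, not the add-on's own code: it replays constructed attempt records through a limiter that applies the stated limits (5 failures per 10 minutes, 30-minute lockout, per-user and per-IP tracking) and raises one admin alert per lockout; the users, IPs and record layout are assumptions.

```python
# Added example, not the add-on's own code: the rate-limiting policy above
# (5 failures per 10 minutes, 30-minute lockout, IP-based tracking, admin alert
# on lockout) replayed over constructed attempts; users and IPs are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                                    # "Max attempts: 5 per 10 minutes"
WINDOW, LOCKOUT = timedelta(minutes=10), timedelta(minutes=30)


class VerificationLimiter:
    def __init__(self):
        self.failures = defaultdict(deque)   # key -> recent failure times
        self.locked_until = {}               # key -> lock expiry
        self.notifications = []              # admin alerts raised

    def record(self, user, ip, success, now):
        """Return 'locked', 'ok' or 'failed' for one attempt made at `now`."""
        keys = (f"user:{user}", f"ip:{ip}")   # "IP-based tracking": both count
        if any(self.locked_until.get(k, now) > now for k in keys):
            return "locked"                   # a correct code is refused too
        if success:
            return "ok"
        tripped = []
        for k in keys:
            q = self.failures[k]
            q.append(now)
            while now - q[0] > WINDOW:        # forget failures outside window
                q.popleft()
            if len(q) >= MAX_FAILURES:
                self.locked_until[k] = now + LOCKOUT
                q.clear()
                tripped.append(k)
        if tripped:                           # "Admin notification on lockout"
            self.notifications.append(f"Failed 2FA Attempt Alert: {tripped} "
                                      f"at {now:%Y-%m-%d %H:%M:%S}, locked 30 min")
        return "failed"


def replay(attempts, start=datetime(2026, 1, 15, 14, 20, 0)):
    # attempts: (seconds offset, user, ip, success) tuples in time order
    lim = VerificationLimiter()
    results = [lim.record(u, ip, ok, start + timedelta(seconds=s))
               for s, u, ip, ok in attempts]
    return results, lim.notifications


# Constructed sample: bob fails five times in three minutes, then sends a
# correct code while locked; alice shares bob's IP; bob retries after 33 min.
SAMPLE = [(0, "bob", "192.0.2.10", False), (40, "bob", "192.0.2.10", False),
          (90, "bob", "192.0.2.10", False), (150, "bob", "192.0.2.10", False),
          (180, "bob", "192.0.2.10", False), (200, "bob", "192.0.2.10", True),
          (210, "john", "192.0.2.11", True), (220, "alice", "192.0.2.10", True),
          (2000, "bob", "192.0.2.10", True)]
```

Running `replay(SAMPLE)` shows the two behaviours worth confirming in a test deployment: a correct code is refused while the lock is active, and a second user arriving from the locked IP is refused as well.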
Integration with Locks
Combined Security
2FA works with other lock types:
Download Flow:
1. User clicks download
2. Password lock check (if enabled)
3. Email lock check (if enabled)
4. 2FA verification
5. Download starts
Lock Priority
Security Layers (in order):
1. Role-based access check
2. Password lock
3. Email/Social locks
4. 2FA verification
5. Download
Troubleshooting
“Invalid Code”
Causes:
- Time sync issue
- Wrong code entered
- Code expired
Solutions:
- Sync device time (Settings > Date & Time > Automatic)
- Wait for new code
- Use backup code
- Re-scan QR code
Email Not Received
Causes:
- Spam filter
- SMTP not configured
- Wrong email
Solutions:
- Check spam/junk folder
- Verify SMTP settings
- Check email address
- Try resend option
Locked Out
Causes:
- Lost phone
- Deleted authenticator
- No backup codes
Solutions:
- Use backup codes
- Contact admin for reset
- Use email verification
- Admin can disable 2FA
QR Code Not Scanning
Solutions:
- Increase screen brightness
- Use manual code entry
- Try different app
- Generate new QR code
Best Practices
- Always provide backup codes – Users need recovery options
- Use session-based validity – Balance security and UX
- Enable admin bypass – Prevent lockouts during testing
- Monitor failed attempts – Watch for attacks
- Test before enforcing – Roll out gradually
- Document recovery process – Clear instructions for users
Related Documentation
Last updated: January 2026
Applies to: WordPress Download Manager 7.x + 2FA Add-on