=== Brightery Secure 2FA ===
Contributors: brighterycom
Tags: 2fa, security, authentication
Requires at least: 6.2
Tested up to: 6.9
Stable tag: 1.0.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Production-focused two-factor authentication for WordPress with authenticator apps, passkeys, forced enrollment, and advanced session hardening.

== Description ==

Brightery Secure 2FA adds a strong second login step for WordPress accounts while staying lightweight at runtime.

Features:

* Authenticator app (TOTP) support.
* Passkeys / WebAuthn support for Touch ID, Face ID, Windows Hello, fingerprint readers, and device PIN.
* Role-based enforcement: require selected user groups to enroll.
* Forced enrollment page to block protected users until they configure security.
* Backup codes.
* Encrypted TOTP secret storage using WordPress salts.
* Login throttling for repeated primary-login and second-factor failures.
* Lightweight audit logs stored inside WordPress options.
* Email alerts for enrollment changes and lockouts.
* Trusted devices so users can skip 2FA on approved browsers for a limited period.
* CSV export for security logs.
* Advanced log filters and search.
* Custom labels for trusted devices and passkeys.
* Optional revocation of other sessions after security changes.
* Optional blocking of WordPress application passwords for protected / 2FA-enabled users.
* Lightweight runtime: the plugin mostly runs on login, profile, AJAX, settings pages, WooCommerce account pages, and authenticated REST requests.

== Important Notes ==

* HTTPS is required for passkeys in production.
* This build is optimized for normal interactive WordPress logins and admin access enforcement.
* Passkey attestation trust-chain validation is intentionally not enforced in order to remain lightweight and dependency-free. The plugin still validates challenge, origin, RP ID hash, user presence, optional user verification, signature, and signature counter.
* This lightweight build supports ES256 passkeys.
* TOTP setup includes a local QR-code renderer so the setup secret stays on your own WordPress site during enrollment.
* The plugin stores account-security data such as trusted-device records, passkey metadata, security logs, and a limited recent login-context history.
* A privacy-policy suggestion plus WordPress personal-data exporter and eraser integrations are included.
* There are no non-GPL third-party runtime libraries bundled with this plugin; the distributed JavaScript and CSS files are included as human-readable source.

== Installation ==

1. Upload the ZIP in WordPress Plugins > Add New > Upload Plugin.
2. Activate "Brightery Secure 2FA".
3. Go to Settings > Brightery Secure 2FA.
4. Select allowed methods and the user roles that must use 2FA.
5. Ask each protected user to finish setup from Profile or 2FA Setup.

== Security Model ==

* TOTP secrets are encrypted before being stored in user meta.
* Backup codes are stored hashed.
* Passkeys verify origin, RP ID hash, challenge, signature, and signature counter.
* Rate limiting helps slow repeated login and 2FA guessing attempts.
* The plugin can require passkey user verification for biometric/PIN-backed sign-in.

== Privacy ==

Brightery Secure 2FA stores security-related account data so it can protect logins and help administrators investigate suspicious access. The plugin adds suggested privacy-policy text to WordPress and registers personal-data exporter/eraser callbacks for the data it stores.

== Source Code and Licensing ==

* All distributed plugin PHP, JS, and CSS files are included as human-readable source.
* The local QR renderer is bundled directly in `assets/js/bs2fa-qr.js` as readable source code.
* No non-GPL runtime libraries are required for normal plugin operation.

== Changelog ==

= 1.0.0 =
* Initial release.
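The Security Model and Important Notes sections list the assertion-time checks a passkey login must pass (origin, RP ID hash, challenge, user presence, optional user verification, ES256 signature, signature counter) without showing them. The following is an added example written for this page, not the plugin's own code, implementing those checks in plain PHP with the OpenSSL extension so it runs stand-alone. The key pair, RP ID `example.com`, origin, challenge and authenticator data are constructed for the demo; in a real login they come from the stored credential and the browser's `navigator.credentials.get()` response.

```php
<?php
// Added example, not the plugin's code: the assertion-time checks listed in the
// Security Model section, in plain PHP + OpenSSL. Key pair, challenge and
// authenticator data below are constructed for the demo.

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $s): string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return (string) base64_decode(strtr($s, '-_', '+/') . $pad);
}

// Returns ['ok' => bool, 'reason' => string, 'counter' => int]; on success the
// caller persists 'counter' as the credential's new stored signature counter.
function verify_assertion(
    string $clientDataJSON, string $authData, string $signature, string $publicKeyPem,
    string $expectedChallenge, string $expectedOrigin, string $rpId,
    int $storedCounter, bool $requireUV
): array {
    $fail = function (string $why) use ($storedCounter): array {
        return ['ok' => false, 'reason' => $why, 'counter' => $storedCounter];
    };
    $cd = json_decode($clientDataJSON, true);
    if (!is_array($cd) || ($cd['type'] ?? '') !== 'webauthn.get') {
        return $fail('clientData.type is not webauthn.get');
    }
    // Challenge: must be the one issued for this login attempt (constant-time compare).
    if (!hash_equals(b64url_decode($expectedChallenge), b64url_decode((string) ($cd['challenge'] ?? '')))) {
        return $fail('challenge mismatch');
    }
    // Origin: exact match on scheme, host and port; this is the phishing-resistance check.
    if (!hash_equals($expectedOrigin, (string) ($cd['origin'] ?? ''))) {
        return $fail('origin mismatch');
    }
    // authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
    if (strlen($authData) < 37) {
        return $fail('authenticatorData too short');
    }
    if (!hash_equals(hash('sha256', $rpId, true), substr($authData, 0, 32))) {
        return $fail('RP ID hash mismatch');
    }
    $flags = ord($authData[32]);
    if (($flags & 0x01) === 0) {
        return $fail('user presence (UP) flag not set');
    }
    if ($requireUV && ($flags & 0x04) === 0) {
        return $fail('user verification (UV) required but flag not set');
    }
    $counter = unpack('N', substr($authData, 33, 4))[1];
    // ES256: ECDSA P-256 over SHA-256 of (authenticatorData || SHA-256(clientDataJSON)).
    $signedBytes = $authData . hash('sha256', $clientDataJSON, true);
    if (openssl_verify($signedBytes, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return $fail('signature invalid');
    }
    // Counter must strictly increase once either side has seen a non-zero value;
    // a repeated or lower value is the cloned-authenticator signal.
    if (($counter !== 0 || $storedCounter !== 0) && $counter <= $storedCounter) {
        return $fail('signature counter did not increase');
    }
    return ['ok' => true, 'reason' => 'ok', 'counter' => $counter];
}

// --- Demo with constructed data -------------------------------------------
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$publicKeyPem = openssl_pkey_get_details($key)['key'];
$rpId = 'example.com';                          // constructed RP ID
$origin = 'https://example.com';                // constructed expected origin
$challenge = b64url_encode(random_bytes(32));   // what the server issued for this login
$clientDataJSON = json_encode(
    ['type' => 'webauthn.get', 'challenge' => $challenge, 'origin' => $origin],
    JSON_UNESCAPED_SLASHES
);
// flags 0x05 = UP | UV, signature counter 42
$authData = hash('sha256', $rpId, true) . chr(0x05) . pack('N', 42);
openssl_sign($authData . hash('sha256', $clientDataJSON, true), $signature, $key, OPENSSL_ALGO_SHA256);

$good   = verify_assertion($clientDataJSON, $authData, $signature, $publicKeyPem, $challenge, $origin, $rpId, 41, true);
$replay = verify_assertion($clientDataJSON, $authData, $signature, $publicKeyPem, $challenge, $origin, $rpId, 42, true);
$wrong  = verify_assertion($clientDataJSON, $authData, $signature, $publicKeyPem, $challenge, 'https://other.example', $rpId, 41, true);
printf("fresh assertion: %s, new counter %d\n", $good['ok'] ? 'accepted' : 'rejected', $good['counter']);
printf("stale counter:   %s (%s)\n", $replay['ok'] ? 'accepted' : 'rejected', $replay['reason']);
printf("other origin:    %s (%s)\n", $wrong['ok'] ? 'accepted' : 'rejected', $wrong['reason']);
```

The order of checks mirrors the registration-independent part of the WebAuthn assertion procedure: everything that can be rejected cheaply (type, challenge, origin, RP ID hash, flags) is checked before the signature, and the counter is only compared after the signature proves the authenticator data is authentic. Because this build skips attestation, the public key trusted here is whatever was accepted at enrollment, so enrollment should only be reachable from an already-authenticated session.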
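The Security Model section also states that TOTP secrets are encrypted with WordPress salts before reaching user meta and that backup codes are stored hashed. The following is an added example written for this page, not the plugin's own code, showing one way to do both: a key derived from `wp_salt()` with HKDF, AES-256-GCM so tampering with the stored blob is detected rather than decrypted, and backup codes stored as password hashes and removed on first use. `wp_salt()` is a real WordPress function; the fallback defined below is a constructed placeholder so the file also runs outside WordPress. The secret value and the `example-totp-secret-encryption` info string are assumptions for the demo.

```php
<?php
// Added example, not the plugin's code: encrypt a TOTP secret with a key derived
// from a WordPress salt and store backup codes only as hashes. The wp_salt()
// fallback is a constructed placeholder for stand-alone runs, not a real salt.

if (!function_exists('wp_salt')) {
    function wp_salt(string $scheme = 'auth'): string {
        return 'constructed-placeholder-salt-not-for-production';
    }
}

// 32-byte AES key derived from the salt with HKDF; the info string binds the key
// to this purpose so the same salt can be used elsewhere without key reuse.
function totp_storage_key(): string {
    return hash_hkdf('sha256', wp_salt('auth'), 32, 'example-totp-secret-encryption');
}

// Output is base64(iv || tag || ciphertext), suitable for update_user_meta().
function encrypt_totp_secret(string $secret): string {
    $iv = random_bytes(12);
    $tag = '';
    $ct = openssl_encrypt($secret, 'aes-256-gcm', totp_storage_key(), OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('TOTP secret encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Returns null (never a partial plaintext) if the blob is malformed or tampered with.
function decrypt_totp_secret(string $stored): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', totp_storage_key(), OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Backup codes: the user sees the plain codes once; only the hashes are stored.
function generate_backup_codes(int $count = 8): array {
    $plain = [];
    $hashes = [];
    for ($i = 0; $i < $count; $i++) {
        $code = strtoupper(bin2hex(random_bytes(5)));   // 10 hex characters, 40 bits
        $plain[]  = $code;
        $hashes[] = password_hash($code, PASSWORD_DEFAULT);
    }
    return ['plain' => $plain, 'hashes' => $hashes];
}

// Checks a submitted code against the stored hashes; on a match the hash is
// removed so the code is single-use. $hashes is the array loaded from user meta.
function consume_backup_code(string $submitted, array &$hashes): bool {
    $normalized = strtoupper(preg_replace('/[^A-Za-z0-9]/', '', $submitted));
    foreach ($hashes as $i => $hash) {
        if (password_verify($normalized, $hash)) {
            unset($hashes[$i]);
            $hashes = array_values($hashes);
            return true;
        }
    }
    return false;
}

// --- Demo with constructed values -----------------------------------------
$secret = 'JBSWY3DPEHPK3PXP';                     // constructed base32 TOTP secret
$blob = encrypt_totp_secret($secret);
$roundTrip = decrypt_totp_secret($blob);

// Flip one bit of the ciphertext: GCM must reject it outright.
$raw = base64_decode($blob);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
$tampered = decrypt_totp_secret(base64_encode($raw));

echo 'round trip ok:           ', var_export($roundTrip === $secret, true), PHP_EOL;
echo 'tampered blob rejected:  ', var_export($tampered === null, true), PHP_EOL;

$codes = generate_backup_codes(4);
$hashes = $codes['hashes'];
$first = consume_backup_code(strtolower($codes['plain'][0]), $hashes);   // case-insensitive entry
$again = consume_backup_code($codes['plain'][0], $hashes);
echo 'first use accepted:      ', var_export($first, true), PHP_EOL;
echo 'second use rejected:     ', var_export(!$again, true), PHP_EOL;
echo 'codes remaining:         ', count($hashes), PHP_EOL;
```

Two points worth noting when reviewing a scheme like this: the encryption key lives in `wp-config.php` (via the salts), so a database-only compromise yields ciphertext rather than usable TOTP seeds, but rotating the salts invalidates every stored secret and users would have to re-enroll; and because backup codes are checked with `password_verify` against each stored hash in turn, keeping the code count small and the throttling described above in place is what bounds the cost of repeated guesses.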