The Two-Factor module provides a number of developer APIs to customize behavior beyond the options exposed in the module's configuration page.
Hooks and Filters
Limit Allowed Two-Factor Methods
By default, a user can choose to use any of the enabled Two-Factor methods. Use the itsec_two_factor_allowed_providers_for_user filter to limit the methods on a per-user basis. For example, the following code snippet restricts non-administrator users to using the Email Two-Factor method.
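    add_filter( 'itsec_two_factor_allowed_providers_for_user', function ( $providers, WP_User $user ) {
        // Users who cannot manage options (non-administrators) may only use Email.
        if ( ! $user->has_cap( 'manage_options' ) ) {
            return [ \Two_Factor_Email::class ];
        }

        // Administrators keep every enabled method.
        return $providers;
    }, 10, 2 );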
If a user has no allowed providers, the Two-Factor settings interface will be hidden from their WordPress profile.
Limit Available Two-Factor Methods
The Require Two Factor, Vulnerable User Protection, and Vulnerable Site Protection features can be used to enable Two-Factor for a user even if they haven't configured Two-Factor for themselves. When this is the case, the Email Two-Factor method will automatically be added to the list of available providers for a user, regardless of whether it is excluded with the itsec_two_factor_allowed_providers_for_user filter.
If this behavior isn't desired, for example if you wish to completely disable Two-Factor for certain users but still want to keep the Vulnerable User Protection and Vulnerable Site Protection features enabled, return an empty array of providers from the itsec_two_factor_available_providers_for_user filter.
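    add_filter( 'itsec_two_factor_available_providers_for_user', function ( $providers, WP_User $user ) {
        // No providers are available to non-administrators, including the automatically added Email method.
        if ( ! $user->has_cap( 'manage_options' ) ) {
            return [];
        }

        return $providers;
    }, 10, 2 );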
When using this filter to disable all Two-Factor methods for a user, make sure to also return an empty list from the itsec_two_factor_allowed_providers_for_user filter. Otherwise, the settings interface will not be hidden from the user. In other words, whenever you limit the available Two-Factor methods for a user, make sure those methods are also not allowed.
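One way to keep the two filters in step is to drive both from a single callback, so a user can never end up with Two-Factor disabled but the settings interface still visible. This is an added example, not code from the Two-Factor module; the function names example_two_factor_disabled_for() and example_filter_two_factor_providers() are hypothetical, and the capability check is the same one used in the snippets above.

```php
<?php
/**
 * Single source of truth: should Two-Factor be fully disabled for this user?
 * (Hypothetical helper; the rule mirrors the manage_options check above.)
 */
function example_two_factor_disabled_for( WP_User $user ): bool {
    return ! $user->has_cap( 'manage_options' );
}

/**
 * Shared callback for both filters (hypothetical name). Returns an empty
 * provider list for users with Two-Factor disabled and the unmodified
 * list for everyone else.
 */
function example_filter_two_factor_providers( $providers, WP_User $user ) {
    if ( example_two_factor_disabled_for( $user ) ) {
        return [];
    }

    return $providers;
}

// Allowed providers: an empty list hides the Two-Factor settings interface
// from the user's WordPress profile.
add_filter( 'itsec_two_factor_allowed_providers_for_user', 'example_filter_two_factor_providers', 10, 2 );

// Available providers: an empty list keeps the Email method from being
// added automatically by the protection features.
add_filter( 'itsec_two_factor_available_providers_for_user', 'example_filter_two_factor_providers', 10, 2 );
```

Changing who is exempt then means editing only example_two_factor_disabled_for(), and both filters follow.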