Get more infoPhishing& keylogger attacks

Logging In

2FAS plugin divides a default WordPress login process into two steps.

First step

The first step of the login process is the same as original WordPress authentication method. You enter your login or e‑mail and password. This step is based on what you know (login and password). This is the first factor of the two‑factor authentication.

Second step

The second step is based of what you have. You get the 6-digit code and enter it into the login form. There are few channels of getting the verification code:

  1. A mobile application can generate codes.
  2. Backup code can be entered in case there is no access to a phone.
  3. Code can be delivered in a text message.
  4. Code can be delivered via automated voice call.

This is the primary authentication method of the 2FAS plugin. To use it you must install a mobile application which generates codes. If you want to find out how to configure this method please go to the 2FAS Tokens chapter.

Mobile application

We recommend to use our 2FAS Auth mobile app. Below you can find links to download it.

If you do not want to use 2FAS Auth you can install any other application which can generate time-based codes e.g. Google Authenticator.

Login process

After you enter your login and password you must enter the 6-digit code. You do not have to enter it every time you log in. You can add current browser to a trusted devices list by checking Next time don't ask me for the token on this device.


From the tokens login form you can navigate to the first step (Log in to other account) or to alternative authentication methods if you enabled some (Insert your one-time backup code, Request backup code via SMS).

Push notifications

There is an extra feature if you use 2FAS Auth app. You can log in via push notifications. When you log in and do not have a trusted device, you receive a push. You can accept logging in or decline. When you accept it, logging in is going to proceed automatically. You do not have to enter any token.

To configure push notifications scan the QR code in the 2FAS Tokens tab using 2FAS Auth mobile application. Just it. Then you receive a push notification every time you log in on untrusted device.

To provide such method we use Pusher.

Logging in via push notifications is available in the basic plan. It is free.

Offline codes are a backup authentication method. To find out how to configure this method please go to a Backup codes - offline chapter.

This method can be used when there is no access to the phone paired with a WordPress account. There is a limited number of offline codes which decrements every time you log in via this method.

To log in via offline code navigate to an alternative login form by clicking the Insert you one-time backup code link in the navigation.

In case you do not have access to a mobile application, you can use an alternative authentication method. You can receive a text message with the code. If you want to find out how to configure this method please go to a Backup codes - SMS/VMS chapter.

Login process

Logging in via text message code is very similar to the tokens method. Firstly navigate to alternative login form (Request backup code via SMS link). To log in you enter the 6-digit code. In case you did not receive a text message, you can resend it.


Below the login form you can find navigation links. You can go back to logging in via tokens (Back to previous page) or go to the next backup method which is a voice call (Request backup code via call).

This method is almost the same as logging in via text messages. You receive a phone call and the code is being dictated.

To log in via voice call navigate to voice call login form from SMS form (Request backup code via call). If you do not receive any call, you can make a call again.