WPHammer
Two-Factor Authentication

    WPHammer supports time-based one-time password (TOTP) two-factor authentication, powered by Laravel Fortify. When enabled, you need both your password and a code from your authenticator app to sign in.

    Enabling 2FA

    Two-factor authentication is managed from /settings/two-factor. The setup flow:

    1. Click the enable button to start setup
    2. The TwoFactorSetupModal component generates a QR code and manual setup key
    3. Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.)
    4. Enter the 6-digit verification code from your app to confirm setup
    5. Once confirmed, 2FA is active on your account

    The setup modal displays the QR code with automatic dark mode inversion for readability. If you cannot scan the QR code, a manual setup key is available with a copy-to-clipboard button.
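The confirmation step above checks that the code the authenticator produced matches the code the server computes from the shared secret. The following is an added example, not WPHammer's or Fortify's own code (Fortify delegates this to a TOTP library), of the RFC 6238 arithmetic behind that check: a CSPRNG-generated base32 secret of the kind shown as the manual setup key, the otpauth:// URI that the QR code encodes, and a verifier that tolerates one 30-second step of clock drift and compares in constant time. All function names are this example's own.

```php
<?php
declare(strict_types=1);

// RFC 4648 base32 alphabet: the manual setup key and the QR code both carry the secret in this form.
const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

function base32Encode(string $bytes): string
{
    $bits = '';
    foreach (str_split($bytes) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= BASE32_ALPHABET[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

function base32Decode(string $encoded): string
{
    $bits = '';
    foreach (str_split(strtoupper(rtrim($encoded, '='))) as $char) {
        $index = strpos(BASE32_ALPHABET, $char);
        if ($index === false) {
            throw new InvalidArgumentException('Invalid base32 character');
        }
        $bits .= str_pad(decbin($index), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

// A fresh 160-bit secret from the CSPRNG; never derive it from user data.
function generateSecret(): string
{
    return base32Encode(random_bytes(20));
}

// The 6-digit code for the 30-second step containing $timestamp (RFC 6238 over HOTP, RFC 4226).
function totpCode(string $base32Secret, int $timestamp, int $period = 30, int $digits = 6): string
{
    $counter = intdiv($timestamp, $period);
    $hash = hash_hmac('sha1', pack('J', $counter), base32Decode($base32Secret), true); // 8-byte big-endian counter
    $offset = ord($hash[19]) & 0x0F;                                                   // dynamic truncation
    $binary = ((ord($hash[$offset]) & 0x7F) << 24)
        | (ord($hash[$offset + 1]) << 16)
        | (ord($hash[$offset + 2]) << 8)
        | ord($hash[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current step plus one step either side (phone clock drift); compare in
// constant time so the response time does not reveal how many digits matched.
function verifyTotp(string $base32Secret, string $submitted, int $now, int $window = 1, int $period = 30): bool
{
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totpCode($base32Secret, $now + $i * $period, $period), $submitted)) {
            return true;
        }
    }
    return false;
}

// The otpauth:// URI that the setup modal's QR code encodes.
function otpauthUri(string $issuer, string $account, string $secret): string
{
    return sprintf(
        'otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30',
        rawurlencode($issuer), rawurlencode($account), $secret, rawurlencode($issuer)
    );
}

// Usage: round-trip a new secret, then check against the RFC 6238 SHA-1 test vector
// (secret "12345678901234567890", T=59 -> 8-digit 94287082, so 6-digit 287082).
$secret = generateSecret();
$ok = verifyTotp($secret, totpCode($secret, time()), time());
$vector = totpCode(base32Encode('12345678901234567890'), 59) === '287082';
echo ($ok && $vector) ? "TOTP self-check passed\n" : "TOTP self-check FAILED\n";
echo otpauthUri('WPHammer', 'user@example.com', $secret), "\n"; // account name is a constructed sample
```

Why the window matters: a code is only valid for its 30-second step, so a phone a few seconds behind would otherwise fail confirmation; keeping the window at one step either side (and rejecting reuse of an already accepted step in a real deployment) limits how much the tolerance widens the guessing space.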

    Confirmation requirement

    Fortify is configured with confirm: true and confirmPassword: true, meaning:

    • You must enter a valid TOTP code during setup to confirm the authenticator is working
    • Password confirmation is required before enabling 2FA

    If setup is abandoned before confirmation, the unconfirmed 2FA configuration is automatically cleaned up on the next page visit.

    Recovery codes

    When 2FA is enabled, WPHammer generates a set of one-time recovery codes. These codes can be used instead of a TOTP code if you lose access to your authenticator app.

    The RecoveryCodes component lets you:

    • View codes — toggle visibility of your recovery codes
    • Regenerate codes — generate a fresh set, invalidating all previous codes

    Recovery codes are stored encrypted in the database (two_factor_recovery_codes field). Each code can only be used once.

    Store your recovery codes in a secure location. If you lose both your authenticator device and your recovery codes, you will not be able to access your account.
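To make "stored encrypted" and "used once" concrete, here is an added example (not WPHammer's or Fortify's implementation; Laravel encrypts the column with its own encrypter and APP_KEY, whereas this stand-alone version uses libsodium's secretbox with a throwaway key) of generating a recovery-code set, encrypting it for the two_factor_recovery_codes field, and redeeming a code so that a second use of the same code is rejected.

```php
<?php
declare(strict_types=1);

// Eight codes in the familiar "xxxxxxxxxx-xxxxxxxxxx" shape, each 80 bits from the CSPRNG.
function generateRecoveryCodes(int $count = 8): array
{
    $codes = [];
    for ($i = 0; $i < $count; $i++) {
        $codes[] = bin2hex(random_bytes(5)) . '-' . bin2hex(random_bytes(5));
    }
    return $codes;
}

// Encrypt the JSON list for the database column; nonce is prepended so decryption is self-describing.
function encryptCodes(array $codes, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox(json_encode($codes, JSON_THROW_ON_ERROR), $nonce, $key);
    return base64_encode($nonce . $cipher);
}

function decryptCodes(string $stored, string $key): array
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('stored recovery codes are malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('stored recovery codes failed authentication');
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// Redeem a submitted code. Returns the new encrypted blob with the used code removed,
// or null if nothing matched. Every stored code is compared in constant time; the
// caller must persist the returned blob before completing login so the code is spent.
function redeemRecoveryCode(string $stored, string $submitted, string $key): ?string
{
    $matched = false;
    $remaining = [];
    foreach (decryptCodes($stored, $key) as $code) {
        if (!$matched && hash_equals($code, $submitted)) {
            $matched = true;   // consume exactly one code
            continue;
        }
        $remaining[] = $code;
    }
    return $matched ? encryptCodes($remaining, $key) : null;
}

// Usage with a constructed key (stands in for the application's encryption key).
$key = sodium_crypto_secretbox_keygen();
$codes = generateRecoveryCodes();
$stored = encryptCodes($codes, $key);

$stored = redeemRecoveryCode($stored, $codes[0], $key);
echo $stored !== null ? "first use accepted\n" : "first use rejected\n";
echo redeemRecoveryCode($stored, $codes[0], $key) === null ? "replay rejected\n" : "replay ACCEPTED\n";
echo count(decryptCodes($stored, $key)), " codes remain\n";

// "Regenerate codes" is simply a fresh set written over the old blob, which invalidates every previous code.
$stored = encryptCodes(generateRecoveryCodes(), $key);
```

Note that the example drops a used code from the list; Fortify's own handling of a spent code may differ, and the page does not specify it. The property that matters for the text above is the same either way: a code that has been redeemed is no longer in the stored set.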

    Signing in with 2FA

    When 2FA is active, the sign-in flow adds a challenge step after password verification:

    1. Enter your email and password as usual
    2. The two-factor-challenge view prompts for a TOTP code or recovery code
    3. Enter the 6-digit code from your authenticator app
    4. If you do not have your device, use a recovery code instead

    The two-factor challenge is rate-limited to 5 attempts per minute per session.

    Disabling 2FA

    You can disable 2FA from the settings page using the danger button. Disabling removes the TOTP secret and recovery codes from your account. You can re-enable it at any time by going through the setup flow again.

    Fortify configuration

    The two-factor feature is enabled in config/fortify.php:

    use Laravel\Fortify\Features;

    'features' => [
        // ... other enabled features
        Features::twoFactorAuthentication([
            'confirm' => true,          // a valid TOTP code is required before 2FA becomes active
            'confirmPassword' => true,  // the password must be re-confirmed before enabling 2FA
        ]),
    ],

    Rate limiting is applied to the two-factor challenge endpoint — 5 requests per minute, keyed by the session's login.id.
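The limiter described above is registered outside config/fortify.php. The following is an added example, not WPHammer's own provider file, showing the standard Laravel Fortify way to define it: a named limiter 'two-factor' whose key is the login.id that Fortify places in the session after the password step, so the 5-per-minute budget belongs to the pending login rather than to the client IP. The assumption is that WPHammer registers the limiter and the challenge view in its FortifyServiceProvider in this conventional form.

```php
<?php

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;
use Laravel\Fortify\Fortify;

class FortifyServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // The two-factor challenge endpoint resolves the limiter named 'two-factor'.
        // Keying by the session's login.id ties the 5/minute budget to the login
        // that already passed the password check; a 6-digit code has only one
        // million values, so an unthrottled challenge could be guessed.
        RateLimiter::for('two-factor', function (Request $request) {
            return Limit::perMinute(5)->by($request->session()->get('login.id'));
        });

        // The view shown for the challenge step (TOTP code or recovery code).
        Fortify::twoFactorChallengeView(fn () => view('auth.two-factor-challenge'));
    }
}
```

The limiter name must match the 'limiters' entry in config/fortify.php ('two-factor' => 'two-factor' is the Fortify default). A useful check when auditing: submit six wrong codes within a minute to a test account and confirm the sixth returns HTTP 429, since a limiter that is defined but not wired to the endpoint silently provides no protection.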

    Related