MemberMode’s Two-factor module ships in the free plugin. It implements RFC 6238 TOTP (the same protocol used by Google Authenticator, 1Password, Authy, Bitwarden, and every other authenticator app) — no external services, no API calls, no per-user fees.
Make sure the module is on
Go to MemberMode → Modules. The “Two-factor” card should be enabled (it’s on by default for new installs). If you turned it off earlier, flip it back on.
How members enroll
Once the module is on, each member can opt in from their account:
- Member visits their account page (e.g. /account/security/).
- Scans the QR code with their authenticator app.
- Confirms with a 6-digit code.
- Saves the recovery codes shown after enrollment.
After enrollment, the member is prompted for a TOTP code on every login — both wp-login.php and the MemberMode frontend login.
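To show what the server checks when a member types a 6-digit code, here is an added RFC 6238 verification example in Python; it is not MemberMode's code. The one-step clock-drift window and the replay check follow the recommendations in RFC 6238 section 5.2 and are assumptions about how a verifier should behave, and the function names and `last_used` parameter are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length used by common authenticator apps

# Test key from RFC 6238 Appendix B (sample input, never a real member secret).
RFC_SECRET = b"12345678901234567890"


def totp(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) over the RFC 6238 time-step counter, HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, now: int, last_used: int, window: int = 1):
    """Return the matched time-step counter, or None if the code is rejected.

    last_used is the counter of the last code accepted for this member
    (-1 if none). The caller must persist the returned counter so the same
    code cannot be replayed inside its validity window.
    """
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return None
    current = now // STEP
    matched = None
    for counter in range(current - window, current + window + 1):
        # Constant-time comparison; every candidate step is checked so the
        # response time does not reveal which step matched.
        if counter >= 0 and hmac.compare_digest(totp(secret, counter), code):
            matched = counter
    if matched is None or matched <= last_used:
        return None  # wrong code, or a code that was already used
    return matched


if __name__ == "__main__":
    step = verify(RFC_SECRET, "287082", now=59, last_used=-1)
    print("accepted at step", step)
    print("replay:", verify(RFC_SECRET, "287082", now=59, last_used=step))
```

A login handler built this way also needs attempt rate limiting, since a 6-digit code with a three-step window is guessable without it.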
Enforce 2FA by role
Open MemberMode → Settings → Security. The “Two-factor authentication” card lists every WordPress role with a toggle. Turn on a role to require its members to enroll in 2FA before they can do anything else on the site.
Members in enforced roles see a one-time enrollment screen on their next login. Until they finish enrollment, they can’t access the dashboard or any restricted content.
Recovery codes
Members get 10 single-use recovery codes after enrollment. They can regenerate the set from their account page at any time (the old set is invalidated). If a member loses both their device and recovery codes, an admin can reset 2FA from wp-admin → Users → Edit User → Reset two-factor authentication.
Pro: passkeys, SMS, trusted devices
The free plugin covers TOTP only. MemberMode Pro adds WebAuthn / FIDO2 passkeys, SMS codes, and trusted-device cookies that let frequent users skip the 2FA prompt for 30 days.