Hi @nettpro, thanks for getting in touch.
If a WordPress administrator’s email account was ever compromised with 2FA configured to it, an attacker would be able to reset their password and get 2FA codes for their site, so it’s no longer two factors. I understand why people may distrust certain high-profile app providers, but there are increasingly more to choose from, and only having a code available from a single physical device is preferable.
We are currently looking into feasibility and user-demand for further security measures like hardware keys and/or passkeys, although I can’t comment on development progress or release dates here on the forums.
Thanks,
Peter.
Indeed it would be bad if an attacker got access to the email account. That would also be true if anybody else got hold of your cellphone? I just thought it would be nice to have the ability to both give a password and maybe an email link? Like it is today, since I do not use cellphones, it only works with one password.
I do understand it is not possible to satisfy everybody's wishes. Will check if there are other plugins that support authentication via mail. 🙂 Thank you for the feedback.