Title: ryan.boder's Replies | WordPress.org

---

# ryan.boder

## Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
 *   In reply to: [[WP 2FA - Two-factor authentication for WordPress] Documentation for the WP 2FA REST API?](https://wordpress.org/support/topic/documentation-for-the-wp-2fa-rest-api/)
 *   Thread Starter [ryan.boder](https://wordpress.org/support/users/ryanboder/) (@ryanboder)
 *   [9 months, 1 week ago](https://wordpress.org/support/topic/documentation-for-the-wp-2fa-rest-api/#post-18615936)
 * So it is integrated with login on the server side but only with standard WP
   cookie-based authentication. Correct?
 * It sounds like this new endpoint would only work with a normal WP site, not with
   a headless WP site (where the frontend is hosted on a different server/origin).
   A headless WP site would typically use some kind of token-based authentication
   (OAuth or JWT) for cross-origin requests instead of cookie-based authentication.
 * I was hoping it would be applicable to headless WP sites.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
 *   In reply to: [[WP 2FA - Two-factor authentication for WordPress] Documentation for the WP 2FA REST API?](https://wordpress.org/support/topic/documentation-for-the-wp-2fa-rest-api/)
 *   Thread Starter [ryan.boder](https://wordpress.org/support/users/ryanboder/) (@ryanboder)
 *   [9 months, 2 weeks ago](https://wordpress.org/support/topic/documentation-for-the-wp-2fa-rest-api/#post-18606915)
 * I’m not asking for stack-specific, step-by-step guidance. I’m asking how to use
   the endpoint securely, in general, from the browser.
 * 2FA typically works like 1) verify username & password, then 2) verify 2FA code.
   Let’s say we’re using a JWT authentication plugin that has a REST endpoint for
   verifying username & password and responds with a JWT access token. We request
   that endpoint from the browser and successfully verify username & password. Should
   the user be logged in at that point? No, because they haven’t verified the 2FA
   code yet. So they shouldn’t get an access token yet. They need to pass 2FA first.
 * But we can’t enforce the extra 2FA step in the browser. That would allow the
   user to just run some JS code to work around it. 2FA needs to be combined with
   the username/password verification and enforced in the server.
 * It seems to me like your 2FA plugin would need to be integrated with the JWT
   authentication in the server. Is that correct? If so, can you share a generic
   example (not code, just a high-level flow) of how this new endpoint can be used to
   implement 2FA securely in a headless WP?
 * If we have to integrate WP 2FA with the JWT plugin ourselves in the server, are
   there functions and hooks available in WP 2FA for this? Can you share which ones?
    -  This reply was modified 9 months, 2 weeks ago by [ryan.boder](https://wordpress.org/support/users/ryanboder/).
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
 *   In reply to: [[WP 2FA - Two-factor authentication for WordPress] Documentation for the WP 2FA REST API?](https://wordpress.org/support/topic/documentation-for-the-wp-2fa-rest-api/)
 *   Thread Starter [ryan.boder](https://wordpress.org/support/users/ryanboder/) (@ryanboder)
 *   [9 months, 3 weeks ago](https://wordpress.org/support/topic/documentation-for-the-wp-2fa-rest-api/#post-18599311)
 * Thanks! I’m not sure I understand how to use it though. We’re building a headless
   WP/WC site and trying to figure out how to do 2FA at login. We’re assuming logging
   in from the frontend site will use a JWT plugin such as [this](https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/)
   or [this](https://wordpress.org/plugins/cocart-jwt-authentication/).
 * I see that we can use your new endpoint to check whether a 2FA token is valid
   but if we do the 2FA test in the browser then it could easily be subverted. We
   would need the 2FA test to happen in the server and the JWT plugin to not provide
   an access token unless a valid 2FA token has been sent along with the username
   and password.
 * How could we incorporate WP 2FA into the login using this new endpoint?
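
The server-side enforcement the two replies above ask for, as an added example that is not code from the WP 2FA plugin, from either JWT plugin, or from the thread. It assumes the JWT plugin obtains the user through `wp_authenticate()` (which runs core's `authenticate` filter), that the client sends the one-time code in an `X-2FA-Code` request header, and that the user's TOTP secret is stored hex-encoded under a hypothetical user-meta key `my_totp_secret`; the small TOTP check stands in for whatever verifier the 2FA plugin provides, since its functions are not documented on this page.

```php
<?php
// Added example, not code from WP 2FA, a JWT plugin or the thread author.
// Assumptions: the JWT plugin calls wp_authenticate(), so core's 'authenticate'
// filter runs; the client sends the code in an X-2FA-Code header; the user's
// TOTP secret is hex-encoded under the hypothetical meta key 'my_totp_secret'.

function my_totp( $secret_hex, $counter ) {
    // RFC 6238: HMAC-SHA1 over the 8-byte big-endian step, then dynamic truncation.
    $hash = hash_hmac( 'sha1', pack( 'J', $counter ), hex2bin( $secret_hex ), true );
    $off  = ord( $hash[19] ) & 0x0f;
    $bin  = ( ( ord( $hash[ $off ] ) & 0x7f ) << 24 ) | ( ord( $hash[ $off + 1 ] ) << 16 )
          | ( ord( $hash[ $off + 2 ] ) << 8 ) | ord( $hash[ $off + 3 ] );
    return str_pad( (string) ( $bin % 1000000 ), 6, '0', STR_PAD_LEFT );
}

function my_2fa_code_is_valid( WP_User $user, $code ) {
    $secret = get_user_meta( $user->ID, 'my_totp_secret', true );
    if ( ! ctype_xdigit( $secret ) || strlen( $secret ) % 2 ) {
        return false; // no usable enrolled secret: fail closed
    }
    $step = (int) floor( time() / 30 );
    foreach ( array( -1, 0, 1 ) as $drift ) { // tolerate one 30 s step of clock skew
        if ( hash_equals( my_totp( $secret, $step + $drift ), (string) $code ) ) {
            return true;
        }
    }
    return false;
}

// Priority 30 runs after core's username/password check (priority 20).
add_filter( 'authenticate', 'my_require_2fa_on_rest_login', 30, 3 );

function my_require_2fa_on_rest_login( $user, $username, $password ) {
    // Password step has not succeeded (null or WP_Error): nothing to add.
    if ( ! ( $user instanceof WP_User ) ) {
        return $user;
    }
    // Only enforce on REST logins; wp-login.php keeps the 2FA plugin's own flow.
    if ( ! ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ) {
        return $user;
    }
    $code = isset( $_SERVER['HTTP_X_2FA_CODE'] ) ? trim( $_SERVER['HTTP_X_2FA_CODE'] ) : '';
    if ( '' === $code || ! my_2fa_code_is_valid( $user, $code ) ) {
        // A WP_Error here makes wp_authenticate() fail, so no JWT is ever issued.
        return new WP_Error( 'two_factor_required', 'A valid 2FA code is required.' );
    }
    return $user;
}
```

Because the check sits in the `authenticate` filter rather than in the browser, a client that skips the code never gets past password verification, which is the property the replies describe.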
