
OTP with Multisite may not work #583

Closed
javiercasares opened this issue Jul 21, 2023 · 2 comments

Comments

@javiercasares

Is your enhancement related to a problem? Please describe.

In some cases, the OTP option won't work with WordPress Multisite.

OTP usually uses the hostname to create the value, and WP Multisite allows having multiple hostnames (subdomains or fully different domains), so if you create the access on one site, it doesn't work on the other.

As creating a different QR/config for each site is not a reality, maybe the option to disable the OTP option on Multisite may be the way to go.

This also may not work with FIDO.

Email, for example, works fine.

Proposed Solution

On Multisite (or always), have an option for admins to allow / disallow some 2FA options.

In case it is a Multisite, explain the possibility that OTP/FIDO may not work.

Designs

No response

Describe alternatives you've considered

No response

Please confirm that you have searched existing issues in this repository.

Yes

@dd32
Member

dd32 commented Jul 24, 2023

> OTP usually uses the hostname to create the value

Assuming you're referring to TOTP here, the hostname is included in the description, but it is not used within the validation flow. The key is per-user, but not per-hostname.

@kasparsd
Collaborator

It should be only FIDO U2F which locks the secret to a hostname but that is being removed soon due to #423.

The TOTP secret is stored in user meta:

```php
// Two-Factor plugin: the TOTP secret is keyed only by the user ID, never by a site/blog ID.
public function set_user_totp_key( $user_id, $key ) {
	return update_user_meta( $user_id, self::SECRET_META_KEY, $key );
}
```

which is a global table shared across all sites on the network. I'm personally using the same TOTP key on all my sites of a multisite.
