Challenging users

When the addon is enabled, users will be challenged when logging in to the Statamic Control Panel.

This occurs after logging in with their email address (username) and password, but before they can access the Control Panel.

Using a one-time code

Users can use a valid one-time code from their authenticator app. These will be refreshed every 30 seconds.

Using a recovery code

Users can also switch to the recovery code view, and provide one of their emergency recovery codes.

When a recovery code is successfully used, the user will be sent an email advising them of this, and to update their recovery codes.

The used recovery code will be removed from the user's account and replaced with a new recovery code. These codes are not sent via email, and do require the user log in to their account to see their recovery codes.

Locking users out

After a number of failed attempts (you can configure this), the user account will be locked. They will not be able to log in to the Control Panel until their account is unlocked.

This could be by an Admin user via the Control Panel, or if you are running with a single user, you would need code/server level access to unlock the user.

The number of failed attempts is automatically reset to zero following a successful challenge, and will increment again on their next challenge attempts.