=== Brightery Secure 2FA ===
Contributors: brighterycom
Tags: 2fa, security, authentication
Requires at least: 6.2
Tested up to: 6.9
Stable tag: 1.0.0
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Production-focused two-factor authentication for WordPress with authenticator apps, passkeys, forced enrollment, and advanced session hardening.

== Description ==

Brightery Secure 2FA adds a strong second login step for WordPress accounts while keeping runtime overhead low.

Features:

* Authenticator app (TOTP) support.
* Passkeys / WebAuthn support for Touch ID, Face ID, Windows Hello, fingerprint readers, and device PIN.
* Role-based enforcement: require selected user groups to enroll.
* Forced enrollment page to block protected users until they configure security.
* Backup codes.
* Encrypted TOTP secret storage using WordPress salts.
* Login throttling for repeated primary-login and second-factor failures.
* Lightweight audit logs stored inside WordPress options.
* Email alerts for enrollment changes and lockouts.
* Trusted devices so users can skip 2FA on approved browsers for a limited period.
* CSV export for security logs.
* Advanced log filters and search.
* Custom labels for trusted devices and passkeys.
* Optional revocation of other sessions after security changes.
* Optional blocking of WordPress application passwords for protected / 2FA-enabled users.
* Lightweight runtime: the plugin mostly runs on login, profile, AJAX, settings pages, WooCommerce account pages, and authenticated REST requests.

== Important Notes ==

* HTTPS is required for passkeys in production.
* This build is optimized for normal interactive WordPress logins and admin access enforcement.
* Passkey attestation trust-chain validation is intentionally not enforced in order to remain lightweight and dependency-free. The plugin still validates challenge, origin, RP ID hash, user presence, optional user verification, signature, and signature counter.
* This lightweight build supports ES256 passkeys.
* TOTP setup includes a local QR-code renderer so the setup secret stays on your own WordPress site during enrollment.
* The plugin stores account-security data such as trusted-device records, passkey metadata, security logs, and a limited recent login-context history.
* A privacy-policy suggestion plus WordPress personal-data exporter and eraser integrations are included.
* There are no non-GPL third-party runtime libraries bundled with this plugin; the distributed JavaScript and CSS files are included as human-readable source.
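The passkey checks listed above (challenge, origin, RP ID hash, user presence, optional user verification, signature counter, and the message the signature covers) are the relying-party side of a WebAuthn assertion. The following Python sketch is an added illustration of that verification order, not the plugin's PHP code. It builds a constructed assertion with a constructed challenge and RP ID (example.com), and the `signature_valid` callback is a placeholder for the ES256 check, which the plugin performs against the stored public key and which is not implemented here.

```python
import base64
import hashlib
import hmac
import json
import struct

FLAG_UP = 0x01  # authenticatorData flag: user presence
FLAG_UV = 0x04  # authenticatorData flag: user verification (biometric / PIN)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def verify_assertion(rp_id, expected_origin, expected_challenge, client_data_json,
                     auth_data, stored_counter, require_uv, signature_valid):
    """Validate one webauthn.get response; return the new signature counter to persist."""
    client = json.loads(client_data_json.decode("utf-8"))
    if client.get("type") != "webauthn.get":
        raise ValueError("clientData.type is not webauthn.get")
    # The challenge must be the one the server issued for this login attempt (replay defence).
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch (stale or replayed assertion)")
    if client.get("origin") != expected_origin:
        raise ValueError("origin mismatch")
    parsed = parse_authenticator_data(auth_data)
    if not hmac.compare_digest(parsed["rp_id_hash"], hashlib.sha256(rp_id.encode("utf-8")).digest()):
        raise ValueError("RP ID hash mismatch")
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise ValueError("user verification required but not performed")
    new_count = parsed["sign_count"]
    # Counters that are both zero mean the authenticator does not support one;
    # otherwise a counter that fails to increase suggests a cloned authenticator.
    if (new_count != 0 or stored_counter != 0) and new_count <= stored_counter:
        raise ValueError("signature counter did not increase (possible cloned authenticator)")
    # The authenticator signs authenticatorData || SHA-256(clientDataJSON).
    signed_message = auth_data + hashlib.sha256(client_data_json).digest()
    if not signature_valid(signed_message):
        raise ValueError("signature verification failed")
    return new_count


def build_sample_assertion(rp_id, origin, challenge, sign_count, flags):
    """Constructed test data only: a real assertion comes from the browser's navigator.credentials.get()."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    ).encode("utf-8")
    auth_data = hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return client_data_json, auth_data


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a server would use secrets.token_bytes(32) per login attempt
    cdj, ad = build_sample_assertion("example.com", "https://example.com", challenge, 42, FLAG_UP | FLAG_UV)
    # signature_valid is a placeholder standing in for the ES256 check against the stored public key.
    print(verify_assertion("example.com", "https://example.com", challenge, cdj, ad, 41, True, lambda m: True))
```

In PHP the placeholder step corresponds to openssl_verify() with OPENSSL_ALGO_SHA256 over the same signed message, since WebAuthn ES256 signatures are DER-encoded. The counter returned on success should replace the stored value so the next assertion is checked against it.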

== Installation ==

1. Upload the ZIP in WordPress Plugins > Add New > Upload Plugin.
2. Activate "Brightery Secure 2FA".
3. Go to Settings > Brightery Secure 2FA.
4. Select allowed methods and the user roles that must use 2FA.
5. Ask each protected user to finish setup from Profile or 2FA Setup.

== Security Model ==

* TOTP secrets are encrypted before being stored in user meta.
* Backup codes are stored hashed.
* Passkeys verify origin, RP ID hash, challenge, signature, and signature counter.
* Rate limiting helps slow repeated login and 2FA guessing attempts.
* The plugin can require passkey user verification for biometric/PIN-backed sign-in.
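To make the TOTP and backup-code points concrete, here is an added Python illustration (not the plugin's PHP code) of RFC 6238 code verification with a small clock-skew window, single-use enforcement of each time step, and backup codes that are generated once and stored only as hashes. The secret used is the RFC 6238 test vector; the hash function for backup codes is an assumption, since the page does not state which one the plugin uses, and the encryption of the stored TOTP secret is not shown.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30
DIGITS = 6


def totp_code(secret: bytes, step: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one 30-second step counter."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: int, last_used_step=None, window: int = 1):
    """Return the accepted step, or None.

    `window` allows +/- one step of clock skew. `last_used_step` is the step the
    user last authenticated with; refusing any step at or below it stops a code
    that was just used from being replayed during the remaining window.
    """
    current = now // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(totp_code(secret, step), submitted):
            return step
    return None


def generate_backup_codes(count: int = 10):
    """Return (plaintext codes to show once, hashes to persist). 64-bit random codes."""
    codes = [secrets.token_hex(8) for _ in range(count)]
    hashes = [hashlib.sha256(code.encode("ascii")).hexdigest() for code in codes]
    return codes, hashes


def consume_backup_code(stored_hashes, submitted: str):
    """Return the remaining hashes with the matched code removed, or None if nothing matched."""
    digest = hashlib.sha256(submitted.strip().lower().encode("ascii")).hexdigest()
    for index, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, digest):
            return stored_hashes[:index] + stored_hashes[index + 1:]  # single use
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 appendix B test secret, not a real user's
    print(totp_code(secret, 59 // STEP_SECONDS))          # 287082
    print(verify_totp(secret, "287082", 59))              # 1
    print(verify_totp(secret, "287082", 59, last_used_step=1))  # None: already used
```

After a successful TOTP login the accepted step is what should be persisted as `last_used_step`; after a backup code is accepted the returned list replaces the stored hashes so the code cannot be used again.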

== Privacy ==

Brightery Secure 2FA stores security-related account data so it can protect logins and help administrators investigate suspicious access.
The plugin adds suggested privacy-policy text to WordPress and registers personal-data exporter/eraser callbacks for the data it stores.

== Source Code and Licensing ==

* All distributed plugin PHP, JS, and CSS files are included as human-readable source.
* The local QR renderer is bundled directly in `assets/js/bs2fa-qr.js` as readable source code.
* No non-GPL runtime libraries are required for normal plugin operation.

== Changelog ==

= 1.0.0 =
* Initial release.
