
Require verification before activating Email TOTP #778

@masteradhoc

Description

Is your enhancement related to a problem? Please describe.

Problem / Motivation

Currently, the Email TOTP method is activated immediately when enabled, without verifying that the configured email address can actually receive authentication codes. This can lead to account lockouts or failed logins if the email delivery is misconfigured, blocked, or incorrect.

In contrast, the app-based TOTP flow already includes an explicit verification step: users must scan the QR code and enter a generated token before the method becomes active. This aims to improve UX consistency between Email TOTP and app-based TOTP.

This proposed solution was discussed in the Two-Factor chat on Slack on 4 February. See more here.

Proposed Solution

Change the Email TOTP activation flow so that it is only activated after successful verification, i.e. after the user has received and entered at least one verification code.

Suggested behavior:

  1. User goes to /wp-admin/profile.php
  2. Email TOTP is not yet active.
  3. User must click "Verify your e-mail address"
  4. User receives the code over email
  5. User enters it on the edit profile page
  6. After successful verification, Email TOTP is activated.

Backwards Compatibility
We need to make sure there is no impact on existing verified email totp setups.
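To make the proposed flow concrete, here is an added illustration of the activation gate as a small state model. It is not the Two-Factor plugin's code (the plugin is PHP; this is Python, written to be run on its own), and every name in it is an assumption: `EmailTotpEnrollment`, `enable`, `send_verification`, `verify`, `migrate_legacy`, the mailer callback and the constants. It shows the part the issue asks for: enabling the method only records the address, a code is mailed on request, and the method becomes available for login only after a correct code is entered. It also covers the failure modes a reviewer would ask about (wrong code, replay of a used code, expired code, too many attempts) and the backwards-compatibility point, where an already verified setup is imported as active.

```python
"""Email TOTP enrollment gate: the method is active only after the user proves
they can receive a code at the configured address.

Added example, not the Two-Factor plugin's code. All class, method and
constant names are assumptions made for this illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of a mailed verification code
MAX_ATTEMPTS = 5             # assumed guess budget per issued code
CODE_DIGITS = 8              # assumed code length


@dataclass
class EmailTotpState:
    email: str
    active: bool = False                 # True only after a successful verify
    pending_code: Optional[str] = None   # code mailed but not yet entered
    issued_at: float = 0.0
    attempts: int = 0


class EmailTotpEnrollment:
    def __init__(self, mailer: Callable[[str, str], None], clock=time.time):
        self.mailer = mailer   # delivers (email, code); injectable for tests
        self.clock = clock
        self.users: Dict[int, EmailTotpState] = {}

    def enable(self, user_id: int, email: str) -> None:
        """Step 2: enabling records the address but does NOT activate."""
        self.users[user_id] = EmailTotpState(email=email)

    def send_verification(self, user_id: int) -> None:
        """Steps 3-4: issue a fresh random code and mail it."""
        st = self.users[user_id]
        st.pending_code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        st.issued_at = self.clock()
        st.attempts = 0
        self.mailer(st.email, st.pending_code)

    def verify(self, user_id: int, submitted: str) -> bool:
        """Steps 5-6: activate only on a correct, fresh, unused code."""
        st = self.users[user_id]
        if st.pending_code is None:
            return False                       # nothing issued, or already used
        if self.clock() - st.issued_at > CODE_TTL_SECONDS:
            st.pending_code = None             # expired: user must request again
            return False
        st.attempts += 1
        if st.attempts > MAX_ATTEMPTS:
            st.pending_code = None             # guess budget exhausted
            return False
        if not hmac.compare_digest(st.pending_code.encode(), submitted.strip().encode()):
            return False
        st.pending_code = None                 # one-time use
        st.active = True
        return True

    def is_available_for_login(self, user_id: int) -> bool:
        """Only active (verified) setups are offered at login."""
        st = self.users.get(user_id)
        return st is not None and st.active

    def migrate_legacy(self, user_id: int, email: str) -> None:
        """Backwards compatibility: an existing verified setup stays active."""
        self.users[user_id] = EmailTotpState(email=email, active=True)


def demo() -> dict:
    """Walk the flow with a capturing mailer and a fake clock; returns outcomes."""
    outbox = []                                   # constructed stand-in for wp_mail
    now = [1_000_000.0]
    enroll = EmailTotpEnrollment(mailer=lambda e, c: outbox.append((e, c)),
                                 clock=lambda: now[0])
    r = {}
    enroll.enable(1, "alice@example.com")         # constructed sample user
    r["active_before_verify"] = enroll.is_available_for_login(1)
    enroll.send_verification(1)
    code = outbox[-1][1]
    wrong = str((int(code[0]) + 1) % 10) + code[1:]   # differs in first digit
    r["wrong_code"] = enroll.verify(1, wrong)
    r["active_after_wrong"] = enroll.is_available_for_login(1)
    r["right_code"] = enroll.verify(1, code)
    r["active_after_right"] = enroll.is_available_for_login(1)
    r["replay"] = enroll.verify(1, code)          # same code again is rejected
    enroll.enable(2, "bob@example.com")
    enroll.send_verification(2)
    code2 = outbox[-1][1]
    now[0] += CODE_TTL_SECONDS + 1                # let the code expire
    r["expired"] = enroll.verify(2, code2)
    r["active_after_expired"] = enroll.is_available_for_login(2)
    enroll.migrate_legacy(3, "carol@example.com") # pre-existing verified setup
    r["legacy_active"] = enroll.is_available_for_login(3)
    r["mails_sent"] = len(outbox)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design choices are that `active` is a separate flag from "an address is configured", that the code is consumed on first success so it cannot be replayed, and that the comparison is constant-time. Keying the state on the user id and the specific TTL and attempt values are assumptions; the plugin would store the equivalent in user meta.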

Designs

The example below serves as a draft to show how this could potentially look.

Describe alternatives you've considered

stick to current version

Please confirm that you have searched existing issues in this repository.

Yes

Status: In review