
Setup Onboarding Login-Flow (for Enforce 2FA) #813

@masteradhoc

Description


Is your enhancement related to a problem? Please describe.

Currently, Two-Factor configuration exists only as a section within the WordPress “Edit Profile” screen. There are plans to make this settings screen portable for other plugins (e.g., WooCommerce) via #335.

When Enforce 2FA becomes available through a settings option (see #255) or via a filter, users who have not yet configured Two-Factor will effectively be pushed to the default WordPress profile edit screen.

This is suboptimal for several reasons:

  • The profile screen contains many unrelated fields and options (name, email, bio, etc.).
  • There is no clear indication that the user is there specifically because 2FA enrollment is required.
  • The experience is not structured or guided.
  • It creates friction and confusion during login.

This can result in:

  • Users believing they are stuck on the profile edit page without understanding why.
  • Users overlooking the 2FA section entirely.
  • Increased support requests.
  • A forced security policy without proper UX enforcement.

In short, enforcing 2FA without a dedicated enrollment flow creates a fragmented and confusing authentication experience.

Proposed Solution

We need a dedicated login-time 2FA onboarding flow that is triggered automatically when:

  • Enforce 2FA is active, and
  • The user has no configured 2FA methods.

Instead of redirecting users to the generic profile page, the system should:

  1. Intercept the login process after successful username/password validation.
  2. Detect missing 2FA configuration.
  3. Redirect the user to a dedicated 2FA setup wizard.
  4. Block access to wp-admin (or frontend-protected areas) until setup is complete.

This flow should:

  • Be focused exclusively on 2FA setup.
  • Clearly explain why the user is seeing this screen.
  • Guide users step-by-step through method selection and configuration.
  • Prevent bypass until enrollment is completed (unless explicitly allowed by policy).

This ensures that “Enforce 2FA” truly behaves as a security boundary, not just a soft requirement hidden inside profile settings.

Designs

After entering username and password, if 2FA enrollment is required, users should see a dedicated onboarding screen such as:

LearnDash ..
Image TBA

Describe alternatives you've considered

No response

Please confirm that you have searched existing issues in this repository.

Yes
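The four steps of the proposed solution (intercept after password login, detect missing 2FA, redirect to a dedicated wizard, block wp-admin until enrollment is done) map directly onto WordPress hooks. The following is an added illustration, not code from the Two-Factor plugin or from the issue author, of how such a gate could be wired up. It assumes the plugin's static helpers `Two_Factor_Core::is_user_using_two_factor( $user_id )` and `Two_Factor_Core::user_two_factor_options( $user )` ("does the user have any enabled provider" and "render the provider table"), that the plugin persists provider choices on the core `personal_options_update` hook the way profile.php fires it, and that the Enforce 2FA policy is exposed through a hypothetical `two_factor_enforce_enrollment` filter (the setting from #255 does not exist yet). The page slug `two-factor-setup` and the `tf_` function names are likewise invented for the example.

```php
<?php
/**
 * Added example (not code from the Two-Factor plugin): a minimal login-time
 * enrollment gate implementing the four steps proposed in this issue.
 *
 * Labelled assumptions:
 *  - Two_Factor_Core::is_user_using_two_factor( $user_id ) and
 *    Two_Factor_Core::user_two_factor_options( $user ) are the plugin's helpers
 *    for "has any provider enabled" and "render the provider table".
 *  - The plugin saves provider choices on the core `personal_options_update`
 *    hook, so firing that hook persists the wizard form like profile.php does.
 *  - "Enforce 2FA" is read through a hypothetical filter
 *    `two_factor_enforce_enrollment` (the option from #255 does not exist yet).
 * Drop it into wp-content/mu-plugins/ to try it on a test site.
 */

const TF_WIZARD_SLUG = 'two-factor-setup'; // hypothetical admin page slug

/** Steps 1-2: policy says enforce AND the user has no enabled 2FA provider. */
function tf_enrollment_required( WP_User $user ): bool {
	if ( ! class_exists( 'Two_Factor_Core' ) ) {
		return false; // plugin inactive: fail open rather than lock every user out
	}
	$enforced = (bool) apply_filters( 'two_factor_enforce_enrollment', false, $user );
	return $enforced && ! Two_Factor_Core::is_user_using_two_factor( $user->ID );
}

function tf_wizard_url(): string {
	return admin_url( 'admin.php?page=' . TF_WIZARD_SLUG );
}

/** Step 3: password accepted but no 2FA configured -> land on the wizard, not profile.php. */
add_filter( 'login_redirect', function ( $redirect_to, $requested, $user ) {
	return ( $user instanceof WP_User && tf_enrollment_required( $user ) )
		? tf_wizard_url()
		: $redirect_to;
}, 20, 3 );

/** Step 4: every other wp-admin request is bounced to the wizard until enrollment completes. */
add_action( 'admin_init', function () {
	$user = wp_get_current_user();
	if ( ! $user->exists() || ! tf_enrollment_required( $user ) ) {
		return;
	}
	$on_wizard = isset( $_GET['page'] ) && TF_WIZARD_SLUG === sanitize_key( $_GET['page'] );
	// Let the wizard itself, AJAX and admin-post.php through (provider setup may use them).
	if ( $on_wizard || wp_doing_ajax() || 'admin-post.php' === $GLOBALS['pagenow'] ) {
		return;
	}
	wp_safe_redirect( tf_wizard_url() );
	exit;
} );

add_action( 'admin_menu', function () {
	// Capability 'read' so subscribers can reach it; the gate above makes it the only reachable screen.
	$hook = add_menu_page( 'Two-Factor Setup', 'Two-Factor Setup', 'read', TF_WIZARD_SLUG, 'tf_render_wizard' );
	add_action( 'load-' . $hook, 'tf_handle_wizard_post' ); // fires before any output, so redirects work
} );

function tf_handle_wizard_post() {
	if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
		return;
	}
	check_admin_referer( 'tf_wizard', 'tf_wizard_nonce' ); // CSRF guard for the wizard form itself
	$user = wp_get_current_user();
	// Assumption: the plugin's save handlers listen on this core hook, as profile.php fires it.
	do_action( 'personal_options_update', $user->ID );
	if ( ! tf_enrollment_required( $user ) ) {
		wp_safe_redirect( admin_url() ); // a provider is now enabled: release the gate
		exit;
	}
	// Still nothing enabled (e.g. wrong TOTP code): fall through and re-render the wizard.
}

function tf_render_wizard() {
	if ( ! class_exists( 'Two_Factor_Core' ) ) {
		wp_die( 'The Two-Factor plugin is not active.' );
	}
	$user = wp_get_current_user();
	echo '<div class="wrap"><h1>' . esc_html( 'Set up two-factor authentication' ) . '</h1>';
	echo '<p>' . esc_html( 'This site requires two-factor authentication. You cannot continue until at least one method is enabled.' ) . '</p>';
	echo '<form method="post">';
	wp_nonce_field( 'tf_wizard', 'tf_wizard_nonce' );
	Two_Factor_Core::user_two_factor_options( $user ); // assumption: renders the provider table and its own nonce
	submit_button( 'Save and continue' );
	echo '</form></div>';
}
```

Two design points worth noting. The gate lives on `admin_init` rather than only on `login_redirect` because the auth cookie is already set by the time the redirect happens; a user who ignores the redirect and types `/wp-admin/` by hand must still hit the wizard, which is what makes Enforce 2FA a boundary rather than a hint. The check deliberately returns false when the plugin class is missing, so deactivating Two-Factor cannot strand every account; if the policy should instead fail closed, invert that branch. The same `tf_enrollment_required()` test can be attached to `template_redirect` for the front-end protected areas the issue mentions.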

Metadata


Assignees

No one assigned

Projects

Status

Backlog

Relationships

None yet

Development

No branches or pull requests
