Interesting, since the login itself is the only thing being regulated, i am curious if userA logs in as admin using the 2FA number, then userB logs in under the same account and userA gives them the code from their phone.  Then you have two users under the same account.

I use 2FA for alot of my stuff and i suppose if i gave out the code when they logged in it might work.  It would be interesting to test but would have to be on two dif ip.  I dont think using just two dif browsers would be a sufficient test.

correct, its one use for userA and one use for userB and userC ..... and so on    as long as the current code value is shared with whoever needs it, i think it would be possible.

So yes 2FA is very secure if you dont give people codes, but lets say that two friends want to log into admin, the current code can be input, then another code can be shared and input for the second login.  I think that would work.

yes you are right of course however i was looking at it not from a how it works now but how could it work if a admin wanted to let his friend login as admin as well.  And i am talking in general 2FA terms not specifically how this plugin works or does not work.

I currently use two types of 2FA - google authenticator and the instant message version.

I wont go into how each works as most know it and if not there is a youtube of it.  Im sure you are well aware of both.

For both the security lies in the fact that a cell phone of the user is involved for authenication but that can also be bad if you lose your phone or the phone number for some reason.

Since the phone is involved, here is how one might do it IF they wanted their friend to log in to their account at the same time.

User A - logs in gets the code from the phone and finishes the log in.

UserB  - 1 min later from a different location, logs into the same website and regardless of which 2FA they use, calls userA  on the phone and says hey whats your code, (because now userA has a new message with a new code) UserA gives them the code and userB then finishes the login and both are logged in at the same time.

What 2FA does not do is check to see if the user is already logged in to the site and if so it refuses the new code instant message.

Correct :)  which can be stored using cookies or session or db storage. Then just checking OW::getUser()->isAuthenticated( )  upon login. Those stored values can be used for extra validation. Although cookies is not really secure.

Thxs Dave

If i can, do you know of any plugins or a way to easily create video playlist's?

Again thxs Dave.  Be well to you and yours.