Description
Problem
The Two Factor plugin currently works on a voluntary, per-user basis — each user must opt in to configure a second factor themselves. There is no built-in way for a site administrator to require that users in certain roles have 2FA configured before they can access the site.
This gap is consistently the most-requested missing feature in the plugin, surfacing repeatedly across both GitHub and the support forum:
- The support forum has recurring threads asking how to enable 2FA by default for all users or for specific roles (e.g. "Can I by default turn on this feature for all my existing and for new users")
- PR Optionally Force 2fa #239 ("Optionally Force 2FA"), open since 2018, demonstrates sustained community interest — it has 19 👍 reactions and active discussion as recently as March 2026
- WordPress.org itself has enforced 2FA for privileged accounts on make.wordpress.org and plugin/theme committers, signalling this is the direction the ecosystem is heading
- Third-party plugins have made role-based enforcement a headline feature, confirming real demand that the official plugin doesn't currently serve
In the meantime, developers have been working around the gap using the `two_factor_enabled_providers_for_user` filter (see #307 (comment)).
Proposed solution
Add a settings UI (within the existing plugin settings page) that allows administrators to select which user roles require 2FA.
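The enforcement half of that proposal, as an added illustration (not code from PR #239 or from the plugin itself): a small mu-plugin that hard-codes the role list where the proposed settings UI would supply it. It assumes the plugin's `Two_Factor_Core::is_user_using_two_factor()` helper and uses a hypothetical `tf_` prefix for its own functions.

```php
<?php
/**
 * Plugin Name: Require 2FA by role (added example, not part of the Two Factor plugin)
 *
 * Drop into wp-content/mu-plugins/. Logged-in users who hold a required role
 * and have no second factor configured are redirected to their profile page
 * until they set one up. Profile, login/logout, AJAX, cron and REST requests
 * are left alone so the user can actually complete setup.
 */

// Constructed sample role list; the proposed settings screen would provide this.
const TF_REQUIRED_ROLES = array( 'administrator', 'editor' );

/** Does this user hold any role that requires 2FA? */
function tf_user_requires_2fa( WP_User $user ) {
    return (bool) array_intersect( TF_REQUIRED_ROLES, (array) $user->roles );
}

/** Redirect users who must have 2FA but have none configured. */
function tf_enforce_2fa_by_role() {
    if ( ! is_user_logged_in() || ! class_exists( 'Two_Factor_Core' ) ) {
        return;
    }
    if ( wp_doing_ajax() || wp_doing_cron() || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ) {
        return;
    }
    global $pagenow;
    // wp-login.php handles logout; profile.php is where a second factor is configured.
    if ( in_array( $pagenow, array( 'wp-login.php', 'profile.php' ), true ) ) {
        return;
    }
    $user = wp_get_current_user();
    if ( ! tf_user_requires_2fa( $user ) || Two_Factor_Core::is_user_using_two_factor( $user->ID ) ) {
        return;
    }
    wp_safe_redirect( add_query_arg( 'two_factor_required', '1', get_edit_profile_url( $user->ID ) ) );
    exit;
}
add_action( 'init', 'tf_enforce_2fa_by_role', 20 );

/** Explain on the profile page why the user landed there. */
function tf_2fa_required_notice() {
    if ( ! empty( $_GET['two_factor_required'] ) ) {
        echo '<div class="notice notice-error"><p>Your role requires two-factor authentication. '
           . 'Configure a second factor below before continuing.</p></div>';
    }
}
add_action( 'admin_notices', 'tf_2fa_required_notice' );
```

A grace period, as the WP 2FA plugin offers, could be added by storing a deadline in user meta and only redirecting once it has passed.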
Out of scope for this issue
The new onboarding wizard (tracked in #813) is a separate concern. This issue focuses only on the settings option and the enforcement logic. Any integration with the wizard UI can be handled as a follow-up.
Prior art
- PR Optionally Force 2fa #239 — the original implementation from Human Made, which has been in active use in the [humanmade/two-factor fork](https://github.com/humanmade/two-factor) for years
- WordPress VIP — ships role/capability-based enforcement via `wpcom_vip_is_two_factor_forced` and `vip_wsc_forced_mfa_users_additional_capabilities`
- WP 2FA plugin — enforcement by role with grace periods is its primary differentiating feature