
Email Authentication (OTP)

Email Authentication is a two-factor authentication feature that requires users to enter a one-time password (OTP) sent to their registered email address after logging in with their password.

Why Two-Factor Authentication Matters

Single-factor authentication (password only) carries the following risks:

  • Password leaks due to reuse across services
  • Credential theft via phishing sites
  • Password exposure by insiders

With two-factor authentication, even if your password is compromised, login is impossible without access to the email account. SentinelSecurity's email authentication requires no dedicated app installation, making it easy to use even for non-technical users.

Authentication Flow

  1. The user logs in with their username and password as usual
  2. If the password is correct, a 6-digit one-time code is sent via email
  3. An OTP input screen is displayed (with a countdown timer)
  4. The user enters the code received by email
  5. If the code is correct, login is completed

Settings

Setting | Description | Default
Expiration | OTP validity period | 10 minutes
Target Roles | User roles that require OTP | Administrator
Excluded Users | Specific users exempt from OTP | None
Max Attempts | Maximum OTP entry attempts | 3
Resend Cooldown | Waiting period before OTP can be resent | 60 seconds

Configuration

  1. Navigate to SentinelSecurity > Login Security > Email Authentication (OTP)
  2. Toggle the switch to Enabled
  3. Select the target roles
  4. Set the expiration and max attempts
  5. Click Save

Selecting Target Roles

Choose which roles require OTP based on your site's operational needs.

Recommended Settings

Site Type | Recommended Target Roles
Personal Blog | Administrator only
Business Site | Administrator + Editor
E-commerce / Membership Site | Administrator only (exclude regular members)

Regular members and subscribers typically should not be required to complete OTP for every login, as it significantly degrades the user experience.

Email Template Customization (Pro)

The Pro version allows you to customize the subject and body of OTP notification emails.

Available Template Variables

Variable | Content
[code] | One-time password (6 digits)
[expires_at] | Expiration date and time
[username] | Login username
[site_name] | Site name
[site_url] | Site URL
[ip_address] | Login source IP address
[timestamp] | Login attempt date and time

Customization Steps

  1. Navigate to SentinelSecurity > Email Notification Settings
  2. Set the email format to HTML
  3. Edit the subject and body using the TinyMCE editor
  4. Insert template variables with a single click from the buttons on the left

Security Considerations

  • OTP codes are single-use. Once used, they become invalid
  • Expired codes cannot be used
  • Login attempts with IP address mismatches are logged
  • Exceeding the maximum OTP attempts invalidates the session
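
The single-use, expiration, attempt-limit and resend-cooldown rules above, modelled with the default values from the Settings table, as an added PHP example that is not SentinelSecurity's own code. The function names, the HMAC-hashed storage of the code, the constant-time comparison and the choice to void the challenge on the third failed attempt are assumptions made for illustration.

```php
<?php
// Added example: a constructed model, not SentinelSecurity's code.
const OTP_TTL = 600;        // Expiration default: 10 minutes
const OTP_MAX_ATTEMPTS = 3; // Max Attempts default
const OTP_RESEND_WAIT = 60; // Resend Cooldown default: 60 seconds

// Issue a challenge. random_int() uses the OS CSPRNG; only a keyed hash is kept.
function otp_issue(string $key, int $now): array {
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $state = [
        'hash'     => hash_hmac('sha256', $code, $key),
        'issued'   => $now,
        'expires'  => $now + OTP_TTL,
        'attempts' => 0,
        'active'   => true,
    ];
    return [$code, $state]; // $code is handed to the mailer and not stored
}

// Returns 'ok', 'invalid', 'expired' or 'void'; updates $state in place.
function otp_verify(array &$state, string $input, string $key, int $now): string {
    if (!$state['active']) return 'void'; // already used or attempts exhausted
    if ($now >= $state['expires']) { $state['active'] = false; return 'expired'; }
    $state['attempts']++;
    // hash_equals() compares in constant time.
    if (hash_equals($state['hash'], hash_hmac('sha256', $input, $key))) {
        $state['active'] = false; // single-use: a replay of the same code fails
        return 'ok';
    }
    if ($state['attempts'] >= OTP_MAX_ATTEMPTS) $state['active'] = false;
    return 'invalid';
}

function otp_can_resend(array $state, int $now): bool {
    return $now - $state['issued'] >= OTP_RESEND_WAIT;
}

// Constructed walk-through with a fixed clock.
$key = random_bytes(32); $t0 = 1700000000;
$wrong = 'abcdef'; // never equal to a 6-digit code
[$code, $s] = otp_issue($key, $t0);
echo otp_verify($s, $wrong, $key, $t0 + 5), PHP_EOL;  // first wrong guess
echo otp_verify($s, $code, $key, $t0 + 10), PHP_EOL;  // correct code
echo otp_verify($s, $code, $key, $t0 + 15), PHP_EOL;  // replay of the used code
[$code, $s] = otp_issue($key, $t0);
for ($i = 0; $i < 3; $i++) otp_verify($s, $wrong, $key, $t0 + 20); // exhaust attempts
echo otp_verify($s, $code, $key, $t0 + 25), PHP_EOL;  // correct code after lockout
[$code, $s] = otp_issue($key, $t0);
var_dump(otp_can_resend($s, $t0 + 30));               // inside the cooldown
echo otp_verify($s, $code, $key, $t0 + OTP_TTL), PHP_EOL; // at the expiry instant
```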

Troubleshooting

OTP Email Not Received

  • Verify that WordPress email sending is functioning correctly
  • Check the SMTP settings used by wp_mail()
  • Check whether the email is being filtered to the spam folder
  • We recommend using a plugin such as WP Mail SMTP to improve email delivery reliability

"Invalid Code" Error After Entering the Code

  • Verify that you are entering the code within the validity period
  • Check that there are no leading or trailing spaces in the code
  • Use the resend button to request a new code and try again