In some situations, it might be desirable to disable the email authentication fall-back. This means that I would like to allow my users to authenticate only via Google Authenticator, and I would like the link "email verification code" to be disabled.
Why would I like this? Imagine the following scenario (not uncommon):
The user uses the same username and password for his Hotmail account and his Joomla site.
Someone obtains the user's Joomla password via a keylogger or shoulder surfing.
The user authenticates via Google Authenticator, logs in, and believes he's safe.
The hacker later logs into the Joomla site and, when prompted, requests that the verification code be sent to his email account. The hacker logs into his Hotmail account and retrieves the code.
In essence, the email code is not that secure, because it is not "something that you have", as two-factor authentication stipulates. It is convenient, and it might be an acceptable compromise for some people. But for those looking for true 2FA, it would be great if there were a simple checkbox to disable this. The fallback should really be "something that you have". Google does this via one-time codes, second cell phone numbers, etc. But an email is not really something that you have, but rather another thing that you know (the password for the second authentication method). If the hacker knows both things, the account is compromised.
Once again, I'm not against the email fall back. It might be great in some situations. But please add an option to disable it if desired.
A million thanks for the great extension.
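The scenario in the post, modelled in code as an added example (this is not code from the post or from the Joomla extension it discusses). The site, mailbox, user name "alice", password "hunter2" and the `allow_email_fallback` flag are all constructed for illustration; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits, which is what Google Authenticator produces) and the secret is the RFC's own test key. The attacker knows the site password and the reused webmail password but has no authenticator; the example shows that the e-mail fallback lets him through and that a policy switch turning the fallback off stops him, while the real user with the authenticator still gets in either way.

```python
# Added example (not from the post or the Joomla extension it discusses):
# a minimal two-factor login model with a Google-Authenticator-style TOTP
# second factor (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) and an e-mail
# one-time-code fallback that a hypothetical site-level policy flag switches off.
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed test secret: the RFC 6238 key "12345678901234567890" in base32.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password as generated by Google Authenticator."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class Mailbox:
    """Hypothetical webmail account: readable by anyone who knows its password."""

    def __init__(self, password: str):
        self.password = password
        self.messages: list[str] = []

    def read(self, password: str) -> list[str]:
        if not hmac.compare_digest(password, self.password):
            raise PermissionError("bad mailbox password")
        return list(self.messages)


class Site:
    """Hypothetical site login: password + TOTP, with an optional e-mail fallback."""

    def __init__(self, allow_email_fallback: bool):
        self.allow_email_fallback = allow_email_fallback  # the requested checkbox
        self.users: dict[str, dict] = {}
        self.pending_email_codes: dict[str, str] = {}

    def register(self, username: str, password: str, totp_secret: str, mailbox: Mailbox) -> None:
        self.users[username] = {"password": password, "secret": totp_secret, "mailbox": mailbox}

    def _password_ok(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(password, user["password"])

    def request_email_code(self, username: str) -> bool:
        """The 'email verification code' link. Returns False when policy disables it."""
        if not self.allow_email_fallback or username not in self.users:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_email_codes[username] = code
        self.users[username]["mailbox"].messages.append(f"Your verification code is {code}")
        return True

    def login(self, username: str, password: str, second_factor: str, now: int) -> bool:
        if not self._password_ok(username, password):
            return False
        user = self.users[username]
        if hmac.compare_digest(second_factor, totp(user["secret"], now)):
            return True  # "something you have": the authenticator
        pending = self.pending_email_codes.pop(username, None)  # single use
        return (self.allow_email_fallback and pending is not None
                and hmac.compare_digest(second_factor, pending))


def attacker_gets_in(allow_email_fallback: bool, now: int = 1234567890) -> bool:
    """Constructed scenario from the post: the attacker knows the site password,
    which the user also reuses for webmail, but has no authenticator."""
    mailbox = Mailbox("hunter2")
    site = Site(allow_email_fallback)
    site.register("alice", "hunter2", TEST_SECRET, mailbox)
    if not site.request_email_code("alice"):
        return False  # no fallback link offered: stuck at the second factor
    code = mailbox.read("hunter2")[-1].split()[-1]  # reads the user's inbox
    return site.login("alice", "hunter2", code, now)


def legitimate_login(allow_email_fallback: bool, now: int = 1234567890) -> bool:
    """The real user, holding the authenticator, gets in under either policy."""
    site = Site(allow_email_fallback)
    site.register("alice", "hunter2", TEST_SECRET, Mailbox("hunter2"))
    return site.login("alice", "hunter2", totp(TEST_SECRET, now), now)
```

Two design points worth noting: the e-mail code is consumed on first use so a retrieved code cannot be replayed, and the policy check sits in both `request_email_code` (so the link is never offered) and `login` (so a stale pending code cannot be accepted after the flag is turned off).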