WordPress · kasparsd · Jan 21, 2026 · Dec 19, 2025 · Dec 19, 2025 · Dec 23, 2025
diff --git a/providers/class-two-factor-backup-codes.php b/providers/class-two-factor-backup-codes.php
@@ -356,11 +356,14 @@ public function authentication_page( $user ) {
 		$code_placeholder = str_repeat( 'X', $code_length );
 
 		?>
+		<?php do_action( 'two_factor_before_authentication_prompt', $this ); ?>
 		<p class="two-factor-prompt"><?php esc_html_e( 'Enter a recovery code.', 'two-factor' ); ?></p>
+		<?php do_action( 'two_factor_after_authentication_prompt', $this ); ?>
 		<p>
 			<label for="authcode"><?php esc_html_e( 'Recovery Code:', 'two-factor' ); ?></label>
 			<input type="text" inputmode="numeric" name="two-factor-backup-code" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" placeholder="<?php echo esc_attr( $code_placeholder ); ?>" data-digits="<?php echo esc_attr( $code_length ); ?>" />
 		</p>
+		<?php do_action( 'two_factor_after_authentication_input', $this ); ?>
 		<?php
 		submit_button( __( 'Verify', 'two-factor' ) );
 	}

diff --git a/providers/class-two-factor-dummy.php b/providers/class-two-factor-dummy.php
@@ -43,7 +43,10 @@ public function get_label() {
 	public function authentication_page( $user ) {
 		require_once ABSPATH . '/wp-admin/includes/template.php';
 		?>
+		<?php do_action( 'two_factor_before_authentication_prompt', $this ); ?>
 		<p><?php esc_html_e( 'Are you really you?', 'two-factor' ); ?></p>
+		<?php do_action( 'two_factor_after_authentication_prompt', $this ); ?>
+		<?php do_action( 'two_factor_after_authentication_input', $this ); ?>
 		<?php
 		submit_button( __( 'Yup.', 'two-factor' ) );
 	}

diff --git a/providers/class-two-factor-email.php b/providers/class-two-factor-email.php
@@ -327,12 +327,15 @@ public function authentication_page( $user ) {
 
 		require_once ABSPATH . '/wp-admin/includes/template.php';
 		?>
+		<?php do_action( 'two_factor_before_authentication_prompt', $this ); ?>
 		<p class="two-factor-prompt"><?php esc_html_e( 'A verification code has been sent to the email address associated with your account.', 'two-factor' ); ?></p>
+		<?php do_action( 'two_factor_after_authentication_prompt', $this ); ?>
 		<p>
 			<label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
 			<input type="text" inputmode="numeric" name="two-factor-email-code" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" autocomplete="one-time-code" placeholder="<?php echo esc_attr( $token_placeholder ); ?>" data-digits="<?php echo esc_attr( $token_length ); ?>" />
-			<?php submit_button( __( 'Verify', 'two-factor' ) ); ?>
 		</p>
+		<?php do_action( 'two_factor_after_authentication_input', $this ); ?>
+		<?php submit_button( __( 'Verify', 'two-factor' ) ); ?>
 		<p class="two-factor-email-resend">
 			<input type="submit" class="button" name="<?php echo esc_attr( self::INPUT_NAME_RESEND_CODE ); ?>" value="<?php esc_attr_e( 'Resend Code', 'two-factor' ); ?>" />
 		</p>

diff --git a/providers/class-two-factor-fido-u2f.php b/providers/class-two-factor-fido-u2f.php
@@ -179,7 +179,10 @@ public function authentication_page( $user ) {
 		wp_enqueue_script( 'fido-u2f-login' );
 
 		?>
+		<?php do_action( 'two_factor_before_authentication_prompt', $this ); ?>
 		<p><?php esc_html_e( 'Now insert (and tap) your Security Key.', 'two-factor' ); ?></p>
+		<?php do_action( 'two_factor_after_authentication_prompt', $this ); ?>
+		<?php do_action( 'two_factor_after_authentication_input', $this ); ?>
 		<input type="hidden" name="u2f_response" id="u2f_response" />
 		<?php
 	}

diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
@@ -687,13 +687,16 @@ public function is_available_for_user( $user ) {
 	public function authentication_page( $user ) {
 		require_once ABSPATH . '/wp-admin/includes/template.php';
 		?>
+		<?php do_action( 'two_factor_before_authentication_prompt', $this ); ?>
 		<p class="two-factor-prompt">
 			<?php esc_html_e( 'Enter the code generated by your authenticator app.', 'two-factor' ); ?>
 		</p>
+		<?php do_action( 'two_factor_after_authentication_prompt', $this ); ?>
 		<p>
 			<label for="authcode"><?php esc_html_e( 'Authentication Code:', 'two-factor' ); ?></label>
 			<input type="text" inputmode="numeric" autocomplete="one-time-code" name="authcode" id="authcode" class="input authcode" value="" size="20" pattern="[0-9 ]*" placeholder="123 456" autocomplete="one-time-code" data-digits="<?php echo esc_attr( self::DEFAULT_DIGIT_COUNT ); ?>" />
 		</p>
+		<?php do_action( 'two_factor_after_authentication_input', $this ); ?>
 		<script type="text/javascript">
 			setTimeout( function(){
 				var d;

diff --git a/readme.txt b/readme.txt
@@ -33,6 +33,9 @@ Here is a list of action and filter hooks provided by the plugin:
 - `two_factor_email_token_length` filter overrides the default 8 character count for email tokens.
 - `two_factor_backup_code_length` filter overrides the default 8 character count for backup codes. Provides the `WP_User` of the associated user as the second argument.
 - `two_factor_rest_api_can_edit_user` filter overrides whether a user’s Two-Factor settings can be edited via the REST API. First argument is the current `$can_edit` boolean, the second argument is the user ID.
+- `two_factor_before_authentication_prompt` action which receives the provider object and fires prior to the prompt shown on the authentication input form.
+- `two_factor_after_authentication_prompt` action which receives the provider object and fires after the prompt shown on the authentication input form.
+- `two_factor_after_authentication_input`action which receives the provider object and fires after the input shown on the authentication input form (if form contains no input, action fires immediately after `two_factor_after_authentication_prompt`).
 
 == Frequently Asked Questions ==