=== Holovid® Secure Connect ===

Contributors: holovid2
Tags: 2fa, two-factor, security, authentication, anti-phishing
Requires at least: 5.8
Tested up to: 7.0
Stable tag: 1.2.14
Requires PHP: 7.4
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Two-factor authentication: TOTP codes or codeless Secure Connect login. Anti-phishing, encrypted secrets, no external dependencies.

== Description ==

Do you have a WordPress site that you want to protect from hackers? This plugin is made for you!

Today, a simple password is no longer enough. Hackers have tools to guess, steal or intercept them. Two-factor authentication (2FA) is like adding an extra lock to your door: even if someone finds your key, they cannot get in without the second lock.

Holovid® Secure Connect offers you two ways to protect your site:

- TOTP mode (temporary code)

A 6-digit code that changes every 30 seconds. You find it in the Holovid® ID app on your phone (or in Google Authenticator, Authy, etc.). You type the code, and you are in. It is the most common system, compatible with all authenticator apps.

- Secure Connect mode (codeless)

This one is even simpler: you do not type anything at all. A QR Code appears on your WordPress login page, you scan it with the Holovid® ID app, you confirm with a tap on your phone, and you are logged in. Fast, effortless.

But Secure Connect is not just convenient. It protects you against a particularly sneaky category of attacks: proxy phishing (adversary-in-the-middle or "AiTM" attacks, carried out with kits such as Tycoon 2FA or EvilProxy). These attacks put a fake copy of your login page in front of you to intercept your TOTP code in real time and replay it. With Secure Connect, this technique does not work, because the signature is bound to the real domain of your site.

Both modes can coexist on your site. Each user chooses the one they prefer from their profile.
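To show what "bound to the real domain" buys against a proxied login page, here is a deliberately simplified model added for this page; it is not the plugin's code or the Holovid® protocol. It assumes the challenge carries the origin of the page that requested it, and the phone's signature is stood in for by an HMAC under a key shared with the verifier; domain names and keys are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model; not the Holovid protocol. The device "signature"
# is an HMAC under a key shared with the verifier, standing in for the phone's key.
REGISTERED_DOMAIN = "shop.example"          # constructed: the real WordPress site
PROXY_DOMAIN = "shop-example.login.test"    # constructed: an AiTM copy of the login page

def issue_challenge(origin: str) -> dict:
    """Server side: a fresh nonce tied to the origin of the page that requested it."""
    return {"nonce": secrets.token_hex(16), "origin": origin}

def device_sign(device_key: bytes, challenge: dict) -> str:
    """Phone side: sign nonce and origin together, so the origin cannot be swapped later."""
    msg = f"{challenge['nonce']}|{challenge['origin']}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def verify_login(device_key: bytes, challenge: dict, signature: str,
                 registered_domain: str = REGISTERED_DOMAIN) -> bool:
    """Server side: accept only a valid signature whose bound origin is the registered site."""
    if challenge["origin"] != registered_domain:
        return False
    return hmac.compare_digest(device_sign(device_key, challenge), signature)

def relay_attempt(device_key: bytes) -> dict:
    """Walk through a proxied login: the copy of the page obtains a challenge for its
    own origin, the victim approves it on the phone, and the proxy forwards the result.
    Returns the verifier's decision for each variant."""
    ch = issue_challenge(PROXY_DOMAIN)
    sig = device_sign(device_key, ch)          # victim taps "confirm" on the phone
    genuine = issue_challenge(REGISTERED_DOMAIN)
    return {
        # forwarded unchanged: bound origin is the proxy, not the registered site
        "relayed_as_is": verify_login(device_key, ch, sig),
        # proxy rewrites the origin after signing: the MAC no longer matches
        "origin_rewritten": verify_login(device_key, dict(ch, origin=REGISTERED_DOMAIN), sig),
        # the honest path still works
        "genuine_login": verify_login(device_key, genuine, device_sign(device_key, genuine)),
    }
```

A TOTP code carries no such binding, which is why the same proxy can relay it unchanged.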

= What makes this plugin different =

- Two levels of protection to choose from: a classic temporary code or a codeless login from your phone.
- Resistant to proxy phishing: Secure Connect prevents hackers from intercepting your authentication, even if they copy your login page.
- Nothing leaves your server: TOTP mode works without calling any external service. The QR Code is generated directly by your server, in pure PHP, without going through Google or any other service.
- Your secrets are encrypted: TOTP keys are protected with AES-256-GCM encryption in your database. Even if the database leaks, they remain unreadable.
- One device = one account: each WordPress account is linked to a single phone. If someone tries to log in with a different device, the plugin detects it and denies access.
- Backup codes: in TOTP mode, 10 single-use codes are generated in case you lose your phone.
- Lightweight and dependency-free: no external library, no third-party service on the TOTP side. The plugin does everything itself.
- French and English: the interface automatically adapts to your WordPress language.

= In a nutshell =

| | TOTP (temporary code) | Secure Connect (codeless) |
|---|---|---|
| How does it work? | You type a 6-digit code | You scan a QR Code and confirm |
| Compatible with other apps? | Yes (Google Authenticator, Authy, etc.) | No, Holovid® ID only |
| Works offline? | Yes | No (requires internet) |
| Resistant to proxy phishing? | No | Yes |
| Backup codes? | Yes (10 codes) | No (an administrator can deactivate Secure Connect on the account instead) |

== Installation ==

It is quick, about 2 minutes:

1. In your WordPress admin, go to: Plugins > Add New
2. Click "Upload Plugin", choose the ZIP file, then click "Install Now"
3. Activate the plugin
4. Go to your Profile (top right, click your name, then "Edit Profile")
5. Scroll down to the "Holovid® ID" section

To activate TOTP mode:

- Click "Enable TOTP 2FA"
- Scan the QR Code that appears with the Holovid® ID app (or another authenticator app)
- Enter the 6-digit code to confirm
- Write down the 10 backup codes somewhere safe (on paper, for example). If you lose your phone, these are what will let you log back in.

To activate Secure Connect mode:

- Click "Enable Holovid® Secure Connect"
- Scan the QR Code with the Holovid® ID app
- Confirm the registration on your phone
- That is it. Next time you log in, a QR Code will automatically appear on the login page.

== Frequently Asked Questions ==

= I already use Google Authenticator, does it work? =

Yes. TOTP mode uses the same standard as Google Authenticator, Authy, Microsoft Authenticator and all similar apps. If you are used to these apps, you will feel right at home.
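That shared standard is RFC 6238 (TOTP) built on RFC 4226 (HOTP). The verifier below is an added example written for this page, not code from the plugin; it assumes the 6-digit, 30-second parameters described above, accepts the adjacent time steps to absorb clock drift, and keeps a per-user last-accepted step so an intercepted code cannot be replayed within its lifetime.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # code length used by TOTP mode
STEP = 30    # seconds per time step
WINDOW = 1   # also accept the adjacent steps to absorb small clock drift

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step)

def verify_totp(secret: bytes, code: str, now: int, last_step: int,
                window: int = WINDOW) -> tuple:
    """Check a submitted code against the current and adjacent time steps.

    last_step is the most recent step already accepted for this user (store it
    per user; -1 if none). A matching code is accepted once only, so a code
    captured and replayed within its 30 s lifetime is refused.
    Returns (ok, new_last_step)."""
    current = int(now) // STEP
    for step in range(current - window, current + window + 1):
        if step <= last_step:
            continue  # this step (or an older one) has already been consumed
        if hmac.compare_digest(hotp(secret, step), code):
            return True, step
    return False, last_step
```

The test vectors in RFC 6238 Appendix B (secret `12345678901234567890`, SHA-1) reproduce with this code once truncated to 6 digits.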

= What is the difference between TOTP and Secure Connect, in practice? =

With TOTP, you open your app, read a 6-digit code, and type it on your site. It is simple and it works well.

With Secure Connect, you do not type anything. A QR Code appears, you scan it, you confirm on your phone, and you are in. On top of being faster, Secure Connect protects you against proxy attacks (when a hacker creates a copy of your login page to steal your code in real time). TOTP does not protect against that.

= Is my data safe? =

Yes. TOTP secrets are encrypted with AES-256-GCM (an encryption standard used in banking and military applications) directly in your database. Secure Connect keys are generated and stored on your phone, in the system's secure keychain (Keychain on iPhone, Keystore on Android). They never leave your device.

= I lost my phone, what do I do? =

In TOTP mode: use one of your 10 backup codes to log in. If you had a Holovid® Cloud backup, you can also restore your accounts on a new phone.

In Secure Connect mode: ask a site administrator to deactivate Secure Connect on your account (from your WordPress profile). Then you can reactivate it with your new phone.

= Can I use Secure Connect on two phones? =

No, one phone per account. This is a security choice: if someone steals your credentials, they cannot register their own phone as long as yours is active. To switch phones, deactivate Secure Connect from your profile, then reactivate it with the new one.

= Does Secure Connect need internet? =

Yes. When you scan the QR Code, your phone communicates with the Holovid® ID server (hosted in France) to verify the signature. TOTP mode, on the other hand, works completely offline.

= Does it slow down my site? =

No. The plugin only loads its scripts on the login page and on the profile page. It does not touch the rest of your site. On the TOTP side, everything is calculated locally, with no network calls.

= Is it free? =

Yes, the plugin is entirely free and will remain so.

== Screenshots ==

1. The Holovid® ID section in the user profile, with both modes side by side: TOTP on the left, Secure Connect on the right
2. TOTP setup: the QR Code to scan with your authenticator app
3. 6-digit code verification to activate two-factor authentication
4. The 10 backup codes to write down after TOTP activation
5. Secure Connect registration: the QR Code to scan with Holovid® ID to link your phone
6. WordPress login page with the Secure Connect QR Code (codeless mode)
7. WordPress login page with the TOTP input field and the 30-second countdown

== External services ==

This plugin connects to the Holovid® ID server for the Secure Connect (codeless) authentication mode. The TOTP mode does not use any external service.

= Holovid® ID API (api.holovid.net) =

When Secure Connect is enabled, the plugin communicates with the Holovid® ID API hosted in Gravelines, France, in the following situations:

- **Registration**: when a user activates Secure Connect, the plugin requests a cryptographic challenge from the API. The site domain name is sent.
- **Login**: when a user logs in with Secure Connect, the plugin polls the API to check whether the user has confirmed the authentication on their phone. The challenge nonce and session token are sent.
- **Device verification**: when a device change is detected, the plugin checks with the API whether the previous device registration is still active. The account identifier and site domain are sent.
- **Login page**: the Secure Connect login page loads a JavaScript SDK from the API server to display the QR Code and handle the authentication flow.

No personal data (name, email, password) is ever sent to the API. Only cryptographic identifiers (nonce, session token, account ID) and the site domain are transmitted.

This service is provided by Holovid SAS (Bergerac, France).

- [Terms of Service](https://holovid.cloud/conditions-generales-dutilisation/)
- [Privacy Policy](https://holovid.cloud/politiques/)

== Changelog ==

= 1.2.12 =
* WordPress 7.0 compatibility
* WordPress Plugin Check compliance (escaping, enqueued scripts, input sanitization)

= 1.2.11 =
* Rebranding: HoloID becomes Holovid® ID throughout the plugin
* Text-domain migration to holovid-secure-connect
* WordPress 6.9 compatibility

= 1.2.10 =
* Minor bug fixes

= 1.2.9 =
* Minor bug fixes

= 1.2.8 =
* Full internationalization of the plugin (French and English)
* Translation files .pot / .po / .mo

= 1.2.7 =
* Added Holovid® Secure Connect logo on the login page
* Secure device verification: on device change, the plugin checks with the server whether the previous registration is still active
* Full login field hiding on the Secure Connect page

= 1.2.6 =
* Redesigned admin interface (two columns, glassmorphism modals)
* Secure Connect registration QR generation directly from the profile
* Cross-device freeze bug fix
* Security fix: account_id validation in WordPress polling

= 1.2.0 =
* New Holovid® Secure Connect mode (codeless authentication, anti-AiTM)
* SovereignAuth JavaScript SDK integration
* Device binding per WordPress account
* Both modes (TOTP / Secure Connect) coexist

= 1.1.0 =
* PHP QR generator rewritten (versions 1-10, Reed-Solomon)
* Multilingual support (FR/EN)
* WordPress 6.7 compatibility

= 1.0.1 =
* Improved and enlarged QR Code
* QR generator fix

= 1.0.0 =
* Initial release, TOTP mode only