=== Rishav AuthNova OTP ===
Contributors: rishav001
Tags: otp, two factor, login security, sms, email verification
Requires at least: 5.8
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

OTP verification for WordPress login, registration, and password reset using email and SMS delivery.

== Description ==

Rishav AuthNova OTP adds a one-time-password verification layer to core WordPress authentication flows.

Features include:

* Configurable OTP length and charset (numeric or alphanumeric)
* OTP expiry and retry limits with temporary lockouts
* Login OTP verification step (after password check)
* OTP-gated registration flow
* OTP-gated password reset flow
* Delivery via wp_mail, SendGrid, and Twilio
* OTP storage using hashes (never plaintext)
* Resend OTP with cooldown and challenge rotation

Security highlights:

* OTP values are hashed before storage and are never saved as plaintext
* OTP hashes use keyed HMAC storage and constant-time verification
* OTP challenges expire automatically and enforce retry limits per challenge
* Request throttling applies cooldown and exponential backoff per IP and identifier
* Lockout windows reduce repeated invalid OTP submissions
* Nonces are applied on sensitive form submissions
* Public auth responses are intentionally generic to reduce account-enumeration leakage
* Delivery uses synchronous-first send with bounded async retry fallback and challenge-level delivery status tracking

Security limitations:

* This plugin does not replace passwords, HTTPS, WAF/rate-limiting at the edge, or secure hosting controls
* OTP delivery depends on the configured email/SMS provider uptime and deliverability
* Administrators should combine this plugin with standard WordPress hardening and monitoring

Reliability notes:

* OTP delivery is attempted synchronously first to reduce silent failures
* If synchronous delivery fails and background delivery is healthy, the plugin schedules bounded retries
* If background delivery is unhealthy (for example DISABLE_WP_CRON), fallback queueing is skipped and users receive a retry-safe error
* Resend cooldown state is server-authoritative and exposed through a status endpoint used by the frontend countdown UX
* The background queue payload contains only the challenge ID (no raw OTP or destination data)

== External Services ==

This plugin can connect to third-party services to deliver OTP messages. These services are optional and only used if enabled in plugin settings.

= Twilio (SMS Delivery) =

* Service: Twilio Programmable Messaging API
* Purpose: Send OTP codes by SMS
* Data sent: destination phone number, sender phone number, OTP message text, account SID for authentication
* Credential handling: Twilio credentials are stored in WordPress options and used only when sending OTP messages
* When sent: when the OTP delivery method includes SMS and an OTP is generated for login, registration, password reset, or resend
* Why sent: to deliver time-sensitive OTP codes to the user by SMS
* Terms of Service: https://www.twilio.com/legal/tos
* Privacy Policy: https://www.twilio.com/en-us/legal/privacy

= SendGrid (Email Delivery) =

* Service: SendGrid Mail Send API
* Purpose: Send OTP codes by email
* Data sent: recipient email address, sender email/name, message subject, OTP message body, API key for authentication
* Credential handling: the SendGrid API key is stored in WordPress options and used only when sending OTP messages
* When sent: when the email provider is set to SendGrid and an OTP is generated for login, registration, password reset, or resend
* Why sent: to deliver time-sensitive OTP codes to the user by email
* Terms of Service: https://sendgrid.com/policies/terms/
* Privacy Policy: https://sendgrid.com/policies/privacy/

== Installation ==

1. Upload the plugin folder to /wp-content/plugins/.
2. Activate the plugin through the Plugins screen in WordPress.
3. Go to Settings > OTP Authentication.
4. Configure OTP rules and delivery providers.

== Configuration ==

1. Set OTP length, type, expiry, retry limit, and lockout duration.
2. Choose delivery method: Email, SMS, or Both.
3. Configure provider credentials for SendGrid and/or Twilio if needed.
4. Enable or disable OTP on login, registration, and password reset flows.

== Frequently Asked Questions ==

= Does this plugin store OTP values in plain text? =

No. OTP values are hashed before storage and verified using hash comparison.

= Can I use SMS delivery? =

Yes. Twilio is supported for SMS delivery.

= Can I use email API delivery? =

Yes. SendGrid API is supported, and wp_mail is available as a fallback.

= Does this work with the default wp-login.php flow? =

Yes. The plugin integrates with WordPress login, registration, and lost-password actions.

= What user field is used for phone numbers? =

By default, the plugin reads the phone_number user meta. You can change the meta key in plugin settings.

== Screenshots ==

1. Admin settings page for OTP rules and providers.
2. OTP verification screen during login.
3. OTP-gated registration and password reset flows.

== Changelog ==

= 1.0.0 =

* Initial release.
* Added OTP flows for login, registration, and reset.
* Added SendGrid and Twilio integrations.
* Added resend cooldown UX and secure challenge rotation.
* Added configurable OTP policy controls in the admin settings page.

== Upgrade Notice ==

= 1.0.0 =

Initial stable release.
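The following is an added illustration of the challenge model described under "Security highlights" (hashed OTP with a keyed HMAC, constant-time verification, expiry, per-challenge retry limit, single use). It is example code written for this README, not the plugin's own implementation; the key constant, the limits and the function names are assumptions, and a real deployment would bind the HMAC to a secret such as AUTH_KEY and persist the challenge array in a transient or table.

```php
<?php
// Added example, not plugin code. Constructed demo key: replace with a real secret (e.g. AUTH_KEY).
const OTP_HMAC_KEY     = 'constructed-demo-key-do-not-use';
const OTP_LENGTH       = 6;
const OTP_TTL_SECONDS  = 300;
const OTP_MAX_ATTEMPTS = 5;

function otp_generate_numeric(int $length): string {
    // random_int is a CSPRNG; zero-padding keeps leading zeros so the code is always $length digits.
    return str_pad((string) random_int(0, (10 ** $length) - 1), $length, '0', STR_PAD_LEFT);
}

function otp_hash(string $code, string $challenge_id): string {
    // Keyed HMAC bound to the challenge ID: a stored hash is useless without the key
    // and cannot be replayed against a different challenge.
    return hash_hmac('sha256', $challenge_id . ':' . $code, OTP_HMAC_KEY);
}

function otp_create_challenge(string $challenge_id, int $now): array {
    $code = otp_generate_numeric(OTP_LENGTH);
    $challenge = [
        'id'       => $challenge_id,
        'hash'     => otp_hash($code, $challenge_id), // only the hash is stored, never the code
        'expires'  => $now + OTP_TTL_SECONDS,
        'attempts' => 0,
        'used'     => false,
    ];
    return [$challenge, $code]; // $code goes to the delivery channel (email/SMS) only
}

function otp_verify(array &$challenge, string $submitted, int $now): string {
    if ($challenge['used'])                            return 'used';
    if ($now > $challenge['expires'])                  return 'expired';
    if ($challenge['attempts'] >= OTP_MAX_ATTEMPTS)    return 'locked';
    $challenge['attempts']++; // count before comparing so a failed submit always costs an attempt
    // hash_equals compares in constant time, avoiding timing leaks on the stored hash.
    if (!hash_equals($challenge['hash'], otp_hash($submitted, $challenge['id']))) {
        return $challenge['attempts'] >= OTP_MAX_ATTEMPTS ? 'locked' : 'invalid';
    }
    $challenge['used'] = true; // single use; a resend must rotate to a fresh challenge ID
    return 'ok';
}

// Usage with constructed timestamps: the first challenge is checked after its TTL, the second in time.
$t0 = 1700000000;
[$stale, $code1] = otp_create_challenge('chal-demo-1', $t0);
echo otp_verify($stale, $code1, $t0 + OTP_TTL_SECONDS + 1), "\n"; // expired
[$fresh, $code2] = otp_create_challenge('chal-demo-2', $t0);
echo otp_verify($fresh, $code2, $t0 + 10), "\n";                  // ok
echo otp_verify($fresh, $code2, $t0 + 11), "\n";                  // used (no replay)
```

Request-level throttling per IP and identifier, and the lockout window after repeated failures, sit outside this per-challenge state and would be layered on top of it.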