First, you need to understand what exactly 2-Factor Authentication is; you can read this blog post explaining that.
The Shield Security Plugin has integrated, easy-to-use two-factor authentication. By forcing users to confirm their identity, it locks down WordPress account access to the verified account owners only.
When 2-factor authentication by email is enabled, and a user attempts to log into their account, the system will ask:
- Does the user have a valid, two-factor authentication session that was set by the plugin?
- If so, it will query the database for the unique authentication code that the cookie should have and try to match them.
If the answer is 'Yes' and the stored authentication code is valid, then the login will be permitted.
If the answer is 'No', login will be temporarily rejected.
This effectively tells the Shield plugin that:
- The person with that email address, connecting to the site using this particular browser, is actually who they say they are.
In this way, you determine that every user that logs in is valid.
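The check described above can be modelled as follows. This is an added example and not the Shield plugin's own code: the function names, the in-memory `_db` standing in for the database, and the validity window are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SESSION_TTL = 24 * 3600  # assumed validity window, in seconds
_db = {}  # constructed stand-in for the database: username -> record


def _h(code):
    """Hash a code so the clear value is never stored server-side."""
    return hashlib.sha256(code.encode()).hexdigest()


def start_verification(user, now):
    """Login without a valid cookie: create the code to email to the user."""
    code = secrets.token_urlsafe(24)
    _db[user] = {"hash": _h(code), "verified": False,
                 "expires": now + SESSION_TTL}
    return code  # sent by email only


def confirm_from_email(user, code, now):
    """User confirms from the email in this browser; returns the cookie value."""
    rec = _db.get(user)
    if rec and now < rec["expires"] and hmac.compare_digest(rec["hash"], _h(code)):
        rec["verified"] = True
        return code  # set as the browser cookie
    return None


def check_login(user, cookie, now):
    """Match the cookie's code against the stored one, in constant time."""
    rec = _db.get(user)
    if (cookie and rec and rec["verified"] and now < rec["expires"]
            and hmac.compare_digest(rec["hash"], _h(cookie))):
        return "permit"
    return "reject"  # temporarily rejected until the email is confirmed
```

A forged, expired, unconfirmed or another user's cookie all take the same `reject` path, so the caller learns nothing about which condition failed.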
What if you haven't received the user verification email?
To learn how to set up 2-Factor Authentication by email properly, please read this step-by-step settings article.