Hello,
My team has been using the Authorizer plugin for the last few years, primarily for sites we build for colleges. We always try to force SSO (disable WordPress logins entirely) to align with the organization's security policies.
The challenge
There are two issues we run into which result in us having to "downgrade" the site's SSO settings from our preferred "Disable WordPress Logins" to the "Hide WordPress Logins" setting:
- The client needs to provide a vendor with temporary access, most commonly a short-term contractor, or a support agent for a plugin/theme.
- A new hire hasn't received their org email address, but the client wants them able to work within WordPress.
While not disastrous, the change to "Hide WordPress Logins" results in any WordPress account being accessible via username/password. Our intent is almost always to only allow a single or small subset of users to bypass SSO. When combined with WordPress's public user lists (/wp-json/wp/v2/users), the change makes it easier for a bot or a malicious actor to try user/pass combos (credential stuffing, etc.) using the example.com/wp-login.php?external=wordpress URL.
Potential solution
We currently have this built as a standalone plugin which integrates with Authorizer. We'd be happy to share if there was interest in building something like this into the Authorizer plugin directly.
The way it functions is when a site has the "Hide WordPress Logins" setting checked it doesn't allow a user to log in unless they've been specifically allowed (via user meta):

Once a user is set to allowed they show up on a "Bypass User List" sub-page under the Authorizer settings. We felt it was important to provide site admins a bird's eye view of which users are currently able to bypass SSO, or it would be too easy to lose track:

With the plugin enabled, if a user/pass were used on an account that does not have "Allow WordPress Login" set to enabled they'll see an error on the login page:

In concept, this same approach could also be extended into Roles where an admin could never bypass SSO, but an Author could. Wordfence provides these types of controls when setting up 2FA, although we haven't explored role integration since our needs are primarily user specific.
Let me know if I can provide any clarification or additional background.
Thanks
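The per-user allow-list and the optional per-role restriction described in this issue can be sketched as a small WordPress mu-plugin. The following is an added illustration, not the issue author's plugin and not Authorizer's own code; the meta key `auth_bypass_sso`, the `example_` function names and the never-bypass role list are assumptions chosen for the example. It hooks `wp_authenticate_user`, which WordPress only applies on the username/password (and email/password) path, so SSO logins handled elsewhere are unaffected and only password logins are gated.

```php
<?php
/**
 * Added example (not the issue author's plugin, not Authorizer's code).
 * Only users explicitly flagged in user meta, and not holding a role on the
 * never-bypass list, may authenticate with a WordPress password.
 *
 * Assumptions: the user-meta key and the role list below are hypothetical.
 */

defined( 'ABSPATH' ) || exit;

// Hypothetical user-meta key; '1' means the user may bypass SSO.
const EXAMPLE_BYPASS_META_KEY = 'auth_bypass_sso';

// Roles that may never bypass SSO, mirroring the role idea in the issue
// (administrators always go through SSO, lower roles may be allowed per user).
const EXAMPLE_ROLES_NEVER_BYPASS = array( 'administrator' );

/**
 * Return true only when the user is flagged in user meta and none of the
 * user's roles is on the never-bypass list.
 */
function example_user_may_bypass_sso( WP_User $user ): bool {
	foreach ( $user->roles as $role ) {
		if ( in_array( $role, EXAMPLE_ROLES_NEVER_BYPASS, true ) ) {
			return false;
		}
	}
	return '1' === get_user_meta( $user->ID, EXAMPLE_BYPASS_META_KEY, true );
}

/**
 * wp_authenticate_user runs inside wp_authenticate_username_password() and
 * wp_authenticate_email_password() after the account is found and before the
 * password is checked. Returning WP_Error fails the password login; SSO
 * logins that never take this path are untouched.
 */
function example_restrict_password_login( $user, $password ) {
	if ( ! $user instanceof WP_User ) {
		return $user; // earlier filter already produced an error; pass it on
	}
	if ( example_user_may_bypass_sso( $user ) ) {
		return $user;
	}
	return new WP_Error(
		'sso_required',
		__( 'This account must sign in through single sign-on.', 'example' )
	);
}
add_filter( 'wp_authenticate_user', 'example_restrict_password_login', 10, 2 );

/**
 * Bird's-eye view for admins: every user currently flagged to bypass SSO.
 * Uses a standard WP_User_Query meta lookup; suitable for a settings sub-page.
 *
 * @return WP_User[]
 */
function example_list_bypass_users(): array {
	return get_users(
		array(
			'meta_key'   => EXAMPLE_BYPASS_META_KEY,
			'meta_value' => '1',
			'orderby'    => 'login',
		)
	);
}

/**
 * Helpers to grant or revoke the bypass flag (for an admin-only UI action).
 * Both return the user's current bypass state after the change.
 */
function example_grant_bypass( int $user_id ): bool {
	update_user_meta( $user_id, EXAMPLE_BYPASS_META_KEY, '1' );
	$user = get_user_by( 'id', $user_id );
	return $user instanceof WP_User && example_user_may_bypass_sso( $user );
}

function example_revoke_bypass( int $user_id ): bool {
	delete_user_meta( $user_id, EXAMPLE_BYPASS_META_KEY );
	$user = get_user_by( 'id', $user_id );
	return $user instanceof WP_User && example_user_may_bypass_sso( $user );
}
```

Dropped into `wp-content/mu-plugins/`, this keeps the login page's behaviour under "Hide WordPress Logins" while limiting password authentication to the few users an admin has flagged; the error message is deliberately the same whether the account exists or not beyond what WordPress itself already reveals, and the role check ensures that granting the flag to an administrator has no effect.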