So whats happening right now is when the client, logins in it asks for their User name, and then it emails them a code. When they put their code in, it automatically logs them in. Can we make it so they have to put their password in as well.
Welcome to PickPlugins.
We respect your thought. But the idea of our OTP functionality is to provide a passwordless login. And the OTP code is only valid for a couple of minutes. So, I don't think there might be any security holes.
Did you think of something like two-factor verification like Facebook?