chore: update two-factor to 0.14.2

[sjinks]

Description

This PR updates the Two Factor plugin from 0.13.0 to 0.14.2.

Changelog Description

Changed

• Updated the Two Factor plugin from 0.13.0 to 0.14.2

Pre-review checklist

Please make sure the items below have been covered before requesting a review:

• This change works and has been tested locally or in Codespaces (or has an appropriate fallback).
• This change works and has been tested on a sandbox.
• This change has relevant unit tests (if applicable).
• This change uses a rollout method to ease with deployment (if applicable - especially for large scale actions that require writes).
• This change has relevant documentation additions / updates (if applicable).
• I've created a changelog description that aligns with the provided examples.

Pre-deploy checklist

• VIP staff: Ensure any alerts added/updated conform to internal standards (see internal documentation).

Steps to Test

Manual testing.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 35.22%. Comparing base (1f2d979) to head (e20d40d).
⚠️ Report is 37 commits behind head on develop.

Additional details and impacted files

@@ Coverage Diff @@ ## develop #6742 +/- ## ========================================== Coverage 35.22% 35.22% Complexity 5081 5081 ========================================== Files 295 295 Lines 20840 20840 ========================================== Hits 7341 7341 Misses 13499 13499 

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Updates the bundled Two-Factor plugin to upstream version 0.14.2, including UI/UX adjustments, REST API behavior updates, and refreshed plugin assets/metadata.

Changes:

• Bumped plugin version/constants and updated readme compatibility info.
• Updated provider UI text/behavior (e.g., “Verify” labels, recommended methods display) and related CSS.
• Updated REST/API-related behavior/permissions and refreshed plugin assets (banners/icons/screenshots).

Reviewed changes

Copilot reviewed 9 out of 18 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
shared-plugins/two-factor/two-factor.php	Updates plugin header metadata and TWO_FACTOR_VERSION constant to 0.14.2.
shared-plugins/two-factor/readme.txt	Updates “Tested up to”/stable tag and documents new hooks/FAQ content.
shared-plugins/two-factor/user-edit.css	Adds styling for the new “Recommended” method marker in the UI.
shared-plugins/two-factor/class-two-factor-core.php	Introduces recommended-provider ordering/labeling and adjusts API-login and REST permission behavior.
shared-plugins/two-factor/providers/class-two-factor-provider.php	Minor instantiation update for provider singleton (new $class_name()).
shared-plugins/two-factor/providers/class-two-factor-totp.php	Updates REST route args/returns, QR/setup UI copy, and verification labeling.
shared-plugins/two-factor/providers/class-two-factor-email.php	Updates login submit labeling and minor markup tweaks in user options.
shared-plugins/two-factor/providers/class-two-factor-backup-codes.php	Updates REST route args/docs, UI labeling, and adds a warning message on regeneration.
shared-plugins/two-factor/providers/class-two-factor-fido-u2f.php	Updates plugins_url() base argument usage.
shared-plugins/two-factor/providers/class-two-factor-fido-u2f-admin.php	Minor formatting change for register-data unpacking.
shared-plugins/two-factor/assets/icon.svg	Removes the SVG icon asset.
shared-plugins/two-factor/assets/icon-128x128.png	Updates plugin icon asset.
shared-plugins/two-factor/assets/icon-256x256.png	Updates plugin icon asset.
shared-plugins/two-factor/assets/banner-772x250.png	Updates plugin banner asset.
shared-plugins/two-factor/assets/banner-1544x500.png	Updates plugin banner asset.
shared-plugins/two-factor/assets/screenshot-1.png	Updates plugin screenshot asset.
shared-plugins/two-factor/assets/screenshot-2.png	Updates plugin screenshot asset.
shared-plugins/two-factor/assets/screenshot-3.png	Updates plugin screenshot asset.

[Copilot]

The href uses esc_url( $totp_url ), which will strip the otpauth:// scheme unless it’s explicitly allowed. That can turn the value into a protocol-relative URL and send the shared secret to an unintended host if clicked. Since $totp_url is already sanitized with esc_url_raw( ..., array( 'otpauth' ) ), the output should preserve that scheme (e.g., pass the allowed protocols when escaping, or output the already-sanitized value).

Suggested change

	<a href="<?php echo esc_url( $totp_url ); ?>">
	<a href="<?php echo esc_url( $totp_url, array( 'otpauth' ) ); ?>">

[Copilot]

This new esc_html_e() call is missing the text domain argument ('two-factor'), which breaks translation loading and will likely fail WordPress i18n PHPCS checks.

Suggested change

	<em><?php esc_html_e( 'This invalidates all currently stored codes.' ); ?></em>
	<em><?php esc_html_e( 'This invalidates all currently stored codes.', 'two-factor' ); ?></em>

[sjinks]

Fixed in the master branch: https://github.com/WordPress/two-factor/blob/master/providers/class-two-factor-backup-codes.php#L179