README update

README.md

@@ -1,11 +1,27 @@
 # Email One-Time Password Authentication
 
-Matches only valid email from allowed domain as username. Validates client
-credentials and password if exists in current session or generates ones for
-session time on empty password treated as one-time password request.
+Validates credentials and password if exists in current session or generates
+ones for session time on empty password which is treated as one-time password
+request and sends it to an email. Matches only valid email from allowed domains
+using global `allowemailaddresses` and `denyemailaddresses` settings if set.
 
-On first login account is created if not prevented on global level 
-and parts of email address may be mapped to profile fields using 
-PCRE expressions.
 
-See [setting form help](settings.php) for mapping usage example.
+Additional security can be set:
+
+Revoke threshold: 
+  login failures limit causing revoke of the generated password.  
+
+Minimum request period: 
+  a time in seconds after which another password can be generated.
+
+
+Signup and user creation on first login takes place only in case of using email
+as username (not to be confused with the `authloginviaemail` global setting) if
+not prevented (global setting `authpreventaccountcreation`) and parts of email
+address may be mapped to profile fields using PCRE expressions.
+
+Auth instruction setting (global `auth_instructions`) is recommended depending
+on the adopted user account policy and plugin settings.
+
+
+See also: `fieldsmapping_help` setting form for [mapping usage example](lang/en/auth_emailotp.php).

auth.php

@@ -18,6 +18,7 @@
  * Email OTP authentication plugin.
  *
  * @see self::user_login()
+ * @see self::get_user_field()
  * @package    auth_emailotp
  * @copyright  2020 Pawel Suwinski <psuw@wp.pl>
  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later