No security issues were found from a basic review of the code.
Reason for the 'Use with caution' result
The plugin has been given this recommendation at the tester's discretion:
As this is a plugin that modifies login functionality, there are points to be aware of during setup and installation, to avoid locking oneself out of the website, specifically:
Note installation advice on plugin page to “Make sure your webhost is capable of providing accurate time information for PHP/WordPress, ie. make sure a NTP daemon is running on the server.”. As per the FAQs, also ensure you have an initial login or recovery option in case the plugin activation prevents login (such as another user without GA enabled, that key roles don’t have mandatory GA set, and/or SSH/SFTP access to disable or delete the plugin).