Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stuck on revalidate now loop #629

Open
igorradovanov opened this issue Aug 31, 2024 · 4 comments
Open

Stuck on revalidate now loop #629

igorradovanov opened this issue Aug 31, 2024 · 4 comments
Milestone
Future Release

Comments

@igorradovanov
Copy link

Describe the bug

In cases where email doesn't work, the plugin is stuck in "Revalidate Now" mode. The solution may be to allow changing the authentication method without requiring validation if email is the primary and only method currently set up with the two-factor plugin.

Steps to Reproduce

Steps I took to reproduce the issue:

  1. I installed the plugin for the first time and chose email as the primary authentication method.
  2. The next time I logged into the WordPress Dashboard, I found that my website was not sending emails (an issue on the hosting side). To regain access, I logged in via SFTP and removed the plugin folder.
  3. Now, I want to switch from email to the authenticator app, but the plugin won't allow this because it requires me to "revalidate the session," which I can't do since email delivery is still not working on the website.

Screenshots, screen recording, code snippet

Screenshot (7)

Environment information

  • WordPress 6.6.1, Twenty Twenty Four theme
  • Google Chrome browser on MacOS Sonoma

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes
@kasparsd
Copy link
Collaborator

I'm wondering if this should be the expected behaviour, and the email delivery should be fixed in order to regain access. Allowing any kind of override could be abused when the admins actually want to enforce the email second factor, for example.

The plugin now recommends enabling the backup codes which could be used in these instances.

@dd32
Copy link
Member

dd32 commented Sep 2, 2024

I'd suggest that the issue in this case is that Email can be activated as a 2FA method without confirmation that the user can receive emails.

Just like TOTP and Security keys require you to confirm with the device to set it up, email should too.

@jeffpaul jeffpaul added this to the Future Release milestone Sep 3, 2024
@kasparsd
Copy link
Collaborator

The user email is assumed to be valid by WP core since it is also used for password resets and other critical notifications. I feel like it would also add unnecessary friction to the setup flow if we enforced email validation.

I suggest we don't implement this.

@jeffpaul jeffpaul removed the Bug label Dec 3, 2024
@xanathon
Copy link

I have a similar problem. After first installtation options are greyed out and I am asked to revalidate. I then have to provide a TOTP code that does not yet exist.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Future Release
Development

No branches or pull requests
5 participants
@kasparsd @dd32 @jeffpaul @igorradovanov @xanathon