django-two-factor-auth

Authentication backend's authenticate() method is called twice during an unsuccessful authentication

Open VGSebastian opened this issue 6 years ago • 2 comments

Similar to the behavior described in #221 for successful authentication, on unsuccessful authentication, the authenticate method is called twice:

  • formtools.wizard.views.WizardView.post()
    • self.get_form_list() -> two_factor.views.core.LoginView.get_user() ...
    • form.is_valid()

Expected Behavior

Authentication should stop after the first unsuccessful authentication attempt using these credentials. If the external authentication backend locks a user after a certain number of failed attempts, each authentication attempt using the Django application that uses 2FA leads to two failed attempts in the external system and hence locks the user earlier than expected.

Current Behavior

On unsuccessful authentication, the wrong credentials are sent twice to the authentication backend.

Steps to Reproduce (for bugs)

  1. Create a custom authentication backend based on the default ModelBackend
  2. Log calls to authenticate()
  3. Try to login with wrong credentials and check the log for 2 calls to authenticate()

Context

I want to avoid locking users too early in external authentication systems.

Your Environment

  • Browser and version: Firefox 70.0.1
  • Python version: 3.6
  • Django version: 2.2.2
  • django-otp version: 0.72
  • django-two-factor-auth version: 1.9.1

VGSebastian · Nov 21 '19 12:11
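The reproduction steps above boil down to counting authenticate() calls per login attempt and watching how fast an external lockout threshold is reached. The following is an added illustration written for this page, not code from django-two-factor-auth or from the issue author: it models the external system as a small in-memory directory that locks an account after a fixed number of failed binds (the threshold of 3 is an assumption), a backend that logs every authenticate() call exactly as step 2 of the reproduction asks, a `login_twice()` helper standing in for the wizard calling authenticate() from both get_user() and form.is_valid(), and a hypothetical request-scoped wrapper (`OncePerAttemptBackend`) that collapses the duplicate call. The wrapper is a workaround of my own design, not the project's fix; a plain dict stands in for the Django request object.

```python
"""Model of the double-authenticate() problem described in this issue.

Added illustration, not django-two-factor-auth code. Everything here is
self-contained so it runs without Django installed.
"""
from dataclasses import dataclass, field

# Assumption: the external system locks an account after 3 failed binds.
LOCKOUT_THRESHOLD = 3


@dataclass
class ExternalDirectory:
    """Stand-in for an LDAP/AD-style system with a failed-attempt lockout."""
    passwords: dict                      # username -> password (constructed sample data)
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def bind(self, username, password):
        """Return True on a correct password; count failures and lock on the threshold."""
        if username in self.locked:
            return False  # locked accounts fail without further counting
        if self.passwords.get(username) == password:
            self.failures[username] = 0
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked.add(username)
        return False


class LoggingBackend:
    """Mimics the custom backend from the reproduction steps: records every call."""

    def __init__(self, directory):
        self.directory = directory
        self.calls = []  # one entry per authenticate() invocation

    def authenticate(self, request, username=None, password=None):
        self.calls.append((username, password))
        return username if self.directory.bind(username, password) else None


class OncePerAttemptBackend:
    """Hypothetical mitigation (not the project's fix): remember the result of
    the first authenticate() call for these exact credentials on the request
    object, so a second call within the same request never reaches the
    external system. Keying on the request keeps results from leaking across
    requests; the credentials are already in the request's POST data, so the
    per-request cache does not widen their exposure."""

    def __init__(self, inner):
        self.inner = inner

    def authenticate(self, request, username=None, password=None):
        cache = request.setdefault("_auth_results", {})
        key = (username, password)
        if key not in cache:
            cache[key] = self.inner.authenticate(
                request, username=username, password=password)
        return cache[key]


def login_twice(backend, request, username, password):
    """Reproduces the wizard flow: get_user() and form.is_valid() each call
    authenticate() with the same credentials during one POST."""
    first = backend.authenticate(request, username=username, password=password)
    second = backend.authenticate(request, username=username, password=password)
    return first, second


def simulate(dedupe, username="alice", wrong_password="not-it"):
    """Count wrong-password login attempts until the directory locks the user.

    Returns (attempts_before_lockout, authenticate_calls_seen_by_logging_backend).
    """
    directory = ExternalDirectory(passwords={username: "correct horse battery"})
    logging_backend = LoggingBackend(directory)
    backend = OncePerAttemptBackend(logging_backend) if dedupe else logging_backend
    attempts = 0
    while username not in directory.locked:
        request = {}  # fresh per-request scope, like a new HttpRequest
        login_twice(backend, request, username, wrong_password)
        attempts += 1
    return attempts, len(logging_backend.calls)


def correct_login_still_works():
    """The deduplicating wrapper must not change the result for valid credentials."""
    directory = ExternalDirectory(passwords={"alice": "pw"})
    backend = OncePerAttemptBackend(LoggingBackend(directory))
    return login_twice(backend, {}, "alice", "pw")


if __name__ == "__main__":
    print("without dedupe (attempts, calls):", simulate(dedupe=False))
    print("with dedupe    (attempts, calls):", simulate(dedupe=True))
    print("correct login through wrapper:", correct_login_still_works())
```

With the duplicate call left in place, a user with a lockout threshold of 3 is locked after only 2 wrong logins (4 backend calls); with the request-scoped dedupe, the user gets the full 3 attempts and the external system sees one bind per login. The wrapper only papers over the issue from the application side; the real fix belongs in the wizard so that authenticate() is invoked once per submission.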

Am also observing the same behavior using identical reproduction steps.

CodeSpent · Oct 02 '20 21:10

@CodeSpent have you tried with a more recent version of django-two-factor-auth?

moggers87 · Oct 03 '20 14:10