two-factor icon indicating copy to clipboard operation
two-factor copied to clipboard
verified publisher icon WordPress

Stuck on revalidate now loop

Open igorradovanov opened this issue 1 year ago • 6 comments

Describe the bug

In cases where email doesn't work, the plugin is stuck in "Revalidate Now" mode. The solution may be to allow changing the authentication method without requiring validation if email is the primary and only method currently set up with the two-factor plugin.

Steps to Reproduce

Steps I took to reproduce the issue:

  1. I installed the plugin for the first time and chose email as the primary authentication method.
  2. The next time I logged into the WordPress Dashboard, I found that my website was not sending emails (an issue on the hosting side). To regain access, I logged in via SFTP and removed the plugin folder.
  3. Now, I want to switch from email to the authenticator app, but the plugin won't allow this because it requires me to "revalidate the session," which I can't do since email delivery is still not working on the website.

Screenshots, screen recording, code snippet

Screenshot (7)

Environment information

  • WordPress 6.6.1, Twenty Twenty Four theme
  • Google Chrome browser on MacOS Sonoma

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes

igorradovanov avatar Aug 31 '24 11:08 igorradovanov

I'm wondering if this should be the expected behaviour, and the email delivery should be fixed in order to regain access. Allowing any kind of override could be abused when the admins actually want to enforce the email second factor, for example.

The plugin now recommends enabling the backup codes which could be used in these instances.

kasparsd avatar Aug 31 '24 12:08 kasparsd

I'd suggest that the issue in this case is that Email can be activated as a 2FA method without confirmation that the user can receive emails.

Just like TOTP and Security keys require you to confirm with the device to set it up, email should too.

dd32 avatar Sep 02 '24 03:09 dd32

The user email is assumed to be valid by WP core since it is also used for password resets and other critical notifications. I feel like it would also add unnecessary friction to the setup flow if we enforced email validation.

I suggest we don't implement this.

kasparsd avatar Sep 19 '24 08:09 kasparsd

I have a similar problem. After first installtation options are greyed out and I am asked to revalidate. I then have to provide a TOTP code that does not yet exist.

xanathon avatar Dec 19 '24 07:12 xanathon

Seems to be a duplicate of (or at least related to) #572.

kasparsd avatar Jan 09 '25 12:01 kasparsd

I have a similar problem.

Steps I took to reproduce the issue:

  1. I installed the plugin for the first time and chose email as the primary authentication method.
  2. I was then presented with the Revalidate session button, which I clicked.
  3. I received the email authentication code successfully and input it into the field
  4. I was then brought back to the user profile page and the Revalidate session button is still there and the options are still greyed out. I click the button and the loop begins again.

I now cannot disable 2FA or change authentication method on my account without disabling the entire plugin. I have used this plugin on multiple other sites with no issue, this is the first time I have seen this. The only difference between them is that the site with this issue is a multisite. As well, when I look in the database the sites that are working have various _two_factor_ usermeta fields set, whereas in the multisite there aren't any usermeta fields at all beginning with _two_factor_

I am using WordPress version 6.8.1

zealdev avatar May 28 '25 08:05 zealdev