cms icon indicating copy to clipboard operation
cms copied to clipboard
verified publisher icon craftcms

[5.x]: `maxInvalidLogins` does not work for 2FA

Open dgsiegel opened this issue 8 months ago • 1 comments

What happened?

Description

I'd assume that maxInvalidLogins and invalidLoginWindowDuration would also work on users with 2FA enabled, but while entering a wrong password 5 times locks your account, one can enter unlimited tokens.

Steps to reproduce

  1. Enable 2FA
  2. Enter your username and password
  3. Try all tokens until you find the correct one

Expected behavior

The user should be locked as configued with maxInvalidLogins

Actual behavior

Unlimited tries possible.

Craft CMS version

5

PHP version

No response

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

No response

dgsiegel avatar Jun 14 '25 07:06 dgsiegel

Hi, thanks for reporting! I raised a PR for this.

i-just avatar Jun 16 '25 15:06 i-just

Craft 5.7.11 is out with that fix. Thanks again!

brandonkelly avatar Jun 24 '25 17:06 brandonkelly