
Invalid token when trying Phone SMS backup method while Email is the primary authentication method

Open inellas opened this issue 2 years ago • 0 comments

This might look similar to the issue described in #473 but is different. It refers to version 1.14.0 and specifically only to the case where Email has been configured as the primary method and Phone sms as the backup authentication method. Please, can someone also confirm that the behavior described below can be reproduced?

Expected Behavior

In the login screen where the user is asked to enter the token received by the primary method (Email), clicking on the alternative method to send the token by SMS and submitting that token to the login form should result in a successful login.

Current Behavior

After submitting the valid code received by SMS (as the backup method), it is not accepted and the user is redirected to the previous login screen with an 'Invalid token' error message displayed.

Steps to Reproduce (for bugs)

  1. Enable two factor authentication from the setup wizard by selecting Email as the (primary) authentication method.
  2. Add a phone number as a backup method and verify it.
  3. Logout and open the login page again, enter your credentials (if any).
  4. When prompted to enter the authentication token, click the button to send a token to your phone number instead (alternative method).
  5. Enter the valid token received by SMS in the new form. Instead of a successful login, you get an 'Invalid token' error message and are redirected to the previous login screen.

Context

Providing two-factor authentication to users by combining Email as the main authentication method and Phone SMS as the backup method (a rather popular use case) seems to be problematic. Interestingly, when configuring the token generator mobile app as the primary method and SMS as the backup method, the issue does not occur and the user is able to successfully enter the SMS token.

Your Environment

  • Browser and version:
  • Python version: 3.8.10
  • Django version: 3.2
  • django-otp version: 1.1.3
  • django-two-factor-auth version: 1.14.0

inellas, Dec 08 '22 19:12