wp-webauthn icon indicating copy to clipboard operation
wp-webauthn copied to clipboard

Published 20 hours ago • verified publisher icon yrccondor

Incompatibility with Two Factor Feature Plugin

Open alexclst opened this issue 1 year ago • 1 comments

I have deployed the Two Factor feature plugin on all my sites. The WP-WebAuthn plugin seems to be hiding the field for the second factor auth code when users try to log in with the normal way with username/password and have two factor turned on. This is no problem if all users always use WebAuthn, but we aren't anywhere near that yet and so it effectively locks users who don't use Webauthn and do use two factor out. I see this incompatibility on some sites, but not on others, and have yet to determine why that may be (it isn't network, I checked that), but know that with this plugin deactivated all is well again.

When WP-Webauthn is on and is hiding the auth code field of Two Factor the auth code field's markup on the login page looks like this:

<p style="display: none;">
	<label for="authcode">Username</label>
	<input type="tel" autocomplete="off" name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9]*">
</p>

Normally that auth code field looks like this when WP-Webauthn is not active or for the unknown reason is not interfering:

<p>
	<label for="authcode">Authentication Code:</label>
	<input type="tel" autocomplete="off" name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9]*" data-com-onepassword-filled="light">
</p>

Since on the same site all I can change is enabling or disabling WP-Webauthn and the auth code field for Two Factor disappears or appears, I feel like there may be something in the javascript of WP-Webauthn that is the problem and may need some more specificity to not take away the auth code field of Two Factor.

I really like this plugin otherwise and look forward to being able to deploy it to my client sites, but simply cannot deploy it right now because I need the Two Factor plugin to work as well. Since that plugin is a "feature plugin" of WP, it may someday be part of WP Core, and so making sure that WP-Webauthn plays nicely with it I think is important.

alexclst avatar Sep 14 '22 22:09 alexclst

Hi, Sorry for the late response, I've managed to duplicate the bug. The javascript from wp-webauthn identifies the auth code field as the username field in the normal login form and thus cause the problem. I'll fix this in few days.

yrccondor avatar Sep 19 '22 01:09 yrccondor

@yrccondor any idea when you'll update the plugin on WP.org to include this important fix?

alexclst avatar Jul 01 '23 16:07 alexclst

Hi alexclst I'm really sorry for the delay. I planned to release the update together with other features a month ago. however since then I was working on an important private project and had no time for this plugin. I'll get back to this project in few days so don't be worry! Sorry again for the lack of updates

yrccondor avatar Jul 02 '23 02:07 yrccondor