WordPress/two-factor

Stuck on revalidate now loop

Opened this issue · 3 comments

igorradovanov commented

Describe the bug

In cases where email doesn't work, the plugin is stuck in "Revalidate Now" mode. The solution may be to allow changing the authentication method without requiring validation if email is the primary and only method currently set up with the two-factor plugin.

Steps to Reproduce

Steps I took to reproduce the issue:

  1. I installed the plugin for the first time and chose email as the primary authentication method.
  2. The next time I logged into the WordPress Dashboard, I found that my website was not sending emails (an issue on the hosting side). To regain access, I logged in via SFTP and removed the plugin folder.
  3. Now, I want to switch from email to the authenticator app, but the plugin won't allow this because it requires me to "revalidate the session," which I can't do since email delivery is still not working on the website.

Screenshots, screen recording, code snippet

Screenshot (7)

Environment information

  • WordPress 6.6.1, Twenty Twenty Four theme
  • Google Chrome browser on MacOS Sonoma

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes

kasparsd commented

I'm wondering if this should be the expected behaviour, and the email delivery should be fixed in order to regain access. Allowing any kind of override could be abused when the admins actually want to enforce the email second factor, for example.

The plugin now recommends enabling the backup codes which could be used in these instances.

dd32 commented

I'd suggest that the issue in this case is that Email can be activated as a 2FA method without confirmation that the user can receive emails.

Just like TOTP and Security keys require you to confirm with the device to set it up, email should too.

  • 👍2
kasparsd commented

The user email is assumed to be valid by WP core since it is also used for password resets and other critical notifications. I feel like it would also add unnecessary friction to the setup flow if we enforced email validation.

I suggest we don't implement this.