Auto Login Module does not ask for 2FA

Question

Auto Login Module does not ask for 2FA

Closed this issue 4 months ago · 5 comments

PHP version: 8.2.20
FreeScout version: 1.8.143
Database: MySQL
Are you using CloudFlare: No
Are you using non-official modules: No
Auto Login Module : 1.0.2
Two-Factor Authentication Module: 1.0.11

Hello,
our administrator has activated 2fa “Required For All Users”.
When I want to login, I am asked for the second factor. That's Okay.
But when I click on a link in an email notification, I am logged in directly without having to enter a second factor. That is not okay.
The description of the Auto Login module says:
"If 2FA authentication is enabled the user will be required to pass two-factor authentication."

Is this a bug or have I forgotten to configure something?

Greetings,
Jens

freescout-helpdesk commented 4 months ago

Yes.

Answer 1 · 2024-06-11T06:57:02.000Z

It works as designed.

Answer 2 · 2024-06-11T08:19:33.000Z

It works as designed. ???
Just so I understand correctly: the design is that the auto-login module never queries the second factor?

Answer 3 · 2024-06-11T08:33:39.000Z

But that makes this module a big security hole and I will probably have to switch it off :-(

In addition, your module description is not correct "If 2FA authentication is enabled the user will be required to pass two-factor authentication.”. You should adjust it accordingly.

Answer 4 · 2024-06-11T08:35:18.000Z

We've added a notice regarding the Auto Login process.