NO SECURITY – any 6 digit code will silently pass

Hi, did you also set up the plugin for the profile in question? If you don’t enable the security features per profile then it will not work.

I have this plugin installed in a few websites without any issues.

Kind regards

Yes, it was setup by the previous administrator and was enabled for all important users. I can confirm it worked in the past but was entirely broken recently. To be honest, we couldn’t believe it.

Not sure if it’s incompatible with the latest wordpress or if something broke during this plugin’s standard upgrade path or if it’s something else entirely.

The fatal issue is silent failures – the failure of an important security feature should always be “in your face” and defaults etc should be biased towards that. Ideally, the plugin should present the 2FA prompt only for accounts that have 2FA enabled. Till that’s fixed in the UI (as a 2 stage login), a quick fix would be to NOT ignore any code that’s submitted (check 6 digits long and if you get a code for an account without 2FA enabled, abort + warn).

Collaborating with the “Two Factor” plugin authors isn’t a bad idea either; their implementation covers yubikeys and the login UI is done correctly as a 2 stage process.

My $0.02

Hi, if this plugin is not working for you then perhaps the following two factor might work better.

Kind regards

Thanks, we did migrate to it.

But I’m worried that you have a large number of installs and there are other reports of this issue too. So if you don’t plan on investigating and resolving this security vulnerability, a socially responsible thing to do would be to de-list this plugin and educate people on migrating away via an upgrade alert. I say that in good faith – no disrespect.

This has come up before many time, and ever time it’s turned out to be that the reporter assumed that the plugin would start working just because it was activated, which is incorrect.

In order for the plugin to work, each user needs to edit their profile and enable the setting, then configure their phone.

It’s a confusing user experience, but not a security bug.

Oh, my bad, I missed that you said earlier that you’d already done that. I re-tested this just to be sure, and wasn’t able to reproduce the bug. I wonder if there was a conflict with another plugin?

Hi @user48958,

I’m unable to reproduce this in
0.51 (with or without two screen login)
0.48

The only way I could reproduce the issue was to disable the 2fa from the user profile, by unchecking the active checkbox, and then it would accept any code as it’s no longer enabled.

If there is a concern that users are disabling this setting, from version 0.50 onwards, you can set the user roles for whom 2fa must be enabled via /wp-admin/options-general.php?page=google_authenticator

If you have any other information to reproduce this issues @user48958, please add it to the thread so that we can look into it.

Thanks,
Ivan

I just tried a clean install and have the same issue. after activating the plugin I went in and edited the user and activated it for the user. I was then able to successfully login from another computer by typing in a random 6 digit number