• I set up 2FA as Required for all Administrators some time ago (March time) with a 31 day grace period. Since then, I have never been asked for 2FA and, even though my account is marked as Locked Out, I can still log in successfully with no 2FA prompt.

    Please see attached screenshots.


    I am using Wordfence v7.5.10 on WordPress v6.0.0

    What am I doing wrong?

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi David,

    Have you added your IP address to the option Allowlisted IP addresses that bypass all rules in the Advanced Firewall Options section on the All Options page?

    If you have then you must set up 2FA before removing your IP address otherwise you won’t be able to log in after you log out.

    Thread Starter David Adams

    (@tictag)

    wfphil,

    Thank you for your reply.

    No, both the Allowlisted IP addresses that bypass all rules in Advanced Firewall Options and Allowlisted IP addresses that bypass 2FA in Login Security Settings fields are blank.

    David.

    Plugin Support wfphil

    (@wfphil)

    Hi David,

    Thanks for the update.

    I would like to have a look at your Wordfence diagnostics report. Please go to the top of the “Diagnostics” tab on the Wordfence “Tools” page. There will be a “SEND REPORT BY EMAIL” button to send the diagnostics report. Enter wftest [at] wordfence [dot] com as the email and tictag as the forum username please.

    Once you have emailed me the diagnostics report can you reply here to let me know that it has been sent. This is important in the unlikely event that your installation of WordPress is having an issue with sending mail.

    Thread Starter David Adams

    (@tictag)

    Sent.

    Plugin Support wfphil

    (@wfphil)

    Hi @tictag

    Sorry for the late reply, I missed this one somehow.

    I see that the wfls_2fa_secrets database table has zero rows which would explain why it doesn’t work. It may be that there has been database corruption.

    You can try enabling the option Delete Login Security tables and data on deactivation and then set two-factor authentication up again. The option is at the bottom of the Login Security >> Settings page.

    Thread Starter David Adams

    (@tictag)

    As requested, I:

    – Selected the Delete Login Security tables and data on deactivation
    – Deactivated, then re-activated the plugin
    – Re-set up 2FA to be Required for the Administrator role, with a 1-day Grace Period.

    Result:

    – No change in login behaviour (not locked out, no request for 2FA)
    – The dates on the Locked Out screen for all three Administrator accounts had changed to the current date

    New Screenshots:


    Thread Starter David Adams

    (@tictag)

    New diagnostic report sent.

    Plugin Support wfphil

    (@wfphil)

    Hi @tictag

    Thank you for the update and sorry for the late reply.

    I think I see what the problem could be.

    As explained in our documentation the grace period on the settings page doesn’t apply to admins, only other user roles. The grace period for admins has to be set on the admin’s WordPress profile page.

    Do you have 2FA set up for at least one admin, as the 2FA requirement for admins will not become active until at least one admin has set up 2FA for themselves?

    Thread Starter David Adams

    (@tictag)

    OK, so you’re saying that:

    1. The “Locked Out” page, showing that all three Admins are locked out, should be ignored because 2FA has not been strictly speaking ‘enabled’ yet (see 2.).
    2. 2FA for Admins cannot be ‘enabled’ (even if it is ‘required’) until at least one of them has set up 2FA.
    3. The grace period for Admins cannot be set up on the Login Security Settings page, instead must be set up individually via the user profile page.

    Have I understood?

    So if I:

    1. Set up 2FA for myself (as one of the three admins)
    2. Set up a grace period for the other two admins (via the user profile page)

    …then I should expect:

    A. I will be asked for my 2FA code when I subsequently log in
    B. The other two admins will receive a notice when they go to log in that they should set up 2FA AND if they don’t do this, they will eventually be locked out i.e. after the grace period.

    Is this correct?
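The enforcement rules that support lays out above (the admin requirement is dormant until at least one administrator has a 2FA secret, the settings-page grace period applies only to non-admin roles, and admins get their grace period from the profile page) are easier to reason about as a small decision model. The following is an added example written for this page, not Wordfence plugin code: the names `User`, `Settings`, `evaluate_login`, `thread_scenario`, the dates, and the rule that a non-admin's grace period is counted from the moment the requirement was switched on are all assumptions of the model. It replays the thread: three admins with no rows in wfls_2fa_secrets log in freely, then one admin enrols and the other two get a profile grace period.

```python
"""
Model of the Wordfence Login Security 2FA enforcement rules as support
describes them in this thread. Constructed illustration, not plugin code;
the names below (User, Settings, evaluate_login, ...) are invented here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Iterable, Optional

ADMIN = "administrator"


class Outcome(Enum):
    PROMPT_2FA = "prompted for a 2FA code"
    NOT_ACTIVE = "logged in without 2FA: no admin has set up 2FA, so the admin requirement is not active"
    GRACE = "logged in with a 'set up 2FA' notice: grace period still running"
    LOCKED_OUT = "locked out: 2FA required and the grace period has expired"
    NOT_REQUIRED = "logged in without 2FA: role does not require it"


@dataclass
class User:
    login: str
    roles: frozenset
    has_2fa_secret: bool = False                   # True if wfls_2fa_secrets holds a row for this user
    profile_grace_end: Optional[datetime] = None   # admin grace period, set on the user's profile page


@dataclass
class Settings:
    required_roles: frozenset    # roles marked "Required" on Login Security > Settings
    grace_days: int              # settings-page grace period; per the thread, non-admin roles only
    required_since: datetime     # assumption of this model: when the requirement was switched on


def admin_requirement_active(users: Iterable[User]) -> bool:
    """Per the thread: the admin requirement takes effect only once at least
    one administrator has completed their own 2FA setup."""
    return any(ADMIN in u.roles and u.has_2fa_secret for u in users)


def grace_end(user: User, settings: Settings) -> Optional[datetime]:
    """Admins: the grace period lives on the profile page (None = none set).
    Other roles: the settings-page grace period, counted from required_since
    (the start point is an assumption of this model)."""
    if ADMIN in user.roles:
        return user.profile_grace_end
    return settings.required_since + timedelta(days=settings.grace_days)


def evaluate_login(user: User, users: Iterable[User], settings: Settings, now: datetime) -> Outcome:
    """Decide what happens when `user` submits a correct password at time `now`."""
    if user.has_2fa_secret:
        return Outcome.PROMPT_2FA
    if not (user.roles & settings.required_roles):
        return Outcome.NOT_REQUIRED
    if ADMIN in user.roles and not admin_requirement_active(users):
        return Outcome.NOT_ACTIVE
    end = grace_end(user, settings)
    if end is not None and now < end:
        return Outcome.GRACE
    return Outcome.LOCKED_OUT


def thread_scenario() -> dict:
    """Replays the thread with constructed dates: three admins, requirement on
    since March with a 31-day settings grace, nobody enrolled. Then 'tictag'
    sets up 2FA and gives the other two admins a 7-day profile grace period."""
    settings = Settings(frozenset({ADMIN}), grace_days=31, required_since=datetime(2022, 3, 1))
    admins = frozenset({ADMIN})
    tictag, admin2, admin3 = User("tictag", admins), User("admin2", admins), User("admin3", admins)
    users = [tictag, admin2, admin3]
    june = datetime(2022, 6, 15)
    before = {u.login: evaluate_login(u, users, settings, june) for u in users}

    tictag.has_2fa_secret = True
    for u in (admin2, admin3):
        u.profile_grace_end = june + timedelta(days=7)
    after = {u.login: evaluate_login(u, users, settings, june) for u in users}
    expired = {u.login: evaluate_login(u, users, settings, june + timedelta(days=8)) for u in users}
    return {"before": before, "after": after, "after_grace": expired}


if __name__ == "__main__":
    for phase, results in thread_scenario().items():
        print(phase)
        for login, outcome in results.items():
            print(f"  {login}: {outcome.value}")
```

The "before" phase reproduces the symptom in the opening post: every admin is listed as past their grace period, yet none is challenged, because no admin has a secret and the requirement is therefore dormant. The model deliberately gates only the administrator role on that condition, since that is all the thread states; whether the same gate applies to other roles is not established here.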

  • The topic ‘2FA Enabled But Non Functional’ is closed to new replies.