• Resolved rku4er

    (@rku4er)


    Hey guys, please let me know: is it default behavior that NOT forced users with a set (generated) secret can still log in with an empty OTP token (bypassing OTP)?

Viewing 15 replies - 1 through 15 (of 15 total)
  • Hi, did you enable the plugin for all users? If you don’t, then a user that is not forced to use this plugin can log into your site with an empty OTP.

    Thread Starter rku4er

    (@rku4er)

    Yes, I didn’t enable it for anyone except Administrators. It’s clear now. Thanks.

    You are most welcome

    Hi,
    Jumping in here with a quick followup question.
    So, we don’t necessarily want to force every user to use 2FA. For example, in our case, some Editors use 2FA and some don’t.
    But, once 2FA is enabled on an account, shouldn’t that be mandatory?

    @baeldung, is your setup a Multisite or a single site? If 2FA is set up for a user then that user will not be able to log in unless they enter the passcode.
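    The fail-closed rule stated in this reply (an enrolled user must always present a valid passcode), written out as an added Python example that is not the plugin’s own code: a stored TOTP secret always requires a valid code, an empty token is rejected, and the role-level “force” setting only decides whether users *without* a secret are allowed in. The `User` record, `FORCED_ROLES` set and the RFC 6238 test secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional, Tuple


# Constructed user record; a real plugin would read these fields from user meta.
@dataclass
class User:
    login: str
    role: str
    totp_secret: Optional[str]  # base32 secret, None if 2FA was never set up


# Constructed policy: roles that are *forced* to use 2FA (the plugin's "enable for role" idea).
FORCED_ROLES = {"administrator"}

# RFC 6238 test seed "12345678901234567890" in base32 (constructed test data, not a real secret).
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix timestamp."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, token: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps of clock drift; never accept an empty token."""
    if not token or not token.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, timestamp + drift * 30)
        if hmac.compare_digest(expected, token):
            return True
    return False


def authorize_login(user: User, token: str, timestamp: Optional[int] = None) -> Tuple[bool, str]:
    """Second-factor decision, taken after the password check has already passed."""
    now = int(time.time()) if timestamp is None else timestamp
    if user.totp_secret:
        # Fail closed: a configured secret always requires a valid code,
        # regardless of whether the user's role is forced.
        if verify_totp(user.totp_secret, token, now):
            return True, "valid OTP"
        return False, "OTP required for enrolled user"
    if user.role in FORCED_ROLES:
        return False, "2FA enrolment required for this role"
    return True, "2FA not configured and role not forced"


if __name__ == "__main__":
    editor = User("editor-with-2fa", "editor", TEST_SECRET)
    print(authorize_login(editor, "", 59))            # rejected: empty token
    print(authorize_login(editor, totp(TEST_SECRET, 59), 59))  # accepted
    print(authorize_login(User("plain-editor", "editor", None), "", 59))
    print(authorize_login(User("admin", "administrator", None), "", 59))
```

    The point of the decision order is that the “enabled for this role” check is consulted only when no secret exists; the thread’s reported behaviour (a user with a generated secret logging in with an empty OTP) corresponds to checking the role flag first and skipping verification for unforced roles.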

    It’s a single site.
    OK, so then we definitely have an issue on our end – because – yes, that was my thinking as well. Once a user has 2FA enabled, they shouldn’t be able to log in without it.
    However, that’s not the way it works right now.

    So – what would be the best way to reproduce the issue. I could either record a quick video to show you the problem, or give you access to one of our staging environments. Or would another way work better?

    Thanks,
    Eugen.

    @baeldung, you can try the following.

    Disable all your other plugins except this one, then carry out a test. Also make sure you clear your cache if you have a cache plugin installed.

    Regards

    Sure, will do – I’ll let you know here how that went.

    Hi,
    Quick update here – we tested it with no plugins, and the issue is still there.
    I can share access to the staging environment we used, but I’m not sure how to do that exactly – would that help?

    Cheers,
    Eugen.

    Hi Eugen, please check the following documentation. Let me know if this is what you did for any user you want to enable Google authentication login.

    Thank you

    Thanks for the link – that’s an interesting read.
    However, I’m not sure it applies – we’re using the latest version of WordPress 4.8.3 (soon to be upgraded to 4.9 – which came out yesterday).

    Hi, that documentation also works with WordPress 4.8.3. I have this plugin installed in many of my sites.

    That is how the plugin works.

    OK, that’s fine.
    But, I went through the documentation and I’m not sure I understand what the issue is.
    My issue is that a user that has 2FA enabled can log in without it.
    The documentation doesn’t deal with that case.
    So – is this a bug? Or am I missing something here?

    Thanks,
    Eugen.

    I have not come across this issue myself.

    Only the plugin developer can reply to your issue. I am out of ideas, sorry about this.

    Kind regards

    No worries, thanks for looking into it.

  • The topic ‘Not forced users with set secret can login with empty OTP’ is closed to new replies.