• Hi, I am setting up 2FA for multiple user accounts but am unable to complete configuration for some users because the plugin is displaying the same exact QR code (or typed code) for multiple users in a row. I successfully configured a few users, but now when I log into a user account that hasn’t completed 2FA setup, the same QR code appears. In my authenticator app, it shows me the same access code and when I try to enter it into the 2FA page, nothing happens. The Validate & Save button does nothing on click, and in the inspector the /admin-ajax.php file is showing a 503 Forbidden error. This makes sense because it is trying to use a code for someone else’s account, but it doesn’t make sense why the plugin is trying to assign the same code to multiple accounts. This is preventing me from finishing configuring 2FA for all users, and I can’t send the site to my client because I am concerned that when they try to set up 2FA for their own accounts, they will receive the QR code for my account. I have tried multiple browsers, I’ve cleared my browser cache, no change. It is strange because I successfully set up 3 accounts with 2FA already, so it worked for a time. I have no way to clear the server cache because the client uses Akamai for caching and doesn’t provide us access. Have you seen this before? Is there any way to resolve this?

    Thanks,

    Adam

    Plugin version: 2.8

    WordPress version: 6.4.3 (not permitted to update at this time)

    Server: nginx 1.26.2

    PHP: 8.2.27

Viewing 1 replies (of 1 total)
  • Plugin Support Lucian Padureanu

    (@lucianwpwhite)

    Hello @adamhideseek!

    My name is Lucian, and I’ll be assisting you with this interesting case. This is certainly an unusual issue, and I appreciate the details you’ve shared so far!

    Since the scenario is quite complex, I’d first like to get a clearer picture of what you’re trying to achieve:

    1. Understanding the 2FA Setup Process

    a) You mentioned that you’re setting up 2FA in advance for some users—just to confirm, are you doing this manually for each account, or are users expected to complete the setup themselves?

    b) Typically, 2FA setup is done individually, with each user using their own authenticator app. If you are centralizing this process, does that mean you (or your client) will be responsible for providing 2FA codes to these users when they log in?

    c) If the goal is for each user to have their own unique QR code, we need to determine why the same QR code is being displayed multiple times. One common cause could be caching, which might prevent the correct QR codes from being shown dynamically, or maybe some limitation of an authenticator app that we might not be aware of just yet (just a wild guess at this stage).

    Unfortunately, without access to clear the cache (due to Akamai), this makes troubleshooting more difficult, as I would have suggested clearing caches first, before any troubleshooting recommendations.

    2. Checking the Database Entries

    a) In a normal setup, our plugin generates a unique wp_2fa_totp_key entry in the WP_Usermeta table for each user when they configure 2FA using an authenticator app. Can you check the database and confirm whether different users are actually getting the same wp_2fa_totp_key value by any chance?

    3. Testing With Another Authenticator App

    • You mentioned that 3 accounts were successfully set up, and then the issue started. Could you try using a different authenticator app to see if the issue persists?
    • Which authenticator app have you been using so far? (e.g. Google Authenticator, Microsoft Authenticator, Authy, etc.)
    • If you scan the same QR code with a different app, does it generate the same OTP code as the first one?

      Once you check these things, we’ll have a much better idea of what’s happening. Let me know what you find, and we’ll take it from there!
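
The database check from step 2, as an added example that is not part of the thread or the plugin's code: a query that lists which user IDs share an identical `wp_2fa_totp_key` value without printing the keys themselves. It assumes the default `wp_` table prefix and that the stored values can be compared as-is; the in-memory SQLite table and its rows are constructed stand-ins for the site's MySQL database.

```python
import sqlite3

# Written to run unchanged on MySQL/MariaDB as well as SQLite.
# Assumption: default "wp_" table prefix; adjust if the site uses another.
# Only user IDs are returned, so the result can be shared without leaking keys.
DUPLICATE_KEYS_SQL = """
SELECT GROUP_CONCAT(user_id) AS user_ids, COUNT(*) AS n
FROM wp_usermeta
WHERE meta_key = 'wp_2fa_totp_key' AND meta_value <> ''
GROUP BY meta_value
HAVING COUNT(*) > 1
"""

def shared_totp_keys(conn):
    """Return groups of user IDs whose stored TOTP key value is identical."""
    rows = conn.execute(DUPLICATE_KEYS_SQL).fetchall()
    return sorted(sorted(int(u) for u in ids.split(",")) for ids, _ in rows)

def build_sample_db():
    """Constructed sample data: users 4 and 5 were given the same key."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, "
        "user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    rows = [
        (1, "wp_2fa_totp_key", "CONSTRUCTED-KEY-AAAA"),
        (2, "wp_2fa_totp_key", "CONSTRUCTED-KEY-BBBB"),
        (3, "wp_2fa_totp_key", "CONSTRUCTED-KEY-CCCC"),
        (4, "wp_2fa_totp_key", "CONSTRUCTED-KEY-DDDD"),
        (5, "wp_2fa_totp_key", "CONSTRUCTED-KEY-DDDD"),
        # Same value under a different meta_key must not be reported.
        (6, "nickname", "CONSTRUCTED-KEY-AAAA"),
        # A user who has not finished setup (empty value) is ignored.
        (7, "wp_2fa_totp_key", ""),
        (8, "wp_2fa_totp_key", ""),
    ]
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
        "VALUES (?, ?, ?)", rows
    )
    return conn

if __name__ == "__main__":
    for group in shared_totp_keys(build_sample_db()):
        print("users sharing one stored key:", group)
```

An empty result means no two users have the same stored value.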