• Resolved PerfectSolution

    (@perfectsolution)


    Hi guys,

    We’re using your plugin in combination with WooCommerce. We’ve noticed that when resetting your password on a 2FA secured account via the WooCommerce “forgot password” form, the user is being logged in without being asked for 2FA during the initial sign in process.

    Logging out and back in, after resetting the password, will prompt for 2FA again. So, it seems to happen only when the user is being logged in during the reset request.

    I would consider this a security risk, but I would like to hear your opinion on this. Is it intentional behavior?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Contributor robertabela

    (@robert681)

    Thank you for using our plugin @perfectsolution

    Before answering your question I would like to confirm something; do you mean the user is logged in, and changes the password while logged in?

    Looking forward to hearing from you.

    Thread Starter PerfectSolution

    (@perfectsolution)

    Hi @robert681

    No, the user is not logged in. The user is a non-logged in visitor requesting to reset password via WooCommerce’s forgot password form.

    Plugin Contributor robertabela

    (@robert681)

    Thank you for the clarification @perfectsolution

    We are running a number of tests today to try this. We’ll keep you updated. In the meantime, should there be anything else, do not hesitate to ask.

    Have a great day.

    Plugin Contributor robertabela

    (@robert681)

    Hello @perfectsolution

    We have done a lot of testing and cannot reproduce this. It seems like we are missing some detail. Can you please share a video in which you can highlight the step-by-step process and highlight the issue?

    To avoid sharing sensitive details on these forums, you can send us the video and all the details via email at [email protected].

    We look forward to hearing from you.

    Thread Starter PerfectSolution

    (@perfectsolution)

    Hi @robert681

    After some more debugging, I managed to locate a small snippet in our source that was hooking into woocommerce_customer_reset_password and logging in users automatically after resetting the password. This action bypassed the 2FA.

    The problem was entirely on our end. I am very sorry about that.

    Thank you for taking time to test it and get back to us though. I wish you a pleasant day!
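    The pattern described above, reconstructed as an added illustration (hypothetical code, not the poster's snippet and not part of the 2FA plugin): a site callback on `woocommerce_customer_reset_password` that writes the auth cookie directly, beside a version that leaves the login to the normal flow. The explanation of why the cookie call skips the second factor assumes a 2FA plugin that hooks WordPress's `authenticate` filter or `wp_login` action, which is the usual design.

```php
<?php
/**
 * Hypothetical reconstruction of the pattern the poster found: a site-level
 * snippet hooked to woocommerce_customer_reset_password that logs the user in
 * as soon as the reset completes.
 *
 * Why this bypasses 2FA (assumption: the 2FA plugin hooks 'authenticate' or
 * 'wp_login'): wp_set_auth_cookie() and wc_set_customer_auth_cookie() mint the
 * session cookie directly. They never run the 'authenticate' filter chain and
 * never fire the 'wp_login' action, so the second-factor step is simply not
 * reached. Logging out and back in goes through wp_signon(), which is why the
 * 2FA prompt returns on the next sign-in, exactly as observed in the thread.
 */

// --- BEFORE: auto-login on reset (session minted without a 2FA challenge) ---
add_action( 'woocommerce_customer_reset_password', function ( WP_User $user ) {
    // Equivalent to wp_set_auth_cookie( $user->ID ): no authenticate filter, no wp_login action.
    wc_set_customer_auth_cookie( $user->ID );
} );

// --- AFTER: do not create a session here; let the user sign in normally ---
// WooCommerce redirects back to the My Account page with a password-reset
// notice, so the user logs in with the new password through wp_signon() and
// the 2FA plugin gets its chance to challenge them.
add_action( 'woocommerce_customer_reset_password', function ( WP_User $user ) {
    // Keep only non-session side effects (audit trail, notifications, ...).
    if ( function_exists( 'wc_get_logger' ) ) {
        wc_get_logger()->info(
            sprintf( 'Password reset completed for user #%d; next login requires 2FA.', $user->ID ),
            array( 'source' => 'site-password-reset' ) // hypothetical log source name
        );
    }
} );
```

    When auditing a site for the same class of problem, search the theme and custom plugins for direct calls to `wp_set_auth_cookie()` and `wc_set_customer_auth_cookie()`; any call outside the core login path is a place where the second factor is not enforced.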

    Plugin Contributor robertabela

    (@robert681)

    Thank you very much for the update @perfectsolution

    No need to apologize. These things happen. As long as the source of the problem was found, all is good. Should you have any other questions, please do not hesitate to ask.

    By the way, please spare a minute to rate our plugin and service. These ratings are really helpful.

    Thank you and have a great day.

  • The topic ‘Resetting password bypasses 2FA’ is closed to new replies.