2FA error on all users
-
Hi Defender team,
We recently installed Defender plugin on our WP instance. However, myself and other users are having issues logging into our accounts.
2FA screen says
“Whoops, the passcode you entered was incorrect or expired.” This is odd because we have all scanned the QR code on our Google Authenticator app.
Please help!
-
I also wanted to add that we have Lost Device OTP setting enabled. And when our users click on the “Lost your device?” link, it says that email is sent, but it is not coming through.
I checked to see if our company email settings are blocking any incoming emails, but there is no log that an email was even sent to us.
I really need this resolved today. We can’t get into our website at all.
I reached out to [email protected] yesterday with screenshots and further information.
2 hours later, I heard back from a representative who told me that support would follow up with me on this forum ASAP.
It’s been 2 days since I’ve reported this issue. We downloaded this plugin to try out its features, followed its instructions, it locked out me and my users, and I don’t hear back from anyone. This is unacceptable!
We need access to edit our website!
Hello @ndenlinger
I’m sorry to hear that you’re experiencing such issues and I’m sorry for the delay.
We’re trying to assist everyone as fast as we can but I’d appreciate some patience as sometimes there’s more questions to follow-up than usually and it takes a bit more time.
Getting back to issues though:
The “Whoops, the passcode you entered was incorrect or expired.” issue is usually caused by timecode/time setting discrepancies. Please make sure with your host that server time is correct and also check if the time used by WordPress is not delayed/advanced in comparison to server time (I’m not referring to time zone settings but rather to small differences such as a minute or a few minutes; sometimes such differences are happening due to some “non-standard” code in a theme or one of the plugins).
If that’s all correct, then in the Google Authenticator app there’s an option in “Settings” named “Time correction for codes”. Use that option in the app of every user that cannot login due to the issue that you reported and it should fix the problem.
As for e-mails. The “Lost phone” option is meant to send an email (upon request) to the registered e-mail address of a user. I understand that such e-mails are not delivered but Defender is using whatever method your WordPress is currently using to send messages and it sends them “from the site”.
By this I mean that by default it’s using wp_mail() function which, in fact, uses standard PHP mail() function and that sometimes might be an issue because hosts often put limits on number of the e-mails that can be sent or block sending e-mails to or from outside of certain/defined domains or put some super-strict spam filters that could possibly catch such messages.
Can you confirm that those “lost phone” messages weren’t moved to spam folders in target inboxes and also that all other e-mails from the site (such as e.g. user registration activation e-mails or lost password e-mails) are properly delivered?
Kind regards,
Adam

Hi Adam,
Thank you for following up with me. I appreciate your time in helping me troubleshoot this.
Workaround:
I signed up for 7 day free-trial where I utilized WPMU DEV 24/7 support chat feature. I chatted with Jacobo Castillo who helped with a workaround. He disabled Defender by accessing our server using FileZilla, and modifying the defender plugin folder name. This was able to get me back into our system.
Here is more context to the situation:
– There are two environments that we have setup.
1. example.com (production environment)
2. test.example.com (subdomain we use for staging environment)
– Each environment has same user information
– We setup Defender (free) in production (example.com) first, and enabled 2FA, scanned QR code.
– We then enabled Defender (free) in staging (test.example.com) with same setup.
– When scanning QR codes, it actually didn’t create two separate Defender accounts in Google Authenticator app. It used 1 account for both production (example.com) and staging environment (environment)
Troubleshooting 2FA before checking time discrepancies:
1. Used workaround to get back into production (example.com) and re-enable Defender
2. Removed/disabled 2FA for all users.
3. Logged into staging (test.example.com) and removed/disabled 2FA on all accounts.
4. Removed Defender account on Google Authenticator
5. Logged into production (example.com) and enabled 2FA by scanning QR code and checking that “Lost this device” option is on for my account.
6. Tested 2FA in production- 2FA works!
7. Logged into staging (test.example.com) and went through process of enabling 2FA.
8. Tested 2FA in staging- 2FA works!
9. Tested 2FA in production again – 2FA ERROR
Could it be that maybe scanning the QR code “replaced” the account with a new account in Google Authenticator?
Troubleshooting time discrepancies
1. Used https://check-host.net/ to view server timezone and discrepancies
2. Server Local Time: PDT
3. WP Local Time: UTC-0
4. Changed WP Local Time to PDT
5. No time discrepancies noted.
6. Issue still persists with 2FA using same steps 1-9 in previous troubleshooting.
Troubleshooting email
1. Checked inbox manually, “Lost phone” email were not moved to spam folders or target inboxes.
2. Our registered emails are tied to G Suite for business. Checked the email logs and tried looking to see if Google blocked “Lost phone” email. I searched for
– default subject: Your OTP code
– the recipient: my WP registered email
– time frame: within 7 days
3. Google email logs reported “No messages found. Please contact the sender for further investigation”
This leaves me to think that WP is having issues sending out emails.
4. Jacobo mentioned that I should try this plugin: https://ww.wp.xz.cn/plugins/wp-mail-smtp/
5. Used this plugin to run a test, and emails are not coming through to me. I repeated steps 1-3.
6. Plugin confirmed that default mailer uses standard PHP mail()
I hope this info helps!! Thanks, Adam!
– Nikki

Hello @ndenlinger,
I am glad to know you were able to fix it with the help of Jacobo. You can also try to use the WP Mail SMTP plugin and try to configure your email SMTP with the help of the plugin as mentioned by Jacobo and check if it works for you.
Should you have any doubts or need any help, feel free to reply in the thread below and we would be happy to help!
Regards
Prathamesh Palve

Hi Prathamesh,
This has not resolved my issue. The workaround only allows me to access website again by disabling Defender.
2FA still doesn’t work when I enable it for production and staging environment. (see my previous reply for details)
And I’m not sure how to configure the WP Mail SMTP plugin.
Thanks,
Nikki

Hi @ndenlinger
Thanks for all the information and I apologize for the confusion – with us assuming it’s resolved.
The “workaround” that Jacobo helped you with would work, indeed, but just to let you regain access to 2FA-protected site. I think the “core” issue here would be what you described in your previous post about “production vs staging” testing.
I agree that it seems that for some reason whichever of these sites had 2FA enabled as second/later, seems to “overwrite” account in Google Authenticator. That’s actually strange because it’s perfectly fine for two sites to run that way – one under top-level domain and one under sub-domain – and they should both be able to use their own authorization.
But this case looks different and results of your test (especially that no additional account shows up in the app) seem to confirm that. I must admit that I’ve never come across that before! So, wondering what might be causing it, I checked what information is passed through the 2FA activation QR code and apart from some “constant” strings, it’s always
– site name (e.g. “My super site”, just like you got that set in “Site Title” option on “Settings -> General” page)
– user’s e-mail address
– issuer name (which is the same as a site name actually)
– and some “secret” (a “secret key”).
Theoretically speaking if all that is the same on two sites, it would override “account” in Google Authenticator because app would assume you’re using the same site. But taking that into account, I’d say that it’s more of a “weakness” of the protocol rather than Defender’s issue then – as we didn’t “invent” the process
I’m not exactly sure how the entire 2FA protocol works “algorithm-wise” and how the “secret” is used but I’d like to ask you if you could, please, test one more thing:
– could you change (on one of the sites, live or staging) the site title (via “Settings -> General” page) before enabling 2FA on it? After that, clear all caches – if there are any – and try enabling it again to see if it works.
– make also sure that on “Settings -> General” page both “WordPress Address (URL)” and “Site Address (URL)” options are reflecting actual URL of a given site (sometimes moving between production and staging might result in one of them not being updated properly; depending on the tool used).
Would you give it a try and let me know of results?
And I’m not sure how to configure the WP Mail SMTP plugin.
If you’re using GSuite (if I understand correctly) that might be a bit “tricky” as it requires creation of Google app (project) in Google Developers Console. First, you should select “Google/Gmail” in “Mailer” option on “WP Mail SMTP -> Settings” page in your site’s back-end. Then you’ll create an app and oauth credentials so it’d be best if you’d follow this documentation straight from WP Mail SMTP plugin creators as it walks through the process “step by step”:
https://wpmailsmtp.com/docs/how-to-set-up-the-gmail-mailer-in-wp-mail-smtp/
Best regards,
Adam

Hello @ndenlinger
It’s been a while since we’ve heard back from you, so I’m marking this topic as resolved. Feel free to post back any updates and we’ll carry on troubleshooting.
Take care,
Dimitris
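The two explanations Adam gives in this thread (an authenticator entry being overwritten when two sites enrol with the same title and e-mail, and codes failing when the server and phone clocks disagree by more than a few seconds) can be reproduced with the following added Python example, which is not code from the thread or from the Defender plugin. It builds an otpauth:// URI from the fields Adam lists (site title as issuer and label prefix, user e-mail, secret), derives the key an authenticator app would identify the entry by, and verifies RFC 6238 codes against a server clock; the exact parameter layout and the one-step verification window are assumptions, not Defender's implementation.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

# Constructed sample secrets (20 bytes each), not real keys.
PROD_SECRET = base64.b32encode(b"prod-example-secret!").decode()
STAGE_SECRET = base64.b32encode(b"stage-example-secret").decode()
# The RFC 6238 reference secret, so the TOTP code can be checked against the RFC vectors.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def otpauth_uri(site_title: str, email: str, secret_b32: str) -> str:
    """Build the otpauth:// URI a TOTP enrolment QR code encodes.
    Issuer and label prefix both come from the site title, as the thread
    describes; the exact parameters Defender emits are an assumption."""
    label = urllib.parse.quote(f"{site_title}:{email}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": site_title})
    return f"otpauth://totp/{label}?{query}"


def account_key(uri: str) -> str:
    """What an authenticator app has to identify an entry by: issuer + label.
    Two URIs with the same key look like one account, so the later scan
    replaces the earlier secret instead of adding a second entry."""
    parsed = urllib.parse.urlsplit(uri)
    issuer = urllib.parse.parse_qs(parsed.query).get("issuer", [""])[0]
    return f"{issuer}|{urllib.parse.unquote(parsed.path.lstrip('/'))}"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the current 30 s step plus `window` steps either side (assumed
    tolerance). A phone clock a few minutes off falls outside this window."""
    return any(hmac.compare_digest(totp(secret_b32, server_time + 30 * k), code)
               for k in range(-window, window + 1))
```

Renaming one site's title before enrolling changes the account key, which is the check Adam asks for; a code computed with the production secret is rejected once the entry holds the staging secret, which matches the "works on the last site enrolled only" result in the thread.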
The topic ‘2FA error on all users’ is closed to new replies.